Hi Apple Team & Community,
The new introduction of Platform SSO during ADE enrollment is great, and we tried implementing it. As a rule mentioned in the documentation, the MDM server should initially send a 403 response with a response body adhering to ErrorCodePlatformSSORequired when the HTTP header for the MachineInfo request contains MDM_CAN_REQUEST_PSSO_CONFIG set to true.
There are contradictory claims in the document:
- In "Process Platform SSO Required Response" it is mentioned that the MDM server should send the body as a JSON object for ErrorCodePlatformSSORequired. Example below:
>>>>> Response
HTTP/1.1 403 Forbidden
Content-Type: application/json
Content-Length: 558

{
    "code": "com.apple.psso.required",
    "description": "MDM Server requires the user to authenticate with Identity Provider - BY MEMDM",
    "message": "The MDM server requires you to authenticate with your Identity Provider. Please follow the instructions provided by your organization to complete the authentication process - BY MEMDM",
    "details": {
        "Package": {
            "ManifestURL": "https://platform-sso-node-server.vercel.app:443/manifest"
        },
        "ProfileURL": "https://platform-sso-node-server.vercel.app:443/profile",
        "AuthURL": "https://platform-sso-node-server.vercel.app:443/auth"
    }
}
- But in the same document a sample HTTP response is provided that seems to be in XML format, as below:
>>>>> Response
HTTP/1.1 403 Forbidden
Content-Type: application/xml
Content-Length: 601

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Code</key>
    <string>com.apple.psso.required</string>
    <key>Details</key>
    <dict>
        <key>ProfileURL</key>
        <string>https://mdmserver.example.com/psso.mobileconfig</string>
        <key>Package</key>
        <dict>
            <key>ManifestURL</key>
            <string>https://mdmserver.example.com/psso-app.plist</string>
        </dict>
        <key>AuthURL</key>
        <string>https://idp.example.com/authenticate</string>
    </dict>
</dict>
</plist>
From GitHub I assume that both response types are welcomed, hence I tried with both:
- In JSON mode, I redirected the HTTP request, if MachineInfo contains MDM_CAN_REQUEST_PSSO_CONFIG set to true, to https://platform-sso-node-server.vercel.app/redirectedDEPJSON
- In XML mode, I redirected the HTTP request, if MachineInfo contains MDM_CAN_REQUEST_PSSO_CONFIG set to true, to https://platform-sso-node-server.vercel.app/redirectedDEPXML
In both response modes the OS does not proceed, and an error stating "Enrollment with Management Server Failed, Forbidden request (403)" appears.
Can someone kindly guide me on what I missed, or is this an OS bug in Tahoe 26?
I was mistakenly using configuration_web_url in the DefineProfile API for the macOS device, hence the 403 ended up in failure.
I tried removing this and allowed the device to enroll using url as in the DefineProfile API; it is working now. Thanks.
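The gating and 403 construction discussed in this thread, as an added Python example (not Apple's or the poster's code). It assumes MachineInfo has already been signature-verified and parsed into a dict, and it mirrors the key casing of the two samples quoted above without settling which format the OS accepts; the function name and parameters are hypothetical.

```python
import json
import plistlib
from urllib.parse import urlsplit

PSSO_CODE = "com.apple.psso.required"  # error code from the samples in the post


def _https(name, url):
    """Reject anything but an absolute https URL for the URLs handed to the device."""
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError(f"{name} must be an absolute https URL, got {url!r}")
    return url


def psso_required_response(machine_info, profile_url, manifest_url, auth_url,
                           fmt="json", description=None, message=None):
    """Return (status, headers, body) for the 403, or None when it does not apply.

    Assumption: machine_info is the verified, parsed MachineInfo dict and the
    capability key is present as a boolean.
    """
    if machine_info.get("MDM_CAN_REQUEST_PSSO_CONFIG") is not True:
        return None  # device did not advertise support: continue normal enrollment
    details = {
        "ProfileURL": _https("ProfileURL", profile_url),
        "Package": {"ManifestURL": _https("ManifestURL", manifest_url)},
        "AuthURL": _https("AuthURL", auth_url),
    }
    if fmt == "json":  # lowercase keys, as in the JSON sample in the post
        doc = {"code": PSSO_CODE, "details": details}
        if description:
            doc["description"] = description
        if message:
            doc["message"] = message
        body, ctype = json.dumps(doc).encode("utf-8"), "application/json"
    elif fmt == "plist":  # capitalised keys, as in the XML sample in the post
        doc = {"Code": PSSO_CODE, "Details": details}
        body, ctype = plistlib.dumps(doc, fmt=plistlib.FMT_XML), "application/xml"
    else:
        raise ValueError(f"unknown format {fmt!r}")
    # Content-Length is the byte length of the encoded body, not a fixed number.
    headers = {"Content-Type": ctype, "Content-Length": str(len(body))}
    return 403, headers, body
```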
