We are implementing a Platform SSO extension on macOS and are seeing repeated registration notifications from AppSSOAgent for the same unresolved registration state.
We are trying to understand whether this is expected Platform SSO behavior, or whether our extension should be returning a different registration result for a cancelled user-registration flow.
Scenario 1: Setup Assistant / preboot cancellation
- Device registration succeeds during setup.
- User registration starts.
- The user closes/cancels the registration web auth UI.
- Setup completes and the user reaches the desktop.
- Two “registration required” notifications are posted a few seconds apart, before the user clicks anything.
In AppSSOAgent logs, we see two separate cycles like:
- resetRegistrationWithCompletion
- handleUserRegistrationForUser:repair:newPasswordUser:newSmartCardUser:notified:profile:
- Sending registration notification
- Adding notification request ...
then again roughly 10–12 seconds later, before any user action. In some runs, even if the user clicks the first notification and registration is already in progress, another notification still appears. If the first registration attempt does not complete successfully, registration does not finish and the user must click the second notification and repeat the registration flow. After acting on the second notification, registration may then succeed.
Scenario 2: login / repair window already open
In another run after logout/login, while the registration window is already open, AppSSOAgent posts another registration notification.
Additional detail:
In some runs, our extension logs show the web auth flow failing with:
- breaking calling recursion for caller with bundleIdentifier: ...
- no extension
- WebAuthenticationSession error 1
But the duplicate-notification behavior is specifically interesting when AppSSOAgent posts a second notification before any new desktop click/retry.
We also see AppSSOAgent logs such as:
- Removing 1 delivered notifications with identifiers (...)
- Removing 1 pending notification requests with identifiers (...)
which suggests the same Platform SSO registration notification can exist in both delivered and pending state before being reposted.
Questions
- After a user cancels Platform SSO user registration UI during Setup Assistant, what is the expected ASAuthorizationProviderExtensionRegistrationResult the extension should return? (.failed, .userInterfaceRequired, something else?)
- Is it expected for AppSSOAgent to run multiple resetRegistrationWithCompletion / handleUserRegistrationForUser... cycles for the same incomplete registration state and post duplicate registration notifications before any user action?
- Is there any documented meaning for the retry timing gaps (for example ~3 seconds in some runs, ~11 seconds in others)?
- If the registration UI is cancelled by the user, is there a recommended way for the extension to prevent AppSSOAgent from re-posting multiple notifications for the same unresolved registration state?
We want to understand whether the duplicate notifications are expected Apple-side Platform SSO behavior for incomplete registration, or whether the extension is expected to signal cancellation differently.
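One way to quantify the repeat cycles described above from a saved log excerpt, as an added example that is not part of the original post and is not Apple's or the poster's code. The function names, the simplified `HH:MM:SS.mmm message` line layout and the ordering of the sample lines are assumptions; only the message texts come from the post.

```python
import re
from datetime import datetime

# Constructed sample lines in a simplified "HH:MM:SS.mmm message" layout.
# Not real `log` output: only the message texts are taken from the post.
SAMPLE = """\
10:00:01.000 resetRegistrationWithCompletion
10:00:01.200 handleUserRegistrationForUser:repair:newPasswordUser:newSmartCardUser:notified:profile:
10:00:01.400 Sending registration notification
10:00:01.500 Adding notification request ...
10:00:12.600 resetRegistrationWithCompletion
10:00:12.700 Removing 1 delivered notifications with identifiers (...)
10:00:12.750 Removing 1 pending notification requests with identifiers (...)
10:00:12.800 handleUserRegistrationForUser:repair:newPasswordUser:newSmartCardUser:notified:profile:
10:00:13.000 Sending registration notification
10:00:13.100 Adding notification request ...
""".splitlines()

LINE = re.compile(r"^(\d\d:\d\d:\d\d\.\d{3}) (.*)$")
REMOVED = re.compile(r"Removing (\d+) (delivered|pending) notification")

def parse_cycles(lines):
    """Group lines into cycles, each opened by resetRegistrationWithCompletion."""
    cycles = []
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m:
            continue  # skip lines that do not fit the assumed layout
        ts = datetime.strptime(m.group(1), "%H:%M:%S.%f")
        msg = m.group(2)
        if msg.startswith("resetRegistrationWithCompletion"):
            cycles.append({"start": ts, "posted": None, "delivered": 0, "pending": 0})
        elif cycles:
            cur = cycles[-1]
            removed = REMOVED.search(msg)
            if removed:  # count notifications cleared before the repost
                cur[removed.group(2)] += int(removed.group(1))
            elif msg.startswith("Sending registration notification"):
                cur["posted"] = ts
    return cycles

def repost_gaps(cycles):
    """Seconds between consecutive notification posts, with what each replaced."""
    posted = [c for c in cycles if c["posted"] is not None]
    return [
        {"gap_s": round((b["posted"] - a["posted"]).total_seconds(), 3),
         "replaced_delivered": b["delivered"], "replaced_pending": b["pending"]}
        for a, b in zip(posted, posted[1:])
    ]
```

Running `repost_gaps(parse_cycles(lines))` over excerpts from several runs puts the ~3 second and ~11 second gaps side by side and shows whether each repost cleared a delivered notification, a pending one, or both.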