Product Documentation

To create an iOS Single Sign On (SSO) Account profile

Nov 03, 2013

This policy allows you to create a single sign-on account for your iOS 7 users so that they only have to log in once to access XenMobile and your internal company resources from various apps, without the need to store any credentials on the device. The enterprise user credentials in this Single Sign-On (SSO) account can be used across apps, including apps from the App Store. This iOS 7 policy is designed to work with a Kerberos authentication back end.

  1. In the Device Manager web console, on the Policies tab under iOS, click Configurations.
  2. In the New Configuration menu, click Profiles and Settings > SSO Account.
  3. In the Create a Single Sign On Account dialog box, enter the attribute setting identifier (name), display name, company name, and an optional comment.
  4. Next, select the SSO tab and enter the following information:
    1. Account Name. The name for the Kerberos SSO account as it will appear to the user.
    2. Kerberos Principal Name. The Kerberos principal name. If not entered here, the user will be prompted for one during profile installation. This entry must be provided in order for the policy to be installed.
    3. Kerberos Realm. The Kerberos realm name. This value should be properly capitalized.
  5. Next, click New Permitted URL and enter the URLs for which you want to require SSO sign-on when a user visits them in the Safari browser on the iOS device. For example, when a device user tries to browse to a site in Safari and the website throws a Kerberos challenge, if that site is not in the URL list configured by the administrator, then iOS will not attempt SSO by providing the Kerberos token it might have cached on the device from a previous Kerberos logon. The match has to be exact on the host part of the URL, for example: http://shopping.apple.com is OK, but http://*.apple.com is not. Also, if Kerberos is not activated based on host matching, the request still falls back to a standard HTTP call. This could mean almost anything, including a standard password challenge, or an HTTP error if the site is only configured for SSO using Kerberos.
  6. Next, click the App Identifiers tab. Here, enter all app identifiers that are allowed to use this login. If this field is missing, this login matches all app identifiers.
  7. Click Create.
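
The following pre-deployment check for the SSO and App Identifiers tab values is an added example, not part of the product or its documentation. The function name, the sample values, the reading of "properly capitalized" as an all-uppercase realm, and the http/https scheme requirement are assumptions.

```python
from urllib.parse import urlsplit

def lint_sso_policy(principal, realm, permitted_urls, app_identifiers):
    """Return (severity, message) findings for a planned SSO Account policy."""
    findings = []
    if not principal.strip():
        findings.append(("error", "Kerberos Principal Name is empty"))
    # Assumption: "properly capitalized" means the usual all-uppercase realm.
    if not realm or realm != realm.upper():
        findings.append(("error", f"Kerberos Realm {realm!r} is not upper case"))
    for url in permitted_urls:
        parts = urlsplit(url)
        host = parts.hostname or ""
        if parts.scheme not in ("http", "https"):  # assumption: Safari web URLs only
            findings.append(("error", f"{url}: scheme must be http or https"))
        elif not host:
            findings.append(("error", f"{url}: no host part to match on"))
        elif "*" in host:
            # Host matching is exact, so a wildcard entry never triggers SSO
            # and the request falls back to a standard HTTP call.
            findings.append(("error", f"{url}: wildcard host; list each host"))
    if not app_identifiers:
        # An empty list is not a deny-all: the login matches every app.
        findings.append(("warning", "no app identifiers: login matches all apps"))
    return findings

# Constructed sample values, not taken from a real deployment.
GOOD = ("jdoe", "EXAMPLE.COM", ["http://shopping.apple.com"], ["com.example.mail"])
BAD = ("", "example.com", ["http://*.apple.com", "shopping.apple.com"], [])

if __name__ == "__main__":
    for name, policy in (("GOOD", GOOD), ("BAD", BAD)):
        print(name)
        for severity, message in lint_sso_policy(*policy) or [("ok", "no findings")]:
            print(f"  [{severity}] {message}")
```
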