Product Documentation

To create an iOS single sign-on (SSO) account profile

Mar 06, 2014

This policy allows you to create a single sign-on (SSO) account for iOS 7 users. SSO lets users sign on one time only to access XenMobile and your internal company resources from various apps. Users do not need to store any credentials on the device. The SSO Account enterprise user credentials can be used across apps, including apps from the App Store. This iOS 7 policy is designed to work with a Kerberos authentication back-end.

  1. In the Device Manager web console, on the Policies tab, under iOS, click Configurations.
  2. In the New Configuration menu, click Profiles and Settings > SSO Account.
  3. In the Create a Single Sign On Account dialog box, enter the attribute setting identifier (name), display name, company name, and an optional comment.
  4. Click the SSO tab and then enter the following information:
    1. Account Name. The name for the Kerberos SSO account as it will appear to the user.
    2. Kerberos Principal Name. The Kerberos principal name. If not entered here, the user will be prompted for the name during profile installation. This entry must be provided in order for the policy to be applied.
    3. Kerberos Realm. The Kerberos realm name. This value should be properly capitalized.
  5. Next, click New Permitted URL and then enter the URLs for which SSO is required when a user visits them in the Safari browser on the iOS device. If a device user browses to a site in Safari and the website issues a Kerberos challenge, but the site is not in the URL list, the iOS device does not attempt SSO with the Kerberos token it might have cached from a previous Kerberos logon. The match has to be exact on the host part of the URL; for example, http://shopping.apple.com is OK, but http://*.apple.com is not. Also, if Kerberos is not activated based on host matching, the request still falls back to a standard HTTP call. This could mean almost anything, including a standard password challenge, or an HTTP error if the site is only configured for SSO using Kerberos.
  6. Next, click the App Identifiers tab and then enter all app identifiers that are allowed to use this login. If this field is missing, this login matches all app identifiers.
  7. Click Create.
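
The following pre-flight check for the values entered on the SSO tab is an added example, not part of the product or its documentation. It flags an empty principal name, a realm that is not upper case (an assumption about what "properly capitalized" means), and wildcard hosts in the permitted URL list, and it models the exact-host rule from step 5 (comparing the scheme as well is an assumption). The function names and sample values are constructed for illustration.

```python
from urllib.parse import urlsplit


def check_sso_settings(principal, realm, permitted_urls):
    """Return a list of problems with values intended for the SSO tab."""
    problems = []
    if not principal.strip():
        problems.append("Kerberos Principal Name is empty")
    # Assumption: "properly capitalized" means the conventional all-upper-case realm.
    if not realm or realm != realm.upper():
        problems.append(f"Kerberos Realm {realm!r} is empty or not upper case")
    for url in permitted_urls:
        parts = urlsplit(url)
        if parts.scheme not in ("http", "https") or not parts.hostname:
            problems.append(f"{url!r} is not an http(s) URL with a host")
        elif "*" in parts.hostname:
            problems.append(f"{url!r} uses a wildcard; the host must match exactly")
    return problems


def sso_attempted(visited_url, permitted_urls):
    """Simplified model of step 5: SSO is tried only on an exact host match."""
    visited = urlsplit(visited_url)
    for url in permitted_urls:
        allowed = urlsplit(url)
        # Assumption: the scheme is compared along with the host; the path is ignored.
        if (visited.scheme, visited.hostname) == (allowed.scheme, allowed.hostname):
            return True
    return False  # the request falls back to a standard HTTP call


if __name__ == "__main__":
    # Constructed sample values, not taken from a real deployment.
    urls = ["http://shopping.apple.com", "http://*.apple.com"]
    for problem in check_sso_settings("jdoe", "example.com", urls):
        print("PROBLEM:", problem)
    for visited in ("http://shopping.apple.com/cart", "http://store.apple.com/"):
        print(visited, "-> SSO attempted:", sso_attempted(visited, urls))
```

Hosts that report no SSO attempt are the ones where users may see a password prompt or an HTTP error instead, so they are worth reviewing before the profile is deployed.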