To configure an application on device to perform single sign-on (SSO) with the Kerberos extension, configure the SSO Extension profile. With the SSO Extension profile, users do not have to provide their user name and password to access specific URLs. This profile is applicable only to iOS 13 and later devices.


  1. Navigate to Devices > Profiles & Resources > Profiles and select Add > Apple iOS.
  2. Configure the profile's General settings.
  3. Select the SSO Extension payload.
  4. Configure the profile settings.
    Setting Description
    Extension Type Select the type of the SSO extension for the application. If Generic is selected, provide the Bundle ID of the application extension that performs SSO for the specified URLs in the Extension Identifier field. If Kerberos is selected, provide the Active Directory Realm and Domains.
    Type Select either Credential or Redirect as extension type. Credentials extension is used for the challenge/response authentication. Redirect extension can use OpenID Connect, OAuth, and SAML authentication.
    Team Identifier Enter the Team Identifier of the application extension that performs SSO for the specified URLs.
    URLs Enter one or more URL prefixes of identity providers where the application extension performs SSO.
    Additional Settings Enter additional settings for the profile in XML code which is added to the ExtensionData node.
    Active Directory Realm This option appears only if Kerberos is selected as the Extension Type. Enter the name for the Kerberos Realm.
    Domains Enter the host names or the domain names which can be authenticated through the application extension.
    Use Site Auto-Discovery Enable the option to make the Kerberos extension to automatically use LDAP and DNS to determine the Active Directory site name.
    Allow Automatic Login Enable the option to allow passwords to be saved to the keychain.
    Require User Touch ID or Password Enable the option to allow the user to provide Touch ID, FaceID, or passcode to access the keychain entry.
    Certificate Select the certificate to push down to the device which is in the same MDM profile.
    Allowed Bundle IDs Enter a list of application bundle IDs to allow access to the Kerberos Ticket Granting Ticket (TGT).
  5. Select Save and Publish.