The payload that configures an app extension that performs single sign-on (SSO).
| Key | Description | Type | Required | Default | Manual install | Supported OS |
|---|---|---|---|---|---|---|
| ExtensionIdentifier | The bundle identifier of the app extension that performs SSO for the specified URLs. | string | required | — | No | iOS (13.0+), macOS (10.15+), visionOS (1.1+) |
| TeamIdentifier | The team identifier of the app extension. This key is required on macOS and ignored elsewhere. | string | optional | — | No | |
| Type | The type of SSO: `Credential` or `Redirect`. | string | required | — | No | iOS (13.0+), macOS (10.15+), visionOS (1.1+) |
| Realm | The realm name for `Credential` payloads. Use proper capitalization for this value. Ignored for `Redirect` payloads. | string | optional | — | No | iOS (13.0+), macOS (10.15+), visionOS (1.1+) |
| ExtensionData | A dictionary of arbitrary data passed through to the app extension. | dictionary | optional | — | No | iOS (13.0+), macOS (10.15+), visionOS (1.1+) |
| └─ ANY | Keys and values to pass to the app extension. | any | optional | — | No | iOS (13.0+), macOS (10.15+), visionOS (1.1+) |
| URLs | An array of URL prefixes of identity providers where the app extension performs SSO. Required for `Redirect` payloads; ignored for `Credential` payloads. The URLs need to begin with `http://` or `https://`. The system matches the scheme and host name case-insensitively, doesn't allow query parameters or URL fragments, and requires that the URLs of all installed Extensible SSO payloads are unique. | array | optional | — | No | iOS (13.0+), macOS (10.15+), visionOS (1.1+) |
| └─ URL | An http or https URL prefix. | string | required | — | No | iOS (13.0+), macOS (10.15+), visionOS (1.1+) |
| Hosts | An array of host or domain names that apps can authenticate through the app extension. Required for `Credential` payloads; ignored for `Redirect` payloads. The system matches host or domain names case-insensitively and requires that all host and domain names of all installed Extensible SSO payloads are unique. Note: host names that begin with a "." are wildcard suffixes that match all subdomains; otherwise the host name needs to be an exact match. | array | optional | — | No | iOS (13.0+), macOS (10.15+), visionOS (1.1+) |
| └─ hostname | A host or domain name, with or without a leading dot. | string | required | — | No | iOS (13.0+), macOS (10.15+), visionOS (1.1+) |
| ScreenLockedBehavior | If set to `Cancel`, the system cancels authentication requests when the screen is locked. If set to `DoNotHandle`, the request continues without SSO instead. This doesn't apply to requests where `userInterfaceEnabled` is `false`, or to background `URLSession` requests. Available in iOS 15 and later, and macOS 12 and later. | string | optional | Cancel | Yes | iOS (15.0+), macOS (12.0+) |
| DeniedBundleIdentifiers | An array of bundle identifiers of apps that don't use the SSO provided by this extension. Available in iOS 15 and later, and macOS 12 and later. | array | optional | — | Yes | iOS (15.0+), macOS (12.0+) |
| └─ bundleIdentifier | The bundle identifier of the app. | string | required | — | No | iOS (13.0+), macOS (10.15+), visionOS (1.1+) |
| AuthenticationMethod | The Platform SSO authentication method the extension uses. Requires that the SSO extension also supports the method. Available in macOS 13 and later; deprecated in macOS 14. | string | optional | — | Yes | macOS (13.0 - 14.0) |
| RegistrationToken | The token this device uses for registration with Platform SSO. Use it for silent registration with the identity provider. Requires that `AuthenticationMethod` in `PlatformSSO` isn't empty. Available in macOS 13 and later. | string | optional | — | Yes | macOS (13.0+) |
| PlatformSSO | The dictionary that configures Platform SSO. Requires `Type` to be set to `Redirect`. | dictionary | optional | — | Yes | macOS (14.0+) |
| └─ AuthenticationMethod | The Platform SSO authentication method to use with the extension. Requires that the SSO extension also supports the method. | string | optional | — | No | iOS (13.0+), macOS (10.15+), visionOS (1.1+) |
| └─ UseSharedDeviceKeys | If `true`, the system uses the same signing and encryption keys for all users. Only supported on the device channel. | boolean | optional | false | No | |
| └─ AccountDisplayName | The display name for the account in notifications and authentication requests. | string | optional | — | No | iOS (13.0+), macOS (10.15+), visionOS (1.1+) |
| └─ LoginFrequency | The duration, in seconds, until the system requires a full login instead of a refresh. The default value is 64,800 (18 hours). The minimum value is 3600 (1 hour). Range: 3600 or greater. | integer | optional | 64800 | No | iOS (13.0+), macOS (10.15+), visionOS (1.1+) |
| └─ EnableCreateUserAtLogin | Enables creating users at the Login Window with an `AuthenticationMethod` of either `Password` or `SmartCard`. Requires that `UseSharedDeviceKeys` is `true`. | boolean | optional | false | No | iOS (13.0+), macOS (10.15+), visionOS (1.1+) |
| └─ EnableCreateFirstUserDuringSetup | If `true`, the device uses Platform SSO to create the first user account on the Mac during `Setup Assistant`. | boolean | optional | true | Yes | macOS (26.0+) |
| └─ EnableAuthorization | Enables using identity provider accounts at authorization prompts. Requires that `UseSharedDeviceKeys` is `true`. The system assigns groups using `AdministratorGroups`, `AdditionalGroups`, or `AuthorizationGroups`. | boolean | optional | false | No | iOS (13.0+), macOS (10.15+), visionOS (1.1+) |
| └─ TokenToUserMapping | The attribute mapping to use when creating users, or for authorization. | dictionary | optional | — | No | iOS (13.0+), macOS (10.15+), visionOS (1.1+) |
| └─ └─ AccountName | The claim name to use for the user's account name. | string | optional | — | No | iOS (13.0+), macOS (10.15+), visionOS (1.1+) |
| └─ └─ FullName | The claim name to use for the user's full name. | string | optional | — | No | iOS (13.0+), macOS (10.15+), visionOS (1.1+) |
| └─ NewUserAuthenticationMethods | The set of authentication methods to use for newly created accounts at login or during `Setup Assistant`. The system uses `Password` and `SmartCard` if this key isn't present. | array | optional | — | Yes | macOS (26.0+) |
| └─ └─ NewUserAuthenticationMethod | An authentication method to use for newly created accounts at login or during `Setup Assistant`. Allowed values:<br>- `Password`: The account uses a password for authentication.<br>- `SmartCard`: The account uses a smart card for authentication.<br>- `AccessKey`: The account uses an access key for authentication. | string | optional | — | No | iOS (13.0+), macOS (10.15+), visionOS (1.1+) |
| └─ NewUserAuthorizationMode | The permission to apply to newly created accounts at login. Allowed values:<br>- `Standard`: The account is a standard user.<br>- `Admin`: The system adds the account to the local administrators group.<br>- `Groups`: The system assigns groups to the account using `AdministratorGroups`, `AdditionalGroups`, or `AuthorizationGroups`.<br>- `Temporary`: The system uses a temporary session configuration for newly created accounts at login. | string | optional | — | No | iOS (13.0+), macOS (10.15+), visionOS (1.1+) |
| └─ UserAuthorizationMode | The permission to apply to an account each time the user authenticates. Allowed values:<br>- `Standard`: The account is a standard user.<br>- `Admin`: The system adds the account to the local administrators group.<br>- `Groups`: The system assigns groups to the account using `AdministratorGroups`, `AdditionalGroups`, or `AuthorizationGroups`. | string | optional | — | No | iOS (13.0+), macOS (10.15+), visionOS (1.1+) |
| └─ AdministratorGroups | The list of groups to use for administrator access. The system requests membership during authentication. | array | optional | — | No | iOS (13.0+), macOS (10.15+), visionOS (1.1+) |
| └─ └─ Group | The group name. | string | optional | — | No | iOS (13.0+), macOS (10.15+), visionOS (1.1+) |
| └─ AdditionalGroups | The list of created groups that don't have administrator access. | array | optional | — | No | iOS (13.0+), macOS (10.15+), visionOS (1.1+) |
| └─ └─ Group | The group name. | string | optional | — | No | iOS (13.0+), macOS (10.15+), visionOS (1.1+) |
| └─ AuthorizationGroups | The mapping of authorization rights to group names. When this is set, the system updates each authorization right to use the given group. | dictionary | optional | — | No | iOS (13.0+), macOS (10.15+), visionOS (1.1+) |
| └─ └─ ANY | The key is an authorization right; the value is the group to associate with that right. | string | optional | — | No | iOS (13.0+), macOS (10.15+), visionOS (1.1+) |
| └─ AccessKeyReaderGroupIdentifier | The reader group identifier for use with the `AccessKey`. The value needs to match the configured access key. Required if `NewUserAuthenticationMethods` contains `AccessKey`. | data | optional | — | Yes | macOS (26.0+) |
| └─ AccessKeyTerminalIdentityUUID | The `PayloadUUID` of an identity payload to use as the `Terminal` identity of the access key. The identity needs to be trusted by the access key. Required if `NewUserAuthenticationMethods` includes `AccessKey`. Allowed identity payload types:<br>- `com.apple.security.pkcs12`<br>- `com.apple.security.acme`<br>- `com.apple.security.scep` | string | optional | — | Yes | macOS (26.0+) |
| └─ AllowAccessKeyExpressMode | If `true`, the system uses the access key in express mode and doesn't require authentication before use. | boolean | optional | false | Yes | macOS (26.0+) |
| └─ FileVaultPolicy | The policy to apply when using Platform SSO at FileVault unlock on a Mac with Apple silicon. Applies when `AuthenticationMethod` is `Password`. Available in macOS 15 and later. | array | optional | — | Yes | macOS (15.0+) |
| └─ └─ policy | Allowed values:<br>- `AttemptAuthentication`: Platform SSO authentication is attempted before proceeding. If offline, unlock continues if the local account password matches. If online and the credential is incorrect, a successful Platform SSO authentication is required to proceed, even if the device is then taken offline.<br>- `RequireAuthentication`: Platform SSO authentication is required before proceeding. If the device is offline and `AllowOfflineGracePeriod` is enabled, the `OfflineGracePeriod` determines whether the user can proceed. If online and the credential is incorrect, a valid Platform SSO authentication is required to proceed regardless of the `OfflineGracePeriod`. If the account isn't registered for Platform SSO and `AllowAuthenticationGracePeriod` is enabled, the `AuthenticationGracePeriod` determines whether the user can proceed.<br>- `AllowOfflineGracePeriod`: Allows use of the `OfflineGracePeriod` when `RequireAuthentication` is enabled. If `AllowOfflineGracePeriod` isn't set, offline access is denied.<br>- `AllowAuthenticationGracePeriod`: Allows use of the `AuthenticationGracePeriod` for other local accounts when `RequireAuthentication` is enabled. The `AuthenticationGracePeriod` starts when any of the policies is updated. If `AllowAuthenticationGracePeriod` isn't set, unregistered account access is denied. | string | required | — | No | iOS (13.0+), macOS (10.15+), visionOS (1.1+) |
| └─ LoginPolicy | The policy to apply when using Platform SSO at the Login Window. Applies when `AuthenticationMethod` is `Password`. Available in macOS 15 and later. | array | optional | — | Yes | macOS (15.0+) |
| └─ └─ policy | Allowed values:<br>- `AttemptAuthentication`: Platform SSO authentication is attempted before proceeding. If offline, unlock continues if the local account password matches. If online and the credential is incorrect, a successful Platform SSO authentication is required to proceed, even if the device is then taken offline.<br>- `RequireAuthentication`: Platform SSO authentication is required before proceeding. If the device is offline and `AllowOfflineGracePeriod` is enabled, the `OfflineGracePeriod` determines whether the user can proceed. If online and the credential is incorrect, a valid Platform SSO authentication is required to proceed regardless of the `OfflineGracePeriod`. If the account isn't registered for Platform SSO and `AllowAuthenticationGracePeriod` is enabled, the `AuthenticationGracePeriod` determines whether the user can proceed.<br>- `AllowOfflineGracePeriod`: Allows use of the `OfflineGracePeriod` when `RequireAuthentication` is enabled. If `AllowOfflineGracePeriod` isn't set, offline access is denied.<br>- `AllowAuthenticationGracePeriod`: Allows use of the `AuthenticationGracePeriod` for other local accounts when `RequireAuthentication` is enabled. The `AuthenticationGracePeriod` starts when any of the policies is updated. If `AllowAuthenticationGracePeriod` isn't set, unregistered account access is denied. | string | required | — | No | iOS (13.0+), macOS (10.15+), visionOS (1.1+) |
| └─ UnlockPolicy | The policy to apply when using Platform SSO at screensaver unlock. Applies when `AuthenticationMethod` is `Password`. Available in macOS 15 and later. | array | optional | — | Yes | macOS (15.0+) |
| └─ └─ policy | Allowed values:<br>- `AttemptAuthentication`: Platform SSO authentication is attempted before proceeding. If offline, unlock continues if the local account password matches. If online and the credential is incorrect, a successful Platform SSO authentication is required to proceed, even if the device is then taken offline.<br>- `RequireAuthentication`: Platform SSO authentication is required before proceeding. If the device is offline and `AllowOfflineGracePeriod` is enabled, the `OfflineGracePeriod` determines whether the user can proceed. If online and the credential is incorrect, a valid Platform SSO authentication is required to proceed regardless of the `OfflineGracePeriod`. If the account isn't registered for Platform SSO and `AllowAuthenticationGracePeriod` is enabled, the `AuthenticationGracePeriod` determines whether the user can proceed.<br>- `AllowOfflineGracePeriod`: Allows use of the `OfflineGracePeriod` when `RequireAuthentication` is enabled. If `AllowOfflineGracePeriod` isn't set, offline access is denied.<br>- `AllowAuthenticationGracePeriod`: Allows use of the `AuthenticationGracePeriod` for other local accounts when `RequireAuthentication` is enabled. The `AuthenticationGracePeriod` starts when any of the policies is updated. If `AllowAuthenticationGracePeriod` isn't set, unregistered account access is denied.<br>- `AllowTouchIDOrWatchForUnlock`: Allows Touch ID or Watch to unlock the screensaver instead of Platform SSO authentication when `RequireAuthentication` is enabled. | string | required | — | No | iOS (13.0+), macOS (10.15+), visionOS (1.1+) |
| └─ OfflineGracePeriod | The amount of time after the last successful Platform SSO login during which a local account password can be used offline. Required when setting `AllowOfflineGracePeriod`. Available in macOS 15 and later. | integer | optional | — | Yes | macOS (15.0+) |
| └─ AuthenticationGracePeriod | The amount of time after receiving or updating a `FileVaultPolicy`, `LoginPolicy`, or `UnlockPolicy` during which the system can use unregistered local accounts. Required when `AllowAuthenticationGracePeriod` is set. Available in macOS 15 and later. | integer | optional | — | Yes | macOS (15.0+) |
| └─ NonPlatformSSOAccounts | The list of local accounts that aren't subject to the `FileVaultPolicy`, `LoginPolicy`, or `UnlockPolicy`. These accounts don't receive a prompt to register for Platform SSO. Available in macOS 15 and later. | array | optional | — | Yes | macOS (15.0+) |
| └─ └─ username | A local account username. | string | required | — | No | iOS (13.0+), macOS (10.15+), visionOS (1.1+) |
| └─ AllowDeviceIdentifiersInAttestation | If `true`, the system includes the device UDID and serial number in Platform SSO attestations. | boolean | optional | false | Yes | macOS (15.4+) |
| └─ SynchronizeProfilePicture | If `true`, the system requests the user's profile picture from the SSO extension. | boolean | optional | false | Yes | macOS (26.0+) |
| └─ TemporarySessionQuickLogin | If `true`, the system uses a quicker Authenticated Guest Mode login behavior on the Mac. The system erases user data from only select locations in the user home directory after each session completes; once every eight hours it erases the full user home directory after a session completes. Turn this on for shared environments that have a high frequency of short sessions. | boolean | optional | false | Yes | macOS (26.0+) |
| └─ EnableRegistrationDuringSetup | If `true`, the system enables the Platform SSO registration process during Setup Assistant on devices running macOS 26 and later. Set this key to `true` when configuring Platform SSO before enrollment using the `com.apple.psso.required` error response. | boolean | optional | false | Yes | macOS (26.0+) |
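As an added example (not Apple's code and not part of this reference), the following Python lint checks a parsed payload dictionary against the rules stated in the table: the `URLs` scheme and query/fragment rules, the leading-dot `Hosts` wildcard semantics, the `PlatformSSO` dependency on `Type` being `Redirect`, the `UseSharedDeviceKeys` requirements, the `LoginFrequency` minimum and the pairing of each grace-period policy with its period key. It assumes the payload was loaded with `plistlib` into a dict; the `host_matches` and `lint_payload` names and the sample payload are constructed for this example.

```python
from urllib.parse import urlsplit

MIN_LOGIN_FREQUENCY = 3600  # documented minimum for PlatformSSO.LoginFrequency
POLICY_KEYS = ("FileVaultPolicy", "LoginPolicy", "UnlockPolicy")

def host_matches(pattern: str, host: str) -> bool:
    """Hosts semantics: a leading '.' is a wildcard suffix matching any subdomain,
    otherwise the name must match exactly; comparison is case-insensitive."""
    pattern, host = pattern.lower(), host.lower()
    return host.endswith(pattern) if pattern.startswith(".") else host == pattern

def lint_payload(p: dict) -> list[str]:
    """Return the documented rules this one payload violates (empty list = clean).
    Uniqueness across all installed payloads cannot be checked from a single payload."""
    errors, kind, psso = [], p.get("Type"), p.get("PlatformSSO") or {}
    if kind == "Redirect":
        if not p.get("URLs"):
            errors.append("Redirect payloads require a non-empty URLs array")
        for u in p.get("URLs") or []:
            parts = urlsplit(u)
            if parts.scheme not in ("http", "https"):
                errors.append(f"URL must begin with http:// or https://: {u}")
            if parts.query or parts.fragment:
                errors.append(f"URL may not carry a query or fragment: {u}")
    elif kind == "Credential":
        if not p.get("Hosts"):
            errors.append("Credential payloads require a non-empty Hosts array")
    else:
        errors.append("Type must be Redirect or Credential")
    if psso and kind != "Redirect":
        errors.append("PlatformSSO requires Type to be Redirect")
    if "RegistrationToken" in p and not psso.get("AuthenticationMethod"):
        errors.append("RegistrationToken requires PlatformSSO.AuthenticationMethod")
    if psso.get("LoginFrequency", MIN_LOGIN_FREQUENCY) < MIN_LOGIN_FREQUENCY:
        errors.append("LoginFrequency is below the 3600-second minimum")
    for key in ("EnableCreateUserAtLogin", "EnableAuthorization"):
        if psso.get(key) and not psso.get("UseSharedDeviceKeys"):
            errors.append(f"{key} requires UseSharedDeviceKeys to be true")
    # A policy that allows a grace period needs the matching period key to be set.
    policies = {v for name in POLICY_KEYS for v in psso.get(name, [])}
    for flag, period in (("AllowOfflineGracePeriod", "OfflineGracePeriod"),
                         ("AllowAuthenticationGracePeriod", "AuthenticationGracePeriod")):
        if flag in policies and period not in psso:
            errors.append(f"{flag} requires {period}")
    return errors

SAMPLE_PAYLOAD = {  # constructed for this example, not a real deployment
    "ExtensionIdentifier": "com.example.sso-extension", "TeamIdentifier": "ABCDE12345",
    "Type": "Redirect",
    "URLs": ["https://login.example.com/", "https://Login.Example.com/?tenant=1"],
    "PlatformSSO": {"AuthenticationMethod": "Password", "UseSharedDeviceKeys": True,
                    "LoginFrequency": 1800, "EnableCreateUserAtLogin": True,
                    "LoginPolicy": ["RequireAuthentication", "AllowOfflineGracePeriod"]},
}
```

Running `lint_payload(SAMPLE_PAYLOAD)` reports the URL with a query string, the `LoginFrequency` below the minimum, and the missing `OfflineGracePeriod`.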