Extensible Single Sign-On (Kerberos) (com.apple.extensiblesso)

com.apple.extensiblesso

The payload that configures an app extension that performs single sign-on with the Kerberos extension.

iOS(13.0)macOS(10.15)visionOS(1.1)
Branch: release

Settings (49)

SettingTypeRequiredDefaultManual InstallSupported OS
ExtensionIdentifier
ExtensionIdentifier
Set this to `com.apple.AppSSOKerberos.KerberosExtension` for this extension.
stringrequired
No
iOS (13.0+)macOS (10.15+)visionOS (1.1+)
TeamIdentifier
TeamIdentifier
Set this to `apple` for this extension.
stringrequired
No
iOS (13.0+)macOS (10.15+)visionOS (1.1+)
Type
Type
Set this to `Credential` for this extension.
stringrequired
No
iOS (13.0+)macOS (10.15+)visionOS (1.1+)
Realm
Realm
The Kerberos realm. Use proper capitalization for this value. If in an Active Directory forest, this is the realm where the user logs in.
stringrequired
No
iOS (13.0+)macOS (10.15+)visionOS (1.1+)
ExtensionData
ExtensionData
This is the dictionary used by the Apple built-in Kerberos extension.
38 subkeys
dictionaryoptional
No
iOS (13.0+)macOS (10.15+)visionOS (1.1+)
└─
cacheName
cacheName
Deprecated (iOS 15.0, macOS 12.0)
The GSS name of the Kerberos cache to use. Rarely set by an administrator.
stringoptional
Yes
iOS (legacy - 15.0)macOS (legacy - 12.0)
└─
principalName
principalName
The principal (username) to use. You don't need to include the realm.
stringoptional
No
iOS (13.0+)macOS (10.15+)visionOS (1.1+)
└─
siteCode
siteCode
The name of the Active Directory site the Kerberos extension should use. Most administrators don't need to modify this value, as the Kerberos extension can normally find the site automatically.
stringoptional
No
iOS (13.0+)macOS (10.15+)visionOS (1.1+)
└─
certificateUUID
certificateUUID
The PayloadUUID of a PKINIT certificate.
stringoptional
No
iOS (13.0+)macOS (10.15+)visionOS (1.1+)
└─
useSiteAutoDiscovery
useSiteAutoDiscovery
If `false`, the Kerberos extension doesn't automatically use LDAP and DNS to determine its AD site name.
booleanoptionaltrue
No
iOS (13.0+)macOS (10.15+)visionOS (1.1+)
└─
credentialBundleIdACL
credentialBundleIdACL
A list of bundle IDs allowed to access the ticket-granting ticket (TGT).
1 subkey
arrayoptional
No
iOS (13.0+)macOS (10.15+)visionOS (1.1+)
└─ └─
credentialBundleIdACLItem
credentialBundleIdACLItem
Bundle IDs allowed to access the TGT. These values are case sensitive.
stringoptional
No
iOS (13.0+)macOS (10.15+)visionOS (1.1+)
└─
includeManagedAppsInBundleIdACL
includeManagedAppsInBundleIdACL
If `true`, the Kerberos extension allows only managed apps to access and use the credential. This is in addition to the `credentialBundleIDACL`, if you specify that value. Available in iOS 14 and later, and macOS 12 and later.
booleanoptionalfalse
Yes
iOS (14.0+)macOS (12.0+)
└─
includeKerberosAppsInBundleIdACL
includeKerberosAppsInBundleIdACL
If `true`, the Kerberos extension allows the standard Kerberos utilities including `TicketViewer` and `klist` to access and use the credential. This is in addition to `includeManagedAppsInBundleIdACL` or the `credentialBundleIdACL`, if you specify those values. Available in macOS 12 and later.
booleanoptionalfalse
Yes
macOS (12.0+)
└─
domainRealmMapping
domainRealmMapping
A custom domain-realm mapping for Kerberos. The system uses this when the DNS name of hosts doesn't match the realm name. Most administrators don't need to customize this.
1 subkey
dictionaryoptional
No
iOS (13.0+)macOS (10.15+)visionOS (1.1+)
└─ └─
Realm
Realm
The key should be the name of the realm, and the value is an array of DNS suffixes that map to the realm.
1 subkey
arrayoptional
No
iOS (13.0+)macOS (10.15+)visionOS (1.1+)
└─ └─ └─
RealmItem
RealmItem
Domains to map to the realm
stringoptional
No
iOS (13.0+)macOS (10.15+)visionOS (1.1+)
└─
isDefaultRealm
isDefaultRealm
Specifies whether this is the default realm if there's more than one Kerberos extension configuration.
booleanoptionalfalse
No
iOS (13.0+)macOS (10.15+)visionOS (1.1+)
└─
customUsernameLabel
customUsernameLabel
The custom user name label used in the Kerberos extension instead of "Username," such as "Company ID". Available in macOS 11 and later.
stringoptional
Yes
iOS (14.0+)macOS (11.0+)
└─
helpText
helpText
The text to display to the user at the bottom of the Kerberos Login Window. You can also use this to display help information or disclaimer text. Available in iOS 14 and later, and macOS 11 and later.
stringoptional
Yes
iOS (14.0+)macOS (11.0+)
└─
allowPasswordChange
allowPasswordChange
If `false`, the system disables password changes. Available in macOS 10.15 and later.
booleanoptionaltrue
No
└─
allowAutomaticLogin
allowAutomaticLogin
If `false`, the system doesn't allow saving passwords in the keychain.
booleanoptionaltrue
No
iOS (13.0+)macOS (10.15+)visionOS (1.1+)
└─
requireUserPresence
requireUserPresence
If `true`, the system requires the user to provide Touch ID, Face ID or their passcode to access the keychain entry.
booleanoptionalfalse
No
iOS (13.0+)macOS (10.15+)visionOS (1.1+)
└─
pwExpireOverride
pwExpireOverride
Deprecated (macOS 12.0)
The number of days that the system allows using passwords on this domain. For most domains, this calculation is automatic. Available in macOS 10.15 and later.
integeroptional
Yes
macOS (legacy - 12.0)
└─
pwNotificationDays
pwNotificationDays
The number of days prior to password expiration when the system sends a notification of password expiration to the user. Available in macOS 10.15 and later.
integeroptional15
No
└─
pwReqLength
pwReqLength
The minimum length of passwords on the domain.Available in macOS 10.15 and later.
integeroptional
No
└─
pwReqComplexity
pwReqComplexity
If `true`, the system requires passwords to meet Active Directory's definition of "complex". Available in macOS 10.15 and later.
booleanoptionalfalse
No
└─
pwReqMinAge
pwReqMinAge
The minimum age of passwords before the system allows changing them on this domain. Available in macOS 10.15 and later.
integeroptional
No
└─
pwReqHistory
pwReqHistory
The number of prior passwords that the system disallows reuse on this domain. Available in macOS 10.15 and later.
integeroptional
No
└─
pwReqText
pwReqText
The text version of the domain's password requirements. Only for use if `pwReqComplexity` or `pwReqLength` aren't specified. Available in macOS 10.15 and later.
stringoptional
No
└─
pwReqRTFData
pwReqRTFData
The RTF file formatted version of the domain's password requirements. Only for use if `pwReqComplexity` or `pwReqLength` aren't specified. Available in macOS 15 and later.
dataoptional
Yes
macOS (15.0+)
└─
pwChangeURL
pwChangeURL
This URL will launch in the user's default web browser when they initiate a password change. Available in macOS 10.15 and later.
stringoptional
No
└─
syncLocalPassword
syncLocalPassword
If `false`, the system disables password sync. Note that this will not work if the user is logged in with a mobile account. Available in macOS 10.15 and later.
booleanoptionalfalse
No
└─
replicationTime
replicationTime
Deprecated (macOS 12.0)
The time, in seconds, required to replicate changes in the Active Directory domain. The Kerberos extension uses this when checking password age after a change. Available in macOS 11 and later.
integeroptional900
Yes
macOS (11.0 - 12.0)
└─
delayUserSetup
delayUserSetup
If `true`, the system doesn't prompt the user to setup the Kerberos extension until either the administrator enables it with the `app-sso` tool or the system receives a Kerberos challenge. Available in macOS 11 and later.
booleanoptionalfalse
Yes
macOS (11.0+)
└─
monitorCredentialsCache
monitorCredentialsCache
If `false`, the system requests the credential on the next matching Kerberos challenge or network state change. If the credential is expired or missing, the system creates a new one. Available in macOS 11 and later.
booleanoptionaltrue
Yes
macOS (11.0+)
└─
requireTLSForLDAP
requireTLSForLDAP
Require that LDAP connections use TLS. Available in macOS 11 and later.
booleanoptionalfalse
Yes
iOS (14.0+)macOS (11.0+)
└─
credentialUseMode
credentialUseMode
This setting affects how other processes use the Kerberos Extension credential. Allowed values: - `always`: The system always uses the credential if the SPN matches the Kerberos Extension `Hosts` array and the caller hasn't specified another credential. However, the system won't use the credential if the calling app isn't in the `credentialBundleIDACL`. - `whenNotSpecified`: The system only uses the extension credential if the SPN matches the Kerberos Extension `Hosts` array. However, the system won't use the credential if the calling app isn't in the `credentialBundleIDACL`. - `kerberosDefault`: The system uses the default Kerberos processes to select credentials, and normally uses the default Kerberos credential. This is the same as turning off this capability. Available in macOS 11 and later.
stringoptionalalways
Yes
iOS (14.0+)macOS (11.0+)
└─
preferredKDCs
preferredKDCs
The ordered list of preferred Key Distribution Centers (KDCs) to use for Kerberos traffic. Use this if the servers aren't discoverable through DNS. If the servers are specified, then the system uses them for both connectivity checks and attempts to use them first for Kerberos traffic. If the servers don't respond, the device falls back to DNS discovery. Format each entry the same as it would be in a `krb5.conf` file, for example: - `adserver1.example.com` - `tcp/adserver1.example.com:88` - `kkdcp://kerberosproxy.example.com:443/kkdcp`
1 subkey
arrayoptional
Yes
iOS (15.0+)macOS (12.0+)
└─ └─
preferredKDC
preferredKDC
A host or domain name in the format of [protocol/]hostname[:port][/path]
stringrequired
No
iOS (13.0+)macOS (10.15+)visionOS (1.1+)
└─
usePlatformSSOTGT
usePlatformSSOTGT
If `true`, the system requires this configuration uses a TGT from Platform SSO instead of requesting a new one. Available in macOS 13 and later.
booleanoptionalfalse
Yes
macOS (13.0+)
└─
allowPlatformSSOAuthFallback
allowPlatformSSOAuthFallback
If `true` and `usePlatformSSOTGT` is `true`, the system allows the user to manually sign in. Available in macOS 13 and later.
booleanoptionaltrue
Yes
macOS (13.0+)
└─
performKerberosOnly
performKerberosOnly
If `true`, the Kerberos Extension handles Kerberos requests only. It doesn't check for password expiration, show the password expiration in the menu, check for external password changes, perform password sync, or retrieve the home directory. Available in macOS 13 and later.
booleanoptionalfalse
Yes
iOS (16.0+)macOS (13.0+)
└─
identityIssuerAutoSelectFilter
identityIssuerAutoSelectFilter
A string with wildcards that can use used to filter the list of available SmartCards by issuer. e.g "\*My CA2\*". If there is one remaining, it will be auto-selected. If there more than one remaining, then the list is shorter. Available in macOS 15 and later.
stringoptional
Yes
macOS (15.0+)
└─
allowSmartCard
allowSmartCard
If `true`, allow the user to switch the user interface to SmartCard mode. Available in macOS 15 and later.
booleanoptionaltrue
Yes
macOS (15.0+)
└─
allowPassword
allowPassword
If `true`, allow the user to switch the user interface to Password mode. Available in macOS 15 and later.
booleanoptionaltrue
Yes
macOS (15.0+)
└─
startInSmartCardMode
startInSmartCardMode
If `true`, the user interface will start in SmartCard mode. Available in macOS 15 and later.
booleanoptionalfalse
Yes
macOS (15.0+)
Hosts
Hosts
One or more host or domain names for which the app extension performs SSO. The system: - Matches host or domain names case-insensitively - Requires that all the host and domain names of all installed Extensible SSO payloads are unique > Note: > Host names that begin with a "." are wildcard suffixes that match all subdomains; otherwise the host name needs be an exact match.
1 subkey
arrayoptional
No
iOS (13.0+)macOS (10.15+)visionOS (1.1+)
└─
hostname
hostname
A host or domain name. Values that begin with a "." will be used as domain names.
stringrequired
No
iOS (13.0+)macOS (10.15+)visionOS (1.1+)