Platform Single Sign-on for macOS
With Platform Single Sign-on (Platform SSO), developers can build SSO extensions that extend to the macOS login window, allowing users to synchronize local account credentials with an identity provider (IdP). The local account password is automatically kept in sync, so the cloud password and local passwords match. Users can also unlock their Mac with Touch ID and Apple Watch.
Platform SSO requires the following:
The Mac must have macOS 13 or later installed.
A mobile device management (MDM) solution that supports the Extensible Single Sign-on payload which includes support for Platform SSO
Support from the IdP for the Platform SSO authentication protocol
One of two supported authentication methods:
Authentication with a Secure Enclave–backed key: With this method, a user who logs in to their Mac can use a Secure Enclave–backed key to authenticate with the IdP without a password. The Secure Enclave key is set up with the IdP during the user registration process.
Password authentication: With this method, a user authenticates with a local password or an IdP password.
Note: If the Mac is unenrolled from the MDM solution, it’s also unregistered from the IdP.
Platform SSO features
Feature | Minimum supported operating system | Description |
---|---|---|
Require authentication | macOS 15 | Requires IdP authentication across FileVault, the Lock Screen, and the login window. |
Require authentication | macOS 15 | Optionally configure offline and authentication grace period, so that users can log in or unlock the screen when they’re offline. |
Require authentication | macOS 15 | Optionally configure Touch ID or Apple Watch to unlock the screen. |
User enrollment and registration status in System Settings | macOS 14 | Users can register their device or their user account for use with SSO in System Settings. The menu item also displays the current registration status and indicates any errors that may have occurred, providing improved user transparency. This lets the user know if the registration needs to be completed again. |
Local account creation by users | macOS 14 | To facilitate account management in shared deployments, users can use their IdP user name and password or a smart card to log into a Mac with FileVault unlocked and create a local account. The new
|
Using nonlocal IdP user accounts at authorization prompts | macOS 14 | Platform SSO expands the use of IdP credentials to users who don’t have a local user account on the Mac for authorization purposes. These accounts use the same groups as Group management. For example, if the user is a member of one of the administrator groups, the account can be used at macOS administrator authorization prompts. This excludes any authorization prompts that require secure token, ownership permissions, or authentication by the currently logged in user. |
Updating group membership of users when they authenticate with their IdP | macOS 14 | Group membership can be used to granularly manage permissions of IdP users in macOS. Every time a user authenticates with the IdP, their group membership is updated. There are three array keys available to define group membership:
|
WS-Trust federation | macOS 13.3 | Allows Platform SSO to successfully authenticate users when their account is managed by an IdP federated with Microsoft Entra ID. |