Configuring PingID desktop app for Safari on macOS

This section documents the new PingID desktop application.

To enable a seamless, passwordless sign-on experience for macOS users, you need to deploy specific configuration profiles using a Mobile Device Management (MDM) solution. This configuration uses the Apple Extensible SSO framework to enable passwordless sign-on using the PingID desktop app.

- This integration provides a passwordless sign-on experience for users accessing protected resources from the Safari browser, as well as compatible native macOS applications.
- The user must authenticate with their biometrics each time they sign on from Safari and compatible native macOS applications.
Required MDM configuration profiles

Deploy the following configuration profiles to the user's device using your MDM solution.

- SSO extension profile: Defines how macOS communicates with the PingID desktop SSO extension.
- Associated domain profile: Enables Safari and the macOS operating system to securely recognize and interact with the SSO extension for the defined domains.
SSO extension profile

This profile identifies the PingID desktop SSO extension as the designated SSO handler for the listed URLs.

| Key | Value | Description |
|---|---|---|
| `ExtensionIdentifier` | `com.pingidentity.pingid.desktop.ssoe` | The identifier of the PingID desktop SSO extension. |
| `TeamIdentifier` | `6U3RF4C84N` | The team identifier of the PingID desktop SSO extension. |
| `Type` | `Redirect` | Specifies that authentication requests should be redirected to the specified PingID endpoints. |
| `URLs` | Array of domains | Specifies the allowed public endpoints that trigger the SSO extension. |

```xml
<dict>
    <key>ExtensionIdentifier</key>
    <string>com.pingidentity.pingid.desktop.ssoe</string>
    <key>TeamIdentifier</key>
    <string>6U3RF4C84N</string>
    <key>Type</key>
    <string>Redirect</string>
    <key>URLs</key>
    <array>
        <string>https://apps.pingone.com/pingid/desktop</string>
        <string>https://yourdomain.com/pingid/desktop</string>
    </array>
</dict>
```
Associated domain profile

The associated domain profile allows macOS and Safari to securely communicate with the SSO extension through defined domain associations. For a complete guide to configuring this profile, refer to the Apple Platform Deployment Guide.

| Key | Value | Description |
|---|---|---|
| `AssociatedDomains` | Array of domains | Lists domains authorized for secure authentication services, using the `authsrv:` prefix. |

```xml
<dict>
    <key>AssociatedDomains</key>
    <array>
        <string>authsrv:apps.pingone.com</string>
        <string>authsrv:yourdomain.com</string>
    </array>
</dict>
```

Every domain listed in the `URLs` array of the SSO extension profile must appear in the `AssociatedDomains` array. Mismatched or missing entries block the authentication redirection.
Establishing trust when using a custom domain

If you're using a custom domain (for example, yourdomain.com), you'll need to establish trust between your domain and the PingID desktop SSO extension. To do so, you must host an apple-app-site-association file in the domain's /.well-known/ directory (for example, https://yourdomain.com/.well-known/apple-app-site-association). This file is required for your custom domain to function correctly when users sign on.

Learn more in Supporting Associated Domains in the Apple documentation.

```json
{
    "authsrv": {
        "apps": [
            "6U3RF4C84N.com.pingidentity.pingid.desktop"
        ]
    }
}
```

apple-app-site-association file parameters

| Parameter | Description |
|---|---|
| `authsrv` | Defines the authentication service configuration for the domain. |
| `apps` | Lists the authorized app identifiers that can use the associated domain for passwordless sign-on. This value is a combination of the PingID desktop app's `TeamIdentifier` and bundle identifier (`6U3RF4C84N.com.pingidentity.pingid.desktop` in the example above). |
Configuration steps

1. (Optional) If you're using a custom domain, host the `apple-app-site-association` file in your domain's `/.well-known/` directory. You must complete this step before you deploy the MDM profiles to your users' devices.
2. In the MDM:
   - Create the SSO extension profile using the XML snippet. Make sure that:
     - The `ExtensionIdentifier` and `TeamIdentifier` values match the PingID desktop SSO extension values.
     - You populate the `URLs` array with all required PingID endpoints, following the pattern `<domain>/pingid/desktop`.
   - Create the associated domain profile.
     - Make sure you include every domain listed in the `URLs` array from the SSO extension profile in the `AssociatedDomains` array, using the required `authsrv:` prefix.
3. Use your MDM to deploy the SSO extension profile and the associated domain profile to all target macOS devices.
4. To test the configuration, from Safari, launch a protected application or service to trigger the PingID passwordless sign-on flow.
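Because a mismatch between the SSO extension profile, the associated domain profile and the apple-app-site-association file silently blocks the redirection, it helps to check the three artifacts against each other before deploying them. The following Python script is an added example, not part of the PingID documentation; it wraps this page's `<dict>` fragments as complete plists (the associated domain profile sample is constructed to omit yourdomain.com), and assumes the app bundle identifier is the one shown in the page's apple-app-site-association sample.

```python
import json
import plistlib
from urllib.parse import urlparse

# Constructed samples: the page's <dict> fragments wrapped as complete plists.
# The associated domain profile deliberately omits yourdomain.com to show a miss.
SSO_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?><plist version="1.0"><dict>
<key>ExtensionIdentifier</key><string>com.pingidentity.pingid.desktop.ssoe</string>
<key>TeamIdentifier</key><string>6U3RF4C84N</string>
<key>Type</key><string>Redirect</string>
<key>URLs</key><array>
<string>https://apps.pingone.com/pingid/desktop</string>
<string>https://yourdomain.com/pingid/desktop</string>
</array></dict></plist>"""
DOMAINS_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?><plist version="1.0"><dict>
<key>AssociatedDomains</key><array>
<string>authsrv:apps.pingone.com</string>
</array></dict></plist>"""
AASA = '{"authsrv": {"apps": ["6U3RF4C84N.com.pingidentity.pingid.desktop"]}}'


def check_profiles(sso_plist, domains_plist, aasa_json,
                   app_bundle_id="com.pingidentity.pingid.desktop"):
    """Return the mismatches found; an empty list means the three artifacts agree.
    app_bundle_id defaults to the app identifier in the page's AASA sample (assumption)."""
    sso = plistlib.loads(sso_plist)
    associated = set(plistlib.loads(domains_plist).get("AssociatedDomains", []))
    aasa_apps = json.loads(aasa_json).get("authsrv", {}).get("apps", [])
    problems = []
    if sso.get("Type") != "Redirect":
        problems.append("Type must be Redirect")
    for url in sso.get("URLs", []):
        parts = urlparse(url)
        if parts.scheme != "https" or not parts.hostname:
            problems.append(f"URL is not an https endpoint: {url}")
            continue
        if parts.path != "/pingid/desktop":
            problems.append(f"URL does not follow <domain>/pingid/desktop: {url}")
        # Every URL host must appear in AssociatedDomains with the authsrv: prefix.
        if f"authsrv:{parts.hostname}" not in associated:
            problems.append(f"AssociatedDomains is missing authsrv:{parts.hostname}")
    # The AASA file must authorize <TeamIdentifier>.<app bundle id>.
    expected = f'{sso.get("TeamIdentifier", "")}.{app_bundle_id}'
    if expected not in aasa_apps:
        problems.append(f"apple-app-site-association does not authorize {expected}")
    return problems


if __name__ == "__main__":
    for problem in check_profiles(SSO_PROFILE, DOMAINS_PROFILE, AASA):
        print(problem)
```

Run against exported profiles and the hosted AASA file, the script reports each missing `authsrv:` entry or unauthorized app identifier before users hit the blocked redirection.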