Configuring PingID desktop app for Safari on macOS

This section documents the new PingID desktop application.

To enable a seamless, passwordless sign-on experience for macOS users, you must deploy specific configuration profiles to their devices using a Mobile Device Management (MDM) solution.

This configuration uses the Apple Extensible SSO framework to enable passwordless sign-on using the PingID desktop app.

  • This integration provides a passwordless sign-on experience for users accessing protected resources from the Safari browser, as well as compatible native macOS applications.

  • The user must authenticate with their biometrics each time they sign on from Safari and compatible native macOS applications.

Required MDM configuration profiles

Deploy the following configuration profiles to the user’s device using your MDM solution.

  • SSO extension profile: Defines how macOS communicates with the PingID desktop SSO extension.

  • Associated domain profile: Enables Safari and the macOS operating system to securely recognize and interact with the SSO extension for the defined domains.

SSO extension profile

This profile identifies the PingID desktop SSO extension as the designated SSO handler for the listed URLs.

  • ExtensionIdentifier (value: com.pingidentity.pingid.desktop.ssoe): Must match the PingID desktop SSO extension’s bundle identifier.

  • TeamIdentifier (value: 6U3RF4C84N): Must match the Apple Team ID that signed the PingID desktop SSO extension. An incorrect value prevents the extension from loading.

  • Type (value: Redirect): Specifies that authentication requests should be redirected to the specified PingID endpoints.

  • URLs (value: array of domains): Specifies the allowed public endpoints that trigger the SSO extension.

Example XML Payload Snippet (to implement in the MDM)
<dict>
    <key>ExtensionIdentifier</key>
    <string>com.pingidentity.pingid.desktop.ssoe</string>
    <key>TeamIdentifier</key>
    <string>6U3RF4C84N</string>
    <key>Type</key>
    <string>Redirect</string>
    <key>URLs</key>
    <array>
        <string>https://apps.pingone.com/pingid/desktop</string>
        <string>https://yourdomain.com/pingid/desktop</string>
    </array>
</dict>

Associated domain profile

The associated domain profile allows macOS and Safari to securely communicate with the SSO extension through defined domain associations. For a complete guide to configuring this profile, refer to the Apple Platform Deployment Guide.

  • AssociatedDomains (value: array of domains): Lists the domains authorized for secure authentication services, each using the authsrv: prefix.

Example XML Payload Snippet (for implementation in the MDM)
<dict>
    <key>AssociatedDomains</key>
    <array>
        <string>authsrv:apps.pingone.com</string>
        <string>authsrv:yourdomain.com</string>
    </array>
</dict>

Every <domain> entry listed in the URLs array of the SSO extension profile must have a corresponding entry in the AssociatedDomains array using the authsrv: prefix. Mismatched or missing entries block the authentication redirection.

Establishing trust when using a custom domain

If you’re using a custom domain (for example, yourdomain.com), you’ll need to establish trust between your domain and the PingID desktop SSO extension. To do so, you must host an apple-app-site-association file in the domain’s /.well-known/ directory (for example, https://yourdomain.com/.well-known/apple-app-site-association). This file is required for your custom domain to function correctly when users sign on.

Learn more in Supporting Associated Domains in the Apple documentation.

Example apple-app-site-association File Payload
{
  "authsrv": {
    "apps": [
      "6U3RF4C84N.com.pingidentity.pingid.desktop"
    ]
  }
}

apple-app-site-association file parameters

  • authsrv: Defines the authentication service configuration for the domain.

  • apps: Lists the authorized app identifiers that can use the associated domain for passwordless sign-on. Each value is a combination of the PingID desktop app’s Team ID (6U3RF4C84N) and bundle ID (com.pingidentity.pingid.desktop).


Configuration steps

  1. (Optional) If you’re using a custom domain, host the apple-app-site-association file in your domain’s /.well-known/ directory. You must complete this step before you deploy the MDM profiles to your user’s devices.

  2. In the MDM:

    1. Create the SSO extension profile using the XML snippet. Make sure that:

      • The ExtensionIdentifier and TeamIdentifier values match the PingID desktop SSO extension values.

      • You populate the URLs array with all required PingID endpoints, following the pattern <domain>/pingid/desktop.

    2. Create the associated domain profile.

      • Make sure you include every domain listed in the URLs array of the SSO extension profile in the AssociatedDomains array, using the required authsrv: prefix.

  3. Use your MDM to deploy the SSO extension profile and the associated domain profile to all target macOS devices.

  4. To test the configuration, launch a protected application or service from Safari to trigger the PingID passwordless sign-on flow.
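Before step 3 deploys anything, the three artifacts described on this page can be checked against each other offline. The following is an added example, not code from Ping Identity or Apple: it parses the SSO extension profile and the associated domain profile with Python's plistlib, checks the ExtensionIdentifier and TeamIdentifier values and the https://<domain>/pingid/desktop URL pattern, confirms every URL host has a matching authsrv: entry, and, for a custom domain, confirms the apple-app-site-association file lists the app's TeamID.BundleID. The payloads are constructed samples mirroring this page's snippets, and check_profiles is an assumed helper name.

```python
import json
import plistlib
from urllib.parse import urlparse

# Identifiers taken from this page: the PingID extension, Team ID and desktop app bundle ID.
EXPECTED_EXTENSION = "com.pingidentity.pingid.desktop.ssoe"
EXPECTED_TEAM = "6U3RF4C84N"
EXPECTED_APP = "com.pingidentity.pingid.desktop"

# Constructed sample payloads mirroring the page's snippets; the associated domain
# profile deliberately omits yourdomain.com so the mismatch is caught.
SSO_PLIST = b"""<plist version="1.0"><dict>
<key>ExtensionIdentifier</key><string>com.pingidentity.pingid.desktop.ssoe</string>
<key>TeamIdentifier</key><string>6U3RF4C84N</string>
<key>Type</key><string>Redirect</string>
<key>URLs</key><array>
<string>https://apps.pingone.com/pingid/desktop</string>
<string>https://yourdomain.com/pingid/desktop</string>
</array></dict></plist>"""
ASSOC_PLIST = b"""<plist version="1.0"><dict>
<key>AssociatedDomains</key><array><string>authsrv:apps.pingone.com</string></array>
</dict></plist>"""
AASA_JSON = b'{"authsrv": {"apps": ["6U3RF4C84N.com.pingidentity.pingid.desktop"]}}'


def check_profiles(sso_plist: bytes, assoc_plist: bytes, aasa_json: bytes = None) -> list:
    """Return the problems found; an empty list means the artifacts agree."""
    problems = []
    sso = plistlib.loads(sso_plist)
    assoc = plistlib.loads(assoc_plist)
    if sso.get("ExtensionIdentifier") != EXPECTED_EXTENSION:
        problems.append("ExtensionIdentifier does not match the PingID SSO extension")
    if sso.get("TeamIdentifier") != EXPECTED_TEAM:
        problems.append("TeamIdentifier does not match the Team ID that signed the extension")
    # Every URL must be https and follow the <domain>/pingid/desktop pattern.
    hosts = set()
    for url in sso.get("URLs", []):
        parsed = urlparse(url)
        if parsed.scheme != "https" or parsed.path != "/pingid/desktop":
            problems.append(f"URL does not follow https://<domain>/pingid/desktop: {url}")
        hosts.add(parsed.hostname)
    # Every URL host needs a matching authsrv: entry, otherwise the redirect is blocked.
    authsrv = {d[len("authsrv:"):] for d in assoc.get("AssociatedDomains", []) if d.startswith("authsrv:")}
    problems += [f"missing AssociatedDomains entry: authsrv:{h}" for h in sorted(hosts - authsrv)]
    # For a custom domain, the hosted AASA file must authorize TeamID.BundleID of the app.
    if aasa_json is not None:
        apps = json.loads(aasa_json).get("authsrv", {}).get("apps", [])
        if f"{EXPECTED_TEAM}.{EXPECTED_APP}" not in apps:
            problems.append("apple-app-site-association does not list the PingID desktop app")
    return problems
```

Run it against the plist XML exported from your MDM and the file served at https://<yourdomain>/.well-known/apple-app-site-association; the sample as written reports the missing authsrv:yourdomain.com entry.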