---
title: Configuring PingID desktop app for Safari on macOS
description: This section documents the new PingID desktop application.
component: pingone
page_id: pingone:strong_authentication_mfa:p1_pid_desktop_app_v2_mac_sso_extension_integration
canonical_url: https://docs.pingidentity.com/pingone/strong_authentication_mfa/p1_pid_desktop_app_v2_mac_sso_extension_integration.html
section_ids:
  required-mdm-configuration-profiles: Required MDM configuration profiles
  sso-extension-profile: SSO extension profile
  associated-domain-profile: Associated domain profile
  establishing-trust-when-using-a-custom-domain: Establishing trust when using a custom domain
  apple-app-site-association-file-parameters: apple-app-site-association file parameters
  configuration-steps: Configuration steps
---

# Configuring PingID desktop app for Safari on macOS

> This section documents the new PingID desktop application.
>
> - For the legacy PingID desktop application, go to [PingID desktop app (legacy)](p1_pid_desktop_app_v1.html).
> - To understand the difference between the PingID desktop app and the PingID desktop app (Legacy), go to [PingID desktop app (workforce only)](p1_pid_desktop_app_version_overview.html).

To give macOS users a seamless, passwordless sign-on experience, you deploy two configuration profiles to their devices using a Mobile Device Management (MDM) solution.

This configuration uses the Apple Extensible Single Sign-On (SSO) framework to enable passwordless sign-on through the PingID desktop app.

* The integration provides a passwordless sign-on experience for users accessing protected resources from the Safari browser and from compatible native macOS applications.

* The user must authenticate with their biometrics each time they sign on from Safari or a compatible native macOS application.

## Required MDM configuration profiles

Deploy the following configuration profiles to the user's device using your MDM solution.

* [SSO extension profile](#sso-extension-profile): Defines how macOS communicates with the PingID desktop SSO extension.

* [Associated domain profile](#associated-domain-profile): Enables Safari and the macOS operating system to securely recognize and interact with the SSO extension for the defined domains.

## SSO extension profile

This profile identifies the PingID desktop SSO extension as the designated SSO handler for the listed URLs.

| Key                   | Value                                  | Description                                                                                                                                             |
| --------------------- | -------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `ExtensionIdentifier` | `com.pingidentity.pingid.desktop.ssoe` | The `ExtensionIdentifier` must match the PingID desktop SSO extension's bundle identifier.                                                              |
| `TeamIdentifier`      | `6U3RF4C84N`                           | The `TeamIdentifier` must match the Apple Team ID that signed the PingID desktop SSO extension. An incorrect value prevents the extension from loading. |
| `Type`                | `Redirect`                             | Specifies a redirect-type extension: macOS intercepts requests for the URL prefixes in `URLs` and hands them to the PingID desktop SSO extension, which performs the authentication. |
| `URLs`                | Array of URL prefixes                  | The public PingID endpoints that trigger the SSO extension. A request whose URL starts with one of these prefixes is routed to the extension. Each entry follows the pattern `https://<domain>/pingid/desktop`. |

Example XML Payload Snippet (to implement in the MDM)

```xml
<dict>
    <key>ExtensionIdentifier</key>
    <string>com.pingidentity.pingid.desktop.ssoe</string>
    <key>TeamIdentifier</key>
    <string>6U3RF4C84N</string>
    <key>Type</key>
    <string>Redirect</string>
    <key>URLs</key>
    <array>
        <string>https://apps.pingone.com/pingid/desktop</string>
        <string>https://yourdomain.com/pingid/desktop</string>
    </array>
</dict>
```

## Associated domain profile

The associated domain profile allows macOS and Safari to securely communicate with the SSO extension through defined domain associations. For a complete guide to configuring this profile, refer to the [Apple Platform Deployment Guide](https://support.apple.com/en-in/guide/deployment/dep76bf64513/web).

| Key                 | Value            | Description                                                                               |
| ------------------- | ---------------- | ----------------------------------------------------------------------------------------- |
| `AssociatedDomains` | Array of domains | Lists domains authorized for secure authentication services, using the `authsrv:` prefix. |

Example XML Payload Snippet (for implementation in the MDM)

```xml
<dict>
    <key>AssociatedDomains</key>
    <array>
        <string>authsrv:apps.pingone.com</string>
        <string>authsrv:yourdomain.com</string>
    </array>
</dict>
```

> The host of every URL in the `URLs` array of the SSO extension profile must have a corresponding entry in the `AssociatedDomains` array of the associated domain profile, using the `authsrv:` prefix. For example, `https://yourdomain.com/pingid/desktop` requires `authsrv:yourdomain.com`. Mismatched or missing entries block the authentication redirection.
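The consistency rule above is easy to break when the two profiles are edited in different places in the MDM. The following script is an added example (not Ping Identity's code or documentation) that parses both payload dictionaries as plists and reports anything that would stop the redirect: a wrong `ExtensionIdentifier`, `TeamIdentifier` or `Type`, a URL that is not `https` or does not follow the `<domain>/pingid/desktop` pattern, and a URL host with no matching `authsrv:` entry. The sample payloads are constructed; `sso.example.net` is a hypothetical third endpoint deliberately left out of `AssociatedDomains` so the check has something to report.

```python
"""Pre-deployment consistency check for the two PingID desktop MDM payloads.

Added example (not Ping Identity's code or documentation). It parses the two
payload dictionaries shown on this page and reports anything that would stop
the redirect from working: a wrong ExtensionIdentifier, TeamIdentifier or
Type, a URL that is not https or does not follow <domain>/pingid/desktop, and
a URL host with no matching authsrv: entry in AssociatedDomains.
"""
import plistlib
from urllib.parse import urlsplit

# Values documented on this page for the PingID desktop SSO extension.
EXPECTED_EXTENSION_ID = "com.pingidentity.pingid.desktop.ssoe"
EXPECTED_TEAM_ID = "6U3RF4C84N"
EXPECTED_TYPE = "Redirect"
EXPECTED_PATH = "/pingid/desktop"

PLIST_HEAD = (b'<?xml version="1.0" encoding="UTF-8"?>\n'
              b'<plist version="1.0">\n')
PLIST_TAIL = b"</plist>\n"

# Constructed sample payloads, as they would sit inside a .mobileconfig.
# sso.example.net is a hypothetical third endpoint that is deliberately
# missing from AssociatedDomains so the check has something to report.
SSO_PAYLOAD = PLIST_HEAD + b"""<dict>
    <key>ExtensionIdentifier</key>
    <string>com.pingidentity.pingid.desktop.ssoe</string>
    <key>TeamIdentifier</key>
    <string>6U3RF4C84N</string>
    <key>Type</key>
    <string>Redirect</string>
    <key>URLs</key>
    <array>
        <string>https://apps.pingone.com/pingid/desktop</string>
        <string>https://yourdomain.com/pingid/desktop</string>
        <string>https://sso.example.net/pingid/desktop</string>
    </array>
</dict>
""" + PLIST_TAIL

ASSOCIATED_DOMAINS_PAYLOAD = PLIST_HEAD + b"""<dict>
    <key>AssociatedDomains</key>
    <array>
        <string>authsrv:apps.pingone.com</string>
        <string>authsrv:yourdomain.com</string>
    </array>
</dict>
""" + PLIST_TAIL


def check_profiles(sso_plist: bytes, domains_plist: bytes) -> list:
    """Return a list of findings; an empty list means the payloads agree."""
    sso = plistlib.loads(sso_plist)
    domains = plistlib.loads(domains_plist)
    findings = []

    for key, expected in (("ExtensionIdentifier", EXPECTED_EXTENSION_ID),
                          ("TeamIdentifier", EXPECTED_TEAM_ID),
                          ("Type", EXPECTED_TYPE)):
        if sso.get(key) != expected:
            findings.append(f"{key} is {sso.get(key)!r}, expected {expected!r}")

    # Collect the bare hosts that carry the authsrv: prefix; anything else
    # in AssociatedDomains does not authorise the SSO extension.
    authsrv_hosts = set()
    for entry in domains.get("AssociatedDomains", []):
        service, sep, host = entry.partition(":")
        if sep and service == "authsrv" and host:
            authsrv_hosts.add(host.lower())
        else:
            findings.append(f"AssociatedDomains entry {entry!r} lacks the authsrv: prefix")

    urls = sso.get("URLs", [])
    if not urls:
        findings.append("URLs array is empty; a Redirect extension never triggers")
    for url in urls:
        parts = urlsplit(url)
        if parts.scheme != "https":
            findings.append(f"{url}: scheme must be https")
        if parts.path != EXPECTED_PATH:
            findings.append(f"{url}: path must be {EXPECTED_PATH}")
        if not parts.hostname:
            findings.append(f"{url}: no host")
        elif parts.hostname.lower() not in authsrv_hosts:
            findings.append(f"{url}: no authsrv:{parts.hostname} entry in AssociatedDomains")
    return findings


if __name__ == "__main__":
    for line in check_profiles(SSO_PAYLOAD, ASSOCIATED_DOMAINS_PAYLOAD) or ["OK: payloads are consistent"]:
        print(line)
```

Run it against the payload dictionaries exported from your MDM before pushing the profiles; the path check is deliberately strict, so a trailing slash or a different path also shows up as a finding.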

## Establishing trust when using a custom domain

If you're using a custom domain (for example, `yourdomain.com`), you need to establish trust between your domain and the PingID desktop SSO extension. To do so, host an **`apple-app-site-association`** file in the domain's `/.well-known/` directory (for example, `https://yourdomain.com/.well-known/apple-app-site-association`). Apple fetches this file over HTTPS; serve it with the `application/json` content type, without a file extension, and without redirects. The file is required for your custom domain to work when users sign on.

Learn more in [Supporting Associated Domains](https://developer.apple.com/documentation/xcode/supporting-associated-domains) in the Apple documentation.

Example apple-app-site-association File Payload

```json
{
  "authsrv": {
    "apps": [
      "6U3RF4C84N.com.pingidentity.pingid.desktop"
    ]
  }
}
```

### `apple-app-site-association` file parameters

| Parameter | Description                                                                                                                                                                                                                            |
| --------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `authsrv` | Defines the authentication service configuration for the domain.                                                                                                                                                                       |
| `apps`    | Lists the app identifiers authorized to use the associated domain for passwordless sign-on. Each identifier is the PingID desktop app's Team ID (`6U3RF4C84N`), a dot, and the app's bundle ID (`com.pingidentity.pingid.desktop`). This is the app's bundle ID, not the extension's `com.pingidentity.pingid.desktop.ssoe`. |

***

## Configuration steps

1. (Optional) If you're using a custom domain, host the **`apple-app-site-association`** file in your domain's `/.well-known/` directory. Complete this step before you deploy the MDM profiles to your users' devices.

2. In the MDM:

   1. Create the **SSO extension profile** using the [XML snippet](#sso-extension-profile). Make sure that:

      * The `ExtensionIdentifier` and `TeamIdentifier` values match the PingID desktop SSO extension values.

      * You populate the `URLs` array with all required PingID endpoints, following the pattern `https://<domain>/pingid/desktop`.

   2. Create the **associated domain profile** using the [XML snippet](#associated-domain-profile).

      * Make sure you include the host of every URL listed in the `URLs` array of the SSO extension profile in the `AssociatedDomains` array, using the required `authsrv:` prefix.

3. Use your MDM to deploy the SSO extension profile and the associated domain profile to all target macOS devices.

4. To test the configuration, from Safari, launch a protected application or service to trigger the PingID passwordless sign-on flow.
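Step 1 is where custom-domain deployments most often fail silently: the file is served but lists the wrong identifier, or a host in `URLs` has no file at all. The following added example (not Ping Identity's code) derives the custom domains from the `URLs` array, treating only `apps.pingone.com` as Ping-hosted, and validates the `apple-app-site-association` body for each one: valid JSON, an `authsrv.apps` array, well-formed `<TeamID>.<bundle ID>` entries, and the PingID desktop app identifier present. The URL list and the two file bodies are constructed samples embedded inline so it runs offline; in practice you pass in the body downloaded from `https://<domain>/.well-known/apple-app-site-association`.

```python
"""Validate a custom domain's apple-app-site-association file for the
PingID desktop app's authsrv service.

Added example, not Ping Identity's code. The URLs array and the file bodies
below are constructed samples; replace them with the URLs from your SSO
extension profile and the body fetched from each custom domain.
"""
import json
import re
from urllib.parse import urlsplit

TEAM_ID = "6U3RF4C84N"
APP_BUNDLE_ID = "com.pingidentity.pingid.desktop"   # the app, not the .ssoe extension
EXPECTED_APP_ID = f"{TEAM_ID}.{APP_BUNDLE_ID}"
PING_HOSTED_HOST = "apps.pingone.com"               # Ping serves its own file here

# Apple app identifier: 10-character Team ID, a dot, then the bundle ID.
APP_ID_RE = re.compile(r"^[A-Z0-9]{10}\.[A-Za-z0-9][A-Za-z0-9.-]*$")

# URLs array from the SSO extension profile (constructed sample).
SSO_URLS = [
    "https://apps.pingone.com/pingid/desktop",
    "https://yourdomain.com/pingid/desktop",
]

# Constructed sample file bodies: one correct, one that lists the
# extension's identifier instead of the app's (a common mistake).
AASA_GOOD = '{"authsrv": {"apps": ["6U3RF4C84N.com.pingidentity.pingid.desktop"]}}'
AASA_WRONG_APP = '{"authsrv": {"apps": ["6U3RF4C84N.com.pingidentity.pingid.desktop.ssoe"]}}'


def custom_domains(urls):
    """Hosts in the URLs array for which you must serve an AASA file."""
    hosts = []
    for url in urls:
        host = urlsplit(url).hostname
        if host and host.lower() != PING_HOSTED_HOST and host.lower() not in hosts:
            hosts.append(host.lower())
    return hosts


def check_aasa(body: str) -> list:
    """Return findings for one AASA document; an empty list means it is usable."""
    findings = []
    try:
        doc = json.loads(body)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg}"]
    if not isinstance(doc, dict):
        return ["top level must be a JSON object"]
    authsrv = doc.get("authsrv")
    if not isinstance(authsrv, dict):
        return ["missing authsrv object"]
    apps = authsrv.get("apps")
    if not isinstance(apps, list):
        return ["authsrv.apps must be an array"]
    for app in apps:
        if not isinstance(app, str) or not APP_ID_RE.match(app):
            findings.append(f"malformed app identifier: {app!r}")
    if EXPECTED_APP_ID not in apps:
        findings.append(f"authsrv.apps does not contain {EXPECTED_APP_ID}")
    return findings


def check_all(urls, aasa_by_host):
    """Map each custom domain to its findings; a missing file is a finding too."""
    result = {}
    for host in custom_domains(urls):
        body = aasa_by_host.get(host)
        result[host] = ["no apple-app-site-association file served"] if body is None else check_aasa(body)
    return result


if __name__ == "__main__":
    for host, findings in check_all(SSO_URLS, {"yourdomain.com": AASA_WRONG_APP}).items():
        print(host, findings or "OK")
```

When you fetch the real file, also confirm that the response came over HTTPS with no redirect and a `Content-Type` of `application/json`; those are transport requirements the body check cannot see.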
