---
title: Configuring Platform SSO for macOS (Workforce only)
description: How to configure macOS Platform SSO in a Workforce environment with PingFederate, including MDM profiles, PingOne connection, and PingFederate steps.
component: pingone
page_id: pingone:strong_authentication_mfa:p1_pid_psso_macos_config
canonical_url: https://docs.pingidentity.com/pingone/strong_authentication_mfa/p1_pid_psso_macos_config.html
llms_txt: https://docs.pingidentity.com/pingone/llms.txt
docs_for_agents: https://developer.pingidentity.com/build-with-ai/docs-for-agents.md
revdate: June 30, 2026
section_ids:
  whats-involved: What's involved
  before-you-begin: 1. Requirements and important information
  requirements: Requirements
  limitations-and-important-information: Limitations and important information
  configure-pingfederate: 2. Configuring a Ping Identity IdP (PingFederate)
  configuring-a-pingone-connection: Configuring a PingOne connection
  importing-the-apple-enterprise-attestation-root-ca: Importing the Apple Enterprise Attestation Root CA
  adding-the-platform-sso-scope: Adding the Platform SSO scope
  data-store: Adding a data store
  creating-a-password-credential-validator-pcv: Creating a Password Credential Validator (PCV)
  atm: Configuring an access token management instance
  oidc-policy-creation: Creating an OpenID Connect policy
  configure-oauth-client: Configuring an OAuth client for Platform SSO
  configure-platform-sso-adapter: Configuring the Mac Platform SSO adapter
  configuring-the-mac-platform-sso-jwt-bearer-grant-processor: Configuring the Mac Platform SSO JWT Bearer Grant Processor
  configuring-an-idp-connection-for-platform-sso: Configuring an IdP connection for Platform SSO
  oauth-client-set-selector: Configuring an OAuth client set authentication selector
  adding-the-mac-platform-sso-adapter-to-an-authentication-policy: Adding the Mac Platform SSO adapter to an authentication policy
  example: Example
  next-steps-in-pingfederate: Next steps in PingFederate
  configure-mdm-profiles: 3. Configuring macOS MDM profiles
  sso-extension-payload: "Payload 1: Extensible SSO (com.apple.extensiblesso)"
  core-extension-settings: Core extension settings
  extensiondata-settings: ExtensionData settings
  optional-automated-device-enrollment-ade: (Optional) Automated Device Enrollment (ADE)
  associated-domains-payload: "Payload 2: Associated Domains (com.apple.developer.associated-domains)"
  verifying-the-deployment: Verifying the deployment
  device-and-user-registration: Device and user registration
  sso-behavior: SSO behavior
  user-experience: User experience
---

# Configuring Platform SSO for macOS (Workforce only)

macOS Platform single sign-on (PSSO) integrates a user's local Mac login session with a Ping Identity IdP, automatically extending that authentication to browser-based and native applications so users don't have to sign on separately to each app.

macOS Platform SSO uses Apple's Authentication Services framework as a native, OS-level SSO mechanism and requires Apple Silicon hardware. The device and user keys that Platform SSO registers with the IdP are generated and stored in the Secure Enclave rather than in software. This reduces the risk of credential theft, enables phishing-resistant authentication, and supports your organization's security and compliance requirements.

> * PingFederate is currently the only supported identity provider (IdP) for this integration.
> * If you only need to extend SSO sessions within the Safari browser rather than at the native operating system level, go to [Configuring PingID desktop app for Safari on macOS](p1_pid_desktop_app_v2_mac_sso_extension_integration.html).

## What's involved

Setting this up requires configuring three components: your MDM solution (which pushes the Platform SSO configuration profiles to managed Macs), a PingOne Workforce environment (which PingFederate uses to store device and user registration data), and PingFederate itself, which acts as the IdP.

| Step                                                         | What you do                                                                                                     | Who does it                |
| ------------------------------------------------------------ | --------------------------------------------------------------------------------------------------------------- | -------------------------- |
| [1. Review requirements](#before-you-begin)                  | Review device, software, and enrollment requirements and limitations.                                           | MDM administrator          |
| [2. Configuring PingFederate](#configure-pingfederate)       | Configure the PingFederate side of the Platform SSO connection, including connecting PingOne with PingFederate. | PingFederate administrator |
| [3. Configuring macOS MDM profiles](#configure-mdm-profiles) | Push the required MDM configuration profiles to devices.                                                        | MDM administrator          |

## 1. Requirements and important information

### Requirements

Confirm the following requirements before you start:

| Requirement              | Details                                                                                                                                                               |
| ------------------------ | --------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| macOS version            | 15.4 Sequoia or later                                                                                                                                                 |
| Hardware                 | Apple Silicon Mac (requires Secure Enclave for key operations).                                                                                                       |
| PingID desktop app       | PingID desktop app 2.0 or later. Download the latest version [here](https://www.pingidentity.com/en/resources/downloads/pingid.html).                                 |
| PingOne for Workforce    | PingOne for Workforce license                                                                                                                                         |
| PingFederate             | Requires PingFederate 13.1 or later.                                                                                                                                  |
| Mac Platform SSO Adapter | 1.0 or later                                                                                                                                                          |
| MDM solution             | Device enrollment in a mobile device management (MDM) solution. Mac Platform SSO supports the use of any MDM vendor that implements the Apple Platform SSO protocols. |

### Limitations and important information

Be aware of the following known limitations and configuration requirements when configuring Platform SSO for macOS:

* **PingFederate Base URL format**: The PingFederate **Base URL** must not include a port number. Verify this in PingFederate under **System** > **Server** > **Federation Info**.

* **Token and user mapping names**: The claim names you define in the [OIDC policy](#oidc-policy-creation) (for example, `preferred_username`, `name`) must exactly match the `TokenToUserMapping` values in your [MDM payload](#configure-mdm-profiles). Any mismatch silently breaks the user mapping.

* **Authentication policy order**: The Mac Platform SSO adapter must be the first adapter step in your PingFederate authentication policy. Any adapter preceding it (for example, a Reference ID Adapter) prevents Platform SSO from functioning.

* **Associated domains format**: Each entry in the `AssociatedDomains` array must use the `authsrv:` prefix followed by the host domain only — no `https://`, no trailing slash, no port. For example: `authsrv:pf.example.com`. Learn more in [MDM payload 2](#associated-domains-payload).

* **Browser SSO and cookies**: When the SSO extension intercepts a browser authorization request, the browser doesn't send cookies in the request header as it would when calling the server directly. This prevents PingFederate from resuming state using cookie-based values.
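The rules above are easy to get wrong and, as noted, a claim-name mismatch fails silently. The following script is an added example (not Ping Identity or Apple code) that encodes them as checks you can run against an exported `.mobileconfig` and your PingFederate base URL before enrolling any device. The profile embedded in it is constructed: the `com.apple.extensiblesso` payload type, `TokenToUserMapping`, `AssociatedDomains` and the `authsrv:` prefix come from this page, while the `ExtensionData`/`baseUrl`, `PlatformSSO` and `Configuration` nesting is an assumption about how your MDM lays out the payload and should be adjusted to match your export.

```python
"""Pre-enrollment checks for a macOS Platform SSO configuration.

Added example, not Ping Identity or Apple code. The checks encode the rules
under "Limitations and important information". The profile below is
constructed; its key nesting (ExtensionData/baseUrl, PlatformSSO,
Configuration) is an assumption about a given MDM's layout.
"""
import plistlib
import re
from urllib.parse import urlsplit

# Bare DNS host name: dot-separated labels, no scheme, path or port.
HOST_RE = re.compile(r"^(?!-)[A-Za-z0-9-]+(?<!-)(\.(?!-)[A-Za-z0-9-]+(?<!-))+$")

# Attribute contract of the OIDC policy (step 5 of "Creating an OpenID Connect
# policy"); TokenToUserMapping may only reference claims listed here.
OIDC_ID_TOKEN_CLAIMS = {"sub", "name", "preferred_username"}


def check_base_urls(pf_base_url: str, mdm_base_url: str) -> list:
    """PingFederate Base URL carries no port, and the MDM copy matches it."""
    errors = []
    for label, url in (("PingFederate", pf_base_url), ("MDM", mdm_base_url)):
        if urlsplit(url).port is not None:
            errors.append(f"{label} Base URL {url!r} must not include a port")
    if pf_base_url.rstrip("/") != mdm_base_url.rstrip("/"):
        errors.append(f"MDM Base URL {mdm_base_url!r} differs from "
                      f"PingFederate Base URL {pf_base_url!r}")
    return errors


def check_associated_domain(entry: str) -> list:
    """'authsrv:' + bare host only: no scheme, no path or slash, no port."""
    if not entry.startswith("authsrv:"):
        return [f"{entry!r}: missing the 'authsrv:' prefix"]
    host = entry[len("authsrv:"):]
    errors = []
    if "://" in host:
        errors.append(f"{entry!r}: must not include a scheme such as https://")
    rest = host.replace("://", "")
    if "/" in rest:
        errors.append(f"{entry!r}: must not include a path or trailing slash")
    if ":" in rest:
        errors.append(f"{entry!r}: must not include a port")
    if not errors and not HOST_RE.match(host):
        errors.append(f"{entry!r}: {host!r} is not a bare host name")
    return errors


def check_token_mapping(mapping: dict, id_token_claims: set) -> list:
    """Every TokenToUserMapping value must be a claim the ID token carries;
    a mismatch raises no error on the Mac, the user simply never maps."""
    return [f"TokenToUserMapping.{key} = {claim!r} is not an ID token claim"
            for key, claim in mapping.items() if claim not in id_token_claims]


def check_profile(profile_bytes: bytes, pf_base_url: str,
                  id_token_claims: set = OIDC_ID_TOKEN_CLAIMS) -> list:
    """Run every check against a .mobileconfig and return the findings."""
    payloads = plistlib.loads(profile_bytes).get("PayloadContent", [])
    errors = []
    for p in payloads:
        if p.get("PayloadType") == "com.apple.extensiblesso":
            errors += check_base_urls(
                pf_base_url, p.get("ExtensionData", {}).get("baseUrl", ""))
            errors += check_token_mapping(
                p.get("PlatformSSO", {}).get("TokenToUserMapping", {}), id_token_claims)
        for conf in p.get("Configuration", []):
            for entry in conf.get("AssociatedDomains", []):
                errors += check_associated_domain(entry)
    return errors


# Constructed profile with three deliberate mistakes: a port in the base URL,
# FullName mapped to a claim the OIDC policy never emits, and an associated
# domain written as a URL instead of a bare host.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict><key>PayloadContent</key><array>
  <dict>
    <key>PayloadType</key><string>com.apple.extensiblesso</string>
    <key>ExtensionData</key><dict>
      <key>baseUrl</key><string>https://pf.example.com:9031</string></dict>
    <key>PlatformSSO</key><dict><key>TokenToUserMapping</key><dict>
      <key>AccountName</key><string>preferred_username</string>
      <key>FullName</key><string>full_name</string></dict></dict>
  </dict>
  <dict>
    <key>PayloadType</key><string>com.apple.developer.associated-domains</string>
    <key>Configuration</key><array><dict><key>AssociatedDomains</key><array>
      <string>authsrv:pf.example.com</string>
      <string>authsrv:https://pf.example.com/</string></array></dict></array>
  </dict>
</array></dict></plist>"""

if __name__ == "__main__":
    for finding in check_profile(SAMPLE_PROFILE, "https://pf.example.com"):
        print("FAIL:", finding)
```

Run it against the profile exported from your MDM, passing the **Base URL** shown under **System** > **Server** > **Federation Info**; every `FAIL:` line is a setting that would break registration or user mapping without producing an error on the device.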

## 2. Configuring a Ping Identity IdP (PingFederate)

Platform SSO requires a Ping Identity IdP that provides several new capabilities: issuing nonces, validating Apple device attestation, storing registration data in a PingOne workforce environment, and processing the JSON Web Token (JWT) bearer grants that Platform SSO clients send during login. It also needs an authentication policy that makes use of the resulting Platform SSO session. The steps in this section describe how to configure each of these.

### Configuring a PingOne connection

PingFederate uses PingOne to store the device and user registration data that Platform SSO flows create. You must set up the connection between the two products before you configure PingFederate. This generates the credentials you'll need in the next step.

* To connect PingFederate to PingOne, follow the steps in [Connecting PingFederate to PingOne](https://docs.pingidentity.com/integrations/pingone/pingone_mfa_integration_kit/pf_p1_mfa_ik_connecting_pf_to_p1.html).

### Importing the Apple Enterprise Attestation Root CA

The Platform SSO adapter validates the Apple-signed attestation data that devices send during registration. Before you configure the adapter, import the Apple Enterprise Attestation Root CA certificate into PingFederate's trusted CAs so that the adapter can validate the attestation chain up to Apple's root.

1. Go to [Apple PKI](https://www.apple.com/certificateauthority/private/).

2. Right-click **Apple Enterprise Attestation Root CA** and select **Save Link As**.

3. Save the file and confirm that it has a `.pem` extension and is PEM-encoded (the file begins with `-----BEGIN CERTIFICATE-----`).

4. In the PingFederate admin console, go to **Security > Certificate & Key Management > Trusted CAs**.

5. Click **Import** and select the `.pem` file you downloaded.

6. Click **Next**, then click **Save**.

Learn more in [Manage trusted certificate authorities](https://docs.pingidentity.com/pingfederate/latest/administrators_reference_guide/help_certmanagementtasklet_trustedcas_certmanagementstate.html).

### Adding the Platform SSO scope

The `urn:apple:platformsso` scope identifies requests from the Platform SSO flow. Adding it as an exclusive scope means only the OAuth clients you configure for Platform SSO can use it.

1. In the PingFederate admin console, go to **System > OAuth Settings > Scope Management**.

2. Select the **Exclusive Scopes** tab and then click **Add Exclusive Scope**.

3. Enter the following values:

   | Field       | Value                      |
   | ----------- | -------------------------- |
   | Name        | `urn:apple:platformsso`    |
   | Description | `Apple Platform SSO scope` |
   | Dynamic     | Leave unchecked            |

4. Click **Save**.

Learn more in [Scopes and scope management](https://docs.pingidentity.com/pingfederate/latest/administrators_reference_guide/pf_scopes_and_scope_management.html).

### Adding a data store

PingFederate requires a data store to verify user credentials through the Password Credential Validator (PCV), and to retrieve user attributes (such as `username` and `preferred_username`) for the ID token during token contract fulfillment. Mapping these local attributes ensures they are available for selection when [configuring the OIDC policy](#oidc-policy-creation).

You can add any supported enterprise directory. The following steps use a PingOne data store as the example repository.

> Regardless of where your primary user attributes are stored, PingOne always acts as the system of record for the underlying cryptographic identity data that macOS Platform SSO generates during device and user registration.

1. In the PingFederate admin console, go to **System** > **Data Stores**, and click **Add New Data Store**.

2. In the **Type** list, select **PingOne Data Store**.

3. Create and map the following attributes:

   | Local Attribute      | PingOne Attribute     |
   | -------------------- | --------------------- |
   | `first_name`         | `/name/given`         |
   | `last_name`          | `/name/family`        |
   | `email`              | `/email`              |
   | `username`           | `/username`           |
   | `preferred_username` | `/preferred_username` |

4. In the **PingOne Environment** field, select the PingOne environment name, and then click **Save**.

### Creating a Password Credential Validator (PCV)

PingFederate requires a Password Credential Validator (PCV) to verify user credentials against the backend directory where your user accounts reside.

You can configure the PCV to connect to any supported enterprise directory. The following steps use a PingOne data store as the example repository.

1. In the PingFederate admin console, go to **System** > **Data Stores** > **Password Credential Validators**, and click **Create New Instance**.

2. Enter an **Instance Name** and **Instance ID**.

3. In the **Type** field, select **PingOne Credential Validator**, and click **Next**.

4. Select the [data store](#data-store) you created in the previous step.

5. Click **Next**, and **Save**.

### Configuring an access token management instance

The access token management (ATM) instance defines how PingFederate structures and signs tokens throughout the Platform SSO flow. The adapter uses this instance to validate access tokens during registration; the identity provider (IdP) connection uses it to issue tokens during login. The client, adapter, and IdP connection must all reference the same ATM instance.

1. In the PingFederate admin console, go to **Applications > Access Token Management**.

2. Click **Create New Instance**.

3. In the **Type** list, select **JSON Web Tokens** and then click **Next**.

4. Select the **Use Centralized Signing Key** checkbox.

5. In the **JWS Algorithm** list, select **RSA using SHA-256**.

6. Select **Show Advanced Fields**, enter the following claim values, and then click **Next**:

   | Field                      | Value                                                                                                                                 |
   | -------------------------- | ------------------------------------------------------------------------------------------------------------------------------------- |
   | Client ID Claim Name       | `client_id`                                                                                                                           |
   | Scope Claim Name           | `scope`                                                                                                                               |
   | Space Delimit Scope Values | Deselect the checkbox.                                                                                                                |
   | Issuer Claim Value         | Your PingFederate instance URL, for example: `https://pf.example.com`                                                                 |
   | Audience Claim Value       | The OAuth **Client ID** as configured in [the OAuth client](#configure-oauth-client). You'll create this client in a subsequent step. |

7. In the **Access Token Attribute Contract** tab, use the **Extend the Contract** field and the **Add** button to add the `sub` attribute.

8. Click **Save**.

   Learn more in [Configuring an access token management instance](https://docs.pingidentity.com/pingfederate/latest/administrators_reference_guide/pf_configuring_access_token_management_instance.html).

### Creating an OpenID Connect policy

The OpenID Connect (OIDC) policy defines the specific user attributes ("claims") that the ID token returns. You'll need to map the user's profile data to the following standard claims:

* `preferred_username`: The user sign-on ID.

* `name`: The user's full name.

> Although it's possible to use custom claim names, the strings you define in this section must match the `TokenToUserMapping` values defined in the MDM payload exactly. Learn more in [configuring the MDM profile](#configure-mdm-profiles).

1. In the PingFederate admin console, go to **Applications** > **OAuth** > **OpenID Connect Policy Management**, and click **Add Policy**.

2. Enter a Policy ID and name for the policy.

3. In the **Access Token Manager** field, select the [ATM](#atm) that you created earlier.

4. Select the checkbox for the following options, and then click **Next**:

   * **Include User Info in ID Token**.

   * **Return ID Token on Refresh Grant**.

5. In the **Attribute Contract** tab, make sure the following attributes are included, and then click **Next**:

   * `sub`

   * `name`

   * `preferred_username`

6. In the **Attribute Scopes** tab:

   1. In the **Scope** list, under **OAuth Exclusive Scopes**, select the `urn:apple:platformsso` scope.

   2. Select the checkboxes for the `name` and `preferred_username` attributes, click **Add**, and then click **Next**.

7. In the **Attribute Sources & User Lookup** tab, click **Add Attribute Source** and configure the source as follows:

   * **Attribute Source ID**: `user_directory`; **Attribute Source Description**: `PingOne Datastore`.

   * **Active Data Source**: the PingOne data store that you created earlier.

   * **Configure Data Source Filters**: add a filter with **Attribute** `username` and **Value** `${sub}`, so that the user record is looked up by the `sub` claim of the access token.

8. In the **Contract Fulfillment** tab, select the following options:

   | Attribute Contract   | Source              | Value                                                                                                 |
   | -------------------- | ------------------- | ----------------------------------------------------------------------------------------------------- |
   | `sub`                | `Access token`      | `sub`                                                                                                 |
   | `preferred_username` | `PingOne Datastore` | `preferred_username`                                                                                  |
   | `name`               | `Expression`        | `#val = #this.get("ds.user_directory.first_name") + " " + #this.get("ds.user_directory.last_name")` |

   The `name` expression constructs the user's full name by concatenating the `first_name` and `last_name` attributes from the `user_directory` attribute source defined in the previous step.

9. Click **Save**.

### Configuring an OAuth client for Platform SSO

The OAuth client represents the PingID desktop app in PingFederate. During device registration, it handles the initial OpenID Connect (OIDC) flow and subsequent token refresh. When the user signs on, it processes the JWT bearer grant that the PingID desktop app uses to establish the Platform SSO session.

> You must create a **new** OIDC client for use with Platform SSO.

1. In the PingFederate admin console, go to **Applications** > **OAuth Clients** and click **+ Add Client**.

2. Enter an OAuth **Client ID** and **Name**.

3. In the **Client Authentication** field, select **None**.

4. In the **Grant Types** section, enable the following grant types:

   * **Authorization Code**

   * **Refresh Token**

   * **Assertion Grants**

5. In the **OAuth Settings** section, do the following:

   * Select **Allow Exclusive Scopes** and then select the `urn:apple:platformsso` scope.

   * In the **ID Token Signing Algorithm** field, select one of the following options:

     * **RSA using SHA-256** (`RS256`)

     * **RSA using SHA-384** (`RS384`)

     * **RSA using SHA-512** (`RS512`)

     * **RSASSA-PSS using SHA-256** (`PS256`)

     * **RSASSA-PSS using SHA-384** (`PS384`)

     * **RSASSA-PSS using SHA-512** (`PS512`)

     * **ECDSA using P256 Curve and SHA-256** (`ES256`)

     * **ECDSA using P384 Curve and SHA-384** (`ES384`)

     * **ECDSA using P521 Curve and SHA-512** (`ES512`)

   * In the **OpenID Connect Policy** field, select the OpenID Connect policy you created in the previous section.

   * In the **Redirect URIs** field, enter `pingid-desktop://callback`.

   * In **Advanced Settings**, select **Require Proof Key For Code Exchange (PKCE)**. Because the client authenticates with **None** (a native app can't keep a client secret), PKCE is what prevents an intercepted authorization code from being redeemed by anything other than the app instance that requested it.

6. In the **Token Manager, Grant, Session Settings** section, in the **Default Access Token Manager** field, select the ATM you configured earlier. The client, the Platform SSO adapter, and the IdP connection must all reference the same ATM instance.

   > The client must support a full OIDC flow and issue both an access token and an ID token. The access token's `sub` claim must match the ID token's `preferred_username` claim.

7. Save the changes.

Learn more in [Configuring OAuth clients](https://docs.pingidentity.com/pingfederate/latest/administrators_reference_guide/pf_configuring_oauth_clients.html).
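To confirm that the ATM, the OIDC policy and the client fit together as the note above requires, it helps to inspect the actual token pair that the PingID desktop app receives. The following helper is an added example, not Ping Identity code: it decodes an access token and an ID token and reports every invariant from the preceding sections that the pair violates (`client_id`, `iss`, `aud`, the `urn:apple:platformsso` scope, the `name` and `preferred_username` claims, and the `sub`/`preferred_username` match). The tokens it works on are constructed samples with placeholder signatures, and the client ID `psso-desktop` and issuer `https://pf.example.com` are assumed values. The helper deliberately does not verify signatures, so use it only to inspect tokens while troubleshooting a failed registration, never to make a trust decision.

```python
"""Claim-consistency check for the tokens issued to the Platform SSO client.

Added example, not Ping Identity code. It checks the invariants this page
states for the ATM, the OIDC policy and the OAuth client. Tokens are
constructed samples; parsing does NOT verify signatures (PingFederate and
the PingID desktop app do), so this is a troubleshooting aid only.
"""
import base64
import json

PSSO_SCOPE = "urn:apple:platformsso"


def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def unverified_claims(jwt: str) -> dict:
    """Payload of a compact JWS. The signature is NOT checked here."""
    header, payload, _signature = jwt.split(".")
    if json.loads(b64url_decode(header)).get("alg", "none").lower() == "none":
        raise ValueError("unsigned token (alg=none) rejected")
    return json.loads(b64url_decode(payload))


def scopes_of(claims: dict) -> set:
    """With 'Space Delimit Scope Values' off, PingFederate emits `scope` as a
    JSON array; the space-delimited string form is accepted as well."""
    scope = claims.get("scope", [])
    return set(scope.split()) if isinstance(scope, str) else set(scope)


def check_tokens(access_token: str, id_token: str, client_id: str, issuer: str) -> list:
    """Return the invariants from this page that the token pair violates."""
    at, idt = unverified_claims(access_token), unverified_claims(id_token)
    errors = []
    if at.get("client_id") != client_id:
        errors.append(f"access token client_id {at.get('client_id')!r} != {client_id!r}")
    for name, claims in (("access token", at), ("ID token", idt)):
        if claims.get("iss") != issuer:
            errors.append(f"{name} iss {claims.get('iss')!r} != {issuer!r}")
        aud = claims.get("aud", [])
        if client_id not in (aud if isinstance(aud, list) else [aud]):
            errors.append(f"{name} aud {aud!r} does not contain {client_id!r}")
    if PSSO_SCOPE not in scopes_of(at):
        errors.append(f"access token scope lacks {PSSO_SCOPE}")
    if not at.get("sub"):
        errors.append("access token has no sub claim")
    for claim in ("name", "preferred_username"):
        if not idt.get(claim):
            errors.append(f"ID token lacks the {claim} claim")
    if at.get("sub") != idt.get("preferred_username"):
        errors.append(f"access token sub {at.get('sub')!r} != ID token "
                      f"preferred_username {idt.get('preferred_username')!r}")
    return errors


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def sample_token(claims: dict) -> str:
    """Constructed token with a placeholder signature, for this example only."""
    header = b64url(json.dumps({"alg": "RS256", "kid": "example"}).encode())
    return f"{header}.{b64url(json.dumps(claims).encode())}.{b64url(b'not-a-signature')}"


CLIENT_ID, ISSUER = "psso-desktop", "https://pf.example.com"   # assumed values
GOOD_ACCESS = sample_token({"client_id": CLIENT_ID, "iss": ISSUER, "aud": CLIENT_ID,
                            "scope": ["openid", PSSO_SCOPE], "sub": "jdoe"})
GOOD_ID = sample_token({"iss": ISSUER, "aud": CLIENT_ID, "sub": "jdoe",
                        "name": "Jane Doe", "preferred_username": "jdoe"})
# Typical misconfiguration: exclusive scope not allowed on the client, audience
# left at another value, no name claim, and preferred_username mapped to e-mail.
BAD_ACCESS = sample_token({"client_id": CLIENT_ID, "iss": ISSUER, "aud": "api",
                           "scope": "openid", "sub": "jdoe"})
BAD_ID = sample_token({"iss": ISSUER, "aud": CLIENT_ID, "sub": "jdoe",
                       "preferred_username": "jane.doe@example.com"})

if __name__ == "__main__":
    print(check_tokens(GOOD_ACCESS, GOOD_ID, CLIENT_ID, ISSUER))   # []
    for finding in check_tokens(BAD_ACCESS, BAD_ID, CLIENT_ID, ISSUER):
        print("FAIL:", finding)
```

A token with `alg` set to `none` is rejected outright rather than decoded, so the helper can't be used to "inspect" a forged token into looking acceptable.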

### Configuring the Mac Platform SSO adapter

The Platform SSO adapter handles device and user registration, as well as nonce issuance and validation. It serves the registration endpoints that the PingID desktop app calls, validates attestation data from devices, and stores registration information in PingOne. It also validates the Mac's Platform SSO session, using it to sign in to native and web apps.

1. In the PingFederate admin console, go to **Authentication > IdP Adapters**.

2. Click **Create New Instance**.

3. On the **Type** tab:

   1. Enter an **Instance Name** and **Instance ID** of your choice.

   2. In the **Type** list, select **Mac Platform SSO Adapter**, and click **Next**.

4. On the **IdP Adapter** tab:

   1. (Optional) In the **Scopes** area, click **Add a new row to 'Required Bearer Access Token Scopes'** to enter any additional scopes that must be included in the access token during registration.

      > * All the scopes listed in the scopes area must be present in the access token presented during registration. If any scope is missing, the registration request fails.
      > * The adapter always requires the `urn:apple:platformsso` scope, even if it isn't listed here.

   2. Select the PingOne environment you connected to PingFederate.

   3. Select the Apple Enterprise Attestation Root CA you imported earlier.

   4. In the **Access Token Manager** list, select the ATM instance you configured.

   5. In the **Client ID of the PingID desktop app** field, enter the client ID.

   6. If you're using **Automated Device Enrollment (ADE)**, select **Show Advanced Fields** and in the **Password Credential Validator** (PCV) field, select the PCV you want to use during the Mac's setup process.

5. (Optional) To enable device enrollment without a user needing to enter a username and password, generate and enter a **Device Registration Token**:

   > * The registration token lets a device register with the IdP without the user entering their IdP credentials. Treat it as a secret: anyone who holds it can register a device.
   > * Save the token that PingFederate generates, as it appears only once.

   1. To generate a token, on the **Actions** tab, click **Generate Device Registration Token**.

   2. Copy the generated **Result Value**.

   3. Click **Previous**, and on the **IdP Adapter** tab, click **Show Advanced Fields** and enter the token into the **Device Registration Token** field.

   4. Save the registration token as you'll need to enter it in the `registrationToken` field as part of the Extensible SSO payload in the MDM. Learn more in [configuring MDM profiles](#configure-mdm-profiles).

6. On the **Extended Contract** tab, click **Next**.

7. On the **Adapter Attributes** tab, select the **Pseudonym** checkbox next to **Username**, then click **Next**.

8. On the **Adapter Contract Mapping** tab, click **Next**.

9. On the **Summary** tab, note the **Register Device Endpoint**, **Register User Endpoint**, and **Nonce User Endpoint** values. You'll need these when configuring the PingID desktop app.

   > The PingID desktop app uses these endpoints to communicate with PingFederate. Make sure the **Base URL** provided in your MDM configuration matches the base URL defined here (learn more in [configuring macOS MDM profiles](#configure-mdm-profiles)). The PingID desktop app automatically discovers the full paths based on the Base URL.

10. Click **Save**.

Learn more in [Managing IdP adapters](https://docs.pingidentity.com/pingfederate/latest/administrators_reference_guide/pf_managing_idp_adapters.html).

### Configuring the Mac Platform SSO JWT Bearer Grant Processor

During Platform SSO login, the PingID desktop app sends a signed JWT to PingFederate's token endpoint using the JWT bearer grant type. The Mac Platform SSO JWT Bearer Grant Processor validates that JWT, confirming the user and device are registered and the signatures are correct.

1. In the PingFederate admin console, go to **Authentication > OAuth > JWT Bearer Grant Processors**.

2. Click **Create New Instance** and enter an **Instance Name** and **Instance ID**.

3. In the **Type** list, select **Mac Platform SSO JWT Bearer Grant Processor**.

4. Select the Platform SSO adapter you configured earlier, and then click **Save**.

Learn more in [JWT bearer grant processors](https://docs.pingidentity.com/pingfederate/latest/administrators_reference_guide/pf_jwt_bearer_grant_processors.html).

### Configuring an IdP connection for Platform SSO

The IdP connection ties JWT bearer grant processing to PingFederate's token endpoint. When the PingID desktop app sends a Platform SSO login request, PingFederate uses this connection to process the JWT, retrieve the user's registered keys from PingOne, and issue the ID token and refresh token that macOS retains for the Platform SSO session. The private keys that sign the login JWT never leave the Mac's Secure Enclave.

1. In the PingFederate admin console, go to **Authentication > IdP Connections**.

2. Click **Create Connection**.

3. In the **Type** list, select **JWT Bearer Grant Processor**.

4. Select the JWT Bearer Grant Processor instance you configured earlier, and click **Next**.

5. In the **General Info** tab, enter the **Partner's Entity ID (Connection ID)** and **Connection Name**.

   > The connection's **Partner's Entity ID (Connection ID)** must match the client ID of the OAuth client you configured for Platform SSO.

   Learn more in [Identifying the partners](https://docs.pingidentity.com/pingfederate/latest/administrators_reference_guide/help_idpconnectionconfigtasklet_generalinfostate.html).

6. In the **JWT Bearer Grant Processor Attribute Mapping** tab, select **Configure JWT Bearer Grant Processor Attribute Mapping**.

   1. In the **Attribute Contract** tab, use the **Extend the Contract** field and the **Add** button to add relevant attributes.

   2. In the **Access Token Manager Mapping** tab, click **Create New Access Token Manager Mapping** and select the ATM that you created earlier.

      > The IdP connection must reference the same ATM instance as the OAuth client for Platform SSO and the Platform SSO adapter you configured earlier.

7. Click **Save**.

Learn more in [Managing IdP connections](https://docs.pingidentity.com/pingfederate/latest/administrators_reference_guide/pf_manag_idp_connect.html).

### Configuring an OAuth client set authentication selector

Create an OAuth client set authentication selector. The selector identifies requests from the PingID desktop app by matching its Client ID in the authentication policy.

1. In the PingFederate admin console, go to **Authentication** > **Policies** > **Selectors**, and click **Create New Instance**.

2. Enter an **Instance Name** and **Instance ID**, and in the **Type** field, select **OAuth Client Set Authentication Selector**, and then click **Next**.

3. In the **Authentication Selector** tab, click **Add a new row to 'Clients'**.

4. In the **Client ID** field, select the [OAuth client](#configure-oauth-client) you created earlier, click **Update** and then click **Save**.

### Adding the Mac Platform SSO adapter to an authentication policy

**Note:** The Mac Platform SSO adapter must be the first adapter step in your PingFederate authentication policy. If another adapter (for example, a Reference ID Adapter) precedes it, Platform SSO won't function.

Adding the Platform SSO adapter to an authentication policy is the final Platform SSO-specific step.

The following example shows the policy using the OAuth client set selector to distinguish between the initial device setup traffic and regular SSO traffic. Requests coming directly from the PingID desktop app (which only occurs during initial registration or key repair) bypass the Platform SSO adapter and flow straight to an interactive sign-on form. Standard application traffic is routed to the Platform SSO adapter first, with a fallback to the login form if a valid platform session does not exist.

1. In the PingFederate admin console, go to **Authentication** > **Policies** > **Policies**.

2. Make sure the **IdP Authentication Policies** checkbox is selected.

3. Click **Add Policy**, or select the policy you want to edit.

4. Enter a **Name** and **Description** for the policy.

5. In the **Policy** list, select **Selectors** and choose the [OAuth Client Set Authentication selector](#oauth-client-set-selector) you configured in the previous section.

6. In the **Policy** tree **Yes** branch:

   1. Select **IdP Adapters** and select the standard interactive login form adapter (for example, **CIAM Html**) to force form-based credential entry.

   2. In the adapter's **Success** path, select **Policy Contracts** and choose the target policy contract. Set the adapter's **Fail** path to **Done**.

7. Configure the **No** branch:

   1. Select **IdP Adapters** and then select your [Mac Platform SSO Adapter instance](#configure-platform-sso-adapter).

   2. In the Platform SSO adapter's **Success** path, select **Policy Contracts** and select the target policy contract.

   3. In the Platform SSO adapter's **Fail** path select **IdP Adapters**, and choose the interactive login form adapter to act as the password fallback mechanism.

   4. In the fallback form adapter's **Success** path, select **Policy Contracts** and select your target policy contract.

   5. Configure the fallback form adapter's **Fail** path to **Done**.

8. Complete the contract fulfillment mappings for all designated success paths, and then click **Save**.

#### Example

![image showing an example policy tree for Mac Platform SSO](_images/mac-platform-sso-authentication-policy.png)

Learn more in [Authentication policies](https://docs.pingidentity.com/pingfederate/latest/administrators_reference_guide/pf_authentication_policies.html).

### Next steps in PingFederate

For your users to access their apps using Platform SSO, complete the following tasks in PingFederate:

* **Configure a policy contract grant mapping**: To enable PingFederate to issue OAuth tokens, connect the authentication policy contract to the Access Token Management (ATM) instance.

  Learn more in [Managing authentication policy contract grant mapping](https://docs.pingidentity.com/pingfederate/latest/administrators_reference_guide/help_oauthsource2targetmappingtasklet_oauthapc2targetmappingsstate.html).

* **Configure a default access token mapping**: Map attributes from the policy contract into the access token so PingFederate can populate tokens at issuance.

  Learn more in [Configuring access token mapping](https://docs.pingidentity.com/pingfederate/latest/administrators_reference_guide/pf_configure_access_token_mapping.html).

* **Configure an SP connection for Platform SSO apps**: To provide PSSO-based access, each app must have an SP connection in PingFederate that references the same policy contract you configured in the authentication policy.

  Learn more in [SP connection management](https://docs.pingidentity.com/pingfederate/latest/administrators_reference_guide/pf_sp_connect_management.html).

## 3. Configuring macOS MDM profiles

You deploy macOS Platform SSO by installing the PingID desktop app and pushing a configuration profile to your Mac devices. The configuration relies on two Apple MDM payloads working together:

* **Extensible SSO payload**: registers the PingID desktop app's Platform SSO extension with macOS and provides it with the OIDC values it needs to connect to the Ping Identity IdP.

* **Associated Domains payload**: authorizes macOS to route authentication requests to the SSO extension.

To deploy the profile:

1. Sign on to your MDM portal and create a new device configuration profile.

2. Configure [payload 1](#sso-extension-payload) and [payload 2](#associated-domains-payload).

3. Assign the profile to your target Mac devices.

**Note:**

* The values shown in this section are recommended defaults. Your MDM system may present these settings through a UI form rather than requiring you to enter raw XML directly.

* The MDM attribute naming conventions listed here might vary slightly between MDM vendors.

### Payload 1: Extensible SSO (`com.apple.extensiblesso`)

This payload registers the Platform SSO extension with macOS, enables Secure Enclave authentication, and passes the Ping Identity IdP configuration to the PingID desktop app.

#### Core extension settings

| Key                                   | Data type               | Value                                      | Description                                                                                                                                                                                                                                                                  |
| ------------------------------------- | ----------------------- | ------------------------------------------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `PayloadType`                         | `<string>`              | `com.apple.extensiblesso`                  | Specifies the payload type for the SSO extension.                                                                                                                                                                                                                            |
| `ExtensionIdentifier`                 | `<string>`              | `com.pingidentity.pingid.desktop.pingssoe` | The bundle identifier of the Platform SSO extension. Must match exactly.                                                                                                                                                                                                     |
| `TeamIdentifier`                      | `<string>`              | `6U3RF4C84N`                               | The Apple Developer Team ID that signed the extension. An incorrect value prevents the extension from loading.                                                                                                                                                               |
| `AuthenticationMethod`                | `<string>`              | `UserSecureEnclaveKey`                     | The authentication method. Set to `UserSecureEnclaveKey` to use Secure Enclave-backed keys.                                                                                                                                                                                  |
| `URLs`                                | `<array>` of `<string>` | Array of URLs                              | The authentication endpoints macOS routes to the SSO extension. Enter your IdP base URL, for example: `https://platformsso.pingone.com`.                                                                                                                                     |
| `RegistrationToken`                   | `<string>`              | Enter the value from the Ping Identity IdP | (Optional) Use this token as part of the device registration with the IdP, without requiring the user to enter their IdP credentials. In PingFederate, generate the registration token as part of the [Platform SSO adapter configuration](#configure-platform-sso-adapter). |
| `PlatformSSO.AccountDisplayName`      | `<string>`              | String                                     | The display name shown to users during authentication (usually the organization name). Enter a user-friendly name.                                                                                                                                                           |
| `PlatformSSO.EnableCreateUserAtLogin` | Boolean                 | `true` or `false`                          | Set to `true` to automatically create a local macOS account at sign-on if one doesn't yet exist. The account is created using the IdP username and password.                                                                                                                 |
| `PlatformSSO.UseSharedDeviceKeys`     | Boolean                 | `true`                                     | Enables shared device key architecture required for device attestation verification. Must be set to `true`.                                                                                                                                                                  |
| `TokenToUserMapping` - Account Name   | `<string>`              | Must be set to `preferred_username`.       | This attribute represents the SSO account username when using Platform SSO. The attribute value is defined in the OIDC ID Token and sent as part of the registration flow.                                                                                                   |
| `TokenToUserMapping` - Full Name      | `<string>`              | Must be set to `name`.                     | This attribute represents the user account full name in the account registration flow. The attribute value is defined in the OIDC ID Token and sent as part of the registration flow.                                                                                        |
| `AllowDeviceIdentifiersInAttestation` | Boolean | Must be set to `true`. | Includes the device identifiers (UDID and serial number) in the device attestation, which provides strong assurance that the Mac is a genuine Apple device. |

#### ExtensionData settings

Apple uses the `ExtensionData` dictionary to pass your OIDC connection values and optional app targeting configuration directly to the PingID desktop app.

| Key                               | Data type               | Value                       | Description                                                                                                                                                                                                            |
| --------------------------------- | ----------------------- | --------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `ClientID`                        | `<string>`              | String                      | The OIDC client identifier configured in the Ping Identity IdP.                                                                                                                                                        |
| `BaseURL`                         | `<string>`              | URL                         | The base URL for all Platform SSO endpoints. For example: `https://platformsso.pingone.com`.                                                                                                                           |
| `Audience`                        | `<string>`              | String                      | The audience value used in token requests, as configured in the Ping Identity IdP. For example: `https://platformsso.pingone.com`.                                                                                     |
| `InstanceID/Environment ID`       | `<string>`              | UUID                        | A unique identifier for this Platform SSO configuration. In PingFederate, this is the UUID provided on the configured Mac Platform SSO adapter instance.                                                               |
| `AllowManagedAppsOnly` (optional) | Boolean                 | `true` or `false`           | Set to `true` to restrict Platform SSO to MDM-managed applications only. If you also configure `AppAllowList`, add your managed apps to that list as well, as `AllowManagedAppsOnly` won't automatically include them. |
| `AppAllowList` (optional)         | `<array>` of `<string>` | Array of bundle identifiers | Applications allowed to use Platform SSO. For example: `com.apple.Safari`, `com.pingidentity.myapp`. If not configured, all applications are allowed.                                                                  |
| `AppBlockList` (optional)         | `<array>` of `<string>` | Array of bundle identifiers | Applications blocked from using Platform SSO. For example: `com.example.unsupportedapp`. If the app is added to the allow list and the block list, the block list takes priority and the app is blocked.               |

#### (Optional) Automated Device Enrollment (ADE)

Activate and enforce Platform SSO during unattended Automated Device Enrollment (ADE) to run the Platform SSO registration flow as part of the initial device enrollment phase.

| Key                                | Data type | Value             | Description                                                                                                                                                                                                                                                                      |
| ---------------------------------- | --------- | ----------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `EnableRegistrationDuringSetup`    | Boolean   | `true` or `false` | Forces the Platform SSO registration sequence to execute after initial MDM device enrollment, but before the user signs in for the first time.                                                                                                                                   |
| `EnableCreateFirstUserDuringSetup` | Boolean   | `true` or `false` | Controls whether Platform SSO is allowed to create the first local macOS account during ADE by using the user attributes retrieved from the IdP. This attribute forces the insertion of the user's full name and account name, as defined in the `TokenToUserMapping` attribute. |

Example XML payload (core settings, ADE settings, and ExtensionData combined)

```xml
<dict>
    <key>AuthenticationMethod</key>
    <string>UserSecureEnclaveKey</string>
    <key>ExtensionIdentifier</key>
    <string>com.pingidentity.pingid.desktop.pingssoe</string>
    <key>PayloadType</key>
    <string>com.apple.extensiblesso</string>
    <key>TeamIdentifier</key>
    <string>6U3RF4C84N</string>
    <key>RegistrationToken</key>
    <string>YOUR_REGISTRATION_TOKEN</string>
    <key>URLs</key>
    <array>
        <string>https://platformsso.pingidentity.com</string>
    </array>
    <key>ExtensionData</key>
    <dict>
        <key>AppPolicy</key>
        <dict>
            <key>AllowManagedAppsOnly</key>
            <false/>
            <key>AppAllowList</key>
            <array>
                <string>com.apple.Safari</string>
                <string>com.example.browser</string>
            </array>
            <key>AppBlockList</key>
            <array>
                <string>com.example.unsupportedapp</string>
            </array>
        </dict>
        <key>PSSOConfiguration</key>
        <dict>
            <key>Audience</key>
            <string>https://platformsso.pingidentity.com</string>
            <key>BaseURL</key>
            <string>https://platformsso.pingidentity.com</string>
            <key>ClientID</key>
            <string>pingid_platform_sso</string>
            <key>InstanceID</key>
            <string>RQc_rSMhuXxxxxxxxxxxxxxxxxxxxxx</string>
        </dict>
    </dict>
    <key>PlatformSSO</key>
    <dict>
        <key>AccountDisplayName</key>
        <string>Ping Identity</string>
        <key>AllowDeviceIdentifiersInAttestation</key>
        <true/>
        <key>AuthenticationMethod</key>
        <string>UserSecureEnclaveKey</string>
        <key>EnableCreateFirstUserDuringSetup</key>
        <true/>
        <key>EnableRegistrationDuringSetup</key>
        <true/>
        <key>UseSharedDeviceKeys</key>
        <true/>
        <key>TokenToUserMapping</key>
        <dict>
            <key>AccountName</key>
            <string>preferred_username</string>
            <key>FullName</key>
            <string>name</string>
        </dict>
    </dict>
</dict>
```

### Payload 2: Associated Domains (`com.apple.developer.associated-domains`)

This payload authorizes macOS to route authentication traffic to the PingID desktop app's SSO extension. Without it, Safari and the system login window ignore the extension entirely.

| Key                     | Data type               | Value                                        | Description                                                                                                                                                                                                                                                                                                                                                                                                                                           |
| ----------------------- | ----------------------- | -------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `PayloadType`           | `<string>`              | `com.apple.developer.associated-domains`     | Specifies the associated domains payload type.                                                                                                                                                                                                                                                                                                                                                                                                        |
| `ApplicationIdentifier` | `<string>`              | `6U3RF4C84N.com.pingidentity.pingid.desktop` | The application identifier for PingID desktop app. This value is fixed, should be entered as shown, and must match exactly.                                                                                                                                                                                                                                                                                                                           |
| `AssociatedDomains` | `<array>` of `<string>` | Array of domains | The Fully Qualified Domain Name (FQDN) of the identity provider that triggers the SSO extension for authentication. Enter each domain using the `authsrv` prefix followed by the host domain, in the format `authsrv:<your-ping-host>`. Add one entry per domain your deployment uses. Don't include `https://` or any trailing slashes. For example, if your IdP Base URL is `https://pf.example.com`, the required value is `authsrv:pf.example.com`. |

Example XML payload

```xml
<dict>
  <key>PayloadType</key>
  <string>com.apple.developer.associated-domains</string>
  <key>Configuration</key>
  <array>
    <dict>
      <key>ApplicationIdentifier</key>
      <string>6U3RF4C84N.com.pingidentity.pingid.desktop</string>
      <key>AssociatedDomains</key>
      <array>
        <string>authsrv:platformsso.pingone.com</string>
      </array>
    </dict>
  </array>
</dict>
```
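Before pushing the profile, it helps to check both payloads against the fixed values and rules in the two tables above (fixed `ExtensionIdentifier`, `TeamIdentifier` and `ApplicationIdentifier`; `UserSecureEnclaveKey`; shared device keys and device identifiers in attestation enabled; the `TokenToUserMapping` claims; the `authsrv:<host>` form of each associated domain, cross-checked against the `BaseURL` host in `ExtensionData`; and the documented `AppBlockList` over `AppAllowList` precedence). The script below is an added example, not Ping Identity or Apple code: it parses the payload XML with Python's `plistlib`, and the two embedded payloads are constructed samples in which the host `pf.example.com`, the client ID `pingid_platform_sso` and the `InstanceID` value are placeholders.

```python
"""Pre-deployment checks for the Extensible SSO and Associated Domains payloads.
Added example, not Ping Identity or Apple code. The sample XML is constructed:
pf.example.com, the client ID and the InstanceID are placeholders."""
import plistlib
from urllib.parse import urlparse

EXTENSION_ID = "com.pingidentity.pingid.desktop.pingssoe"  # fixed value from the table
TEAM_ID = "6U3RF4C84N"                                       # fixed value from the table
APP_ID = f"{TEAM_ID}.com.pingidentity.pingid.desktop"        # fixed value from the table

# Constructed Extensible SSO payload, same structure as the page's XML example.
EXTENSIBLE_SSO_XML = b"""<plist version="1.0"><dict>
<key>PayloadType</key><string>com.apple.extensiblesso</string>
<key>ExtensionIdentifier</key><string>com.pingidentity.pingid.desktop.pingssoe</string>
<key>TeamIdentifier</key><string>6U3RF4C84N</string>
<key>AuthenticationMethod</key><string>UserSecureEnclaveKey</string>
<key>URLs</key><array><string>https://pf.example.com</string></array>
<key>ExtensionData</key><dict>
  <key>AppPolicy</key><dict><key>AllowManagedAppsOnly</key><false/>
    <key>AppAllowList</key><array><string>com.apple.Safari</string></array>
    <key>AppBlockList</key><array><string>com.example.unsupportedapp</string></array></dict>
  <key>PSSOConfiguration</key><dict>
    <key>Audience</key><string>https://pf.example.com</string>
    <key>BaseURL</key><string>https://pf.example.com</string>
    <key>ClientID</key><string>pingid_platform_sso</string>
    <key>InstanceID</key><string>INSTANCE_ID_PLACEHOLDER</string></dict>
</dict>
<key>PlatformSSO</key><dict>
  <key>AccountDisplayName</key><string>Example Org</string>
  <key>AllowDeviceIdentifiersInAttestation</key><true/>
  <key>UseSharedDeviceKeys</key><true/>
  <key>TokenToUserMapping</key><dict><key>AccountName</key><string>preferred_username</string>
    <key>FullName</key><string>name</string></dict>
</dict></dict></plist>"""

# Constructed Associated Domains payload for the same IdP host.
ASSOCIATED_DOMAINS_XML = b"""<plist version="1.0"><dict>
<key>PayloadType</key><string>com.apple.developer.associated-domains</string>
<key>Configuration</key><array><dict>
  <key>ApplicationIdentifier</key><string>6U3RF4C84N.com.pingidentity.pingid.desktop</string>
  <key>AssociatedDomains</key><array><string>authsrv:pf.example.com</string></array>
</dict></array></dict></plist>"""


def check_extensible_sso(p: dict) -> list[str]:
    """Return findings for the com.apple.extensiblesso payload; [] means it passes."""
    findings = []
    fixed = {"PayloadType": "com.apple.extensiblesso", "ExtensionIdentifier": EXTENSION_ID,
             "TeamIdentifier": TEAM_ID, "AuthenticationMethod": "UserSecureEnclaveKey"}
    for key, want in fixed.items():
        if p.get(key) != want:
            findings.append(f"{key} must be {want!r}, got {p.get(key)!r}")
    psso = p.get("PlatformSSO", {})
    for key in ("UseSharedDeviceKeys", "AllowDeviceIdentifiersInAttestation"):
        if psso.get(key) is not True:  # both must be true for device attestation
            findings.append(f"PlatformSSO.{key} must be true")
    mapping = psso.get("TokenToUserMapping", {})
    if mapping.get("AccountName") != "preferred_username" or mapping.get("FullName") != "name":
        findings.append("TokenToUserMapping must map AccountName=preferred_username, FullName=name")
    ext = p.get("ExtensionData", {})
    for key in ("ClientID", "BaseURL", "Audience", "InstanceID"):
        if not ext.get("PSSOConfiguration", {}).get(key):
            findings.append(f"ExtensionData.PSSOConfiguration.{key} is missing")
    policy = ext.get("AppPolicy", {})
    for bundle in sorted(set(policy.get("AppAllowList", [])) & set(policy.get("AppBlockList", []))):
        findings.append(f"{bundle} is on both AppAllowList and AppBlockList; the block list wins")
    return findings


def check_associated_domains(p: dict, base_url: str) -> list[str]:
    """Check the associated-domains payload and cross-check it against the IdP BaseURL."""
    findings = []
    if p.get("PayloadType") != "com.apple.developer.associated-domains":
        findings.append("PayloadType must be com.apple.developer.associated-domains")
    idp_host = urlparse(base_url).hostname
    for entry in p.get("Configuration", []):
        if entry.get("ApplicationIdentifier") != APP_ID:
            findings.append(f"ApplicationIdentifier must be {APP_ID}")
        for dom in entry.get("AssociatedDomains", []):
            if not dom.startswith("authsrv:") or "://" in dom or dom.endswith("/"):
                findings.append(f"{dom!r}: use authsrv:<host> with no scheme and no trailing slash")
            elif dom[len("authsrv:"):] != idp_host:
                findings.append(f"{dom!r} does not match the ExtensionData BaseURL host {idp_host!r}")
    return findings


def is_app_allowed(bundle_id: str, policy: dict, managed: bool) -> bool:
    """Documented precedence: AppBlockList wins, then AllowManagedAppsOnly, then AppAllowList."""
    if bundle_id in policy.get("AppBlockList", []):
        return False
    if policy.get("AllowManagedAppsOnly") and not managed:
        return False
    allow = policy.get("AppAllowList")
    return not allow or bundle_id in allow


def check_profile(sso_xml: bytes, domains_xml: bytes) -> list[str]:
    """Parse both payloads and return the combined findings ([] when both pass)."""
    sso, domains = plistlib.loads(sso_xml), plistlib.loads(domains_xml)
    base_url = sso.get("ExtensionData", {}).get("PSSOConfiguration", {}).get("BaseURL", "")
    return check_extensible_sso(sso) + check_associated_domains(domains, base_url)
```

Run `check_profile(EXTENSIBLE_SSO_XML, ASSOCIATED_DOMAINS_XML)` against the XML you export from your MDM; an empty list means both payloads meet the documented values, and each string in the list names the key to fix. `is_app_allowed` models the app policy rules from the `ExtensionData` table so you can confirm, before deployment, which bundle identifiers the allow and block lists will actually admit.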

## Verifying the deployment

To verify deployment is complete, confirm each of the following after you push the MDM profiles to your devices.

### Device and user registration

* The PingID desktop app registers the device successfully.

* The device and user registration flow completes successfully.

* (ADE flow only) Local account creation completes successfully.

* Platform SSO registration completes successfully: in the **Settings > Users & Groups > User > Platform Single Sign-on** section, check that both **Registration** and **Tokens** show a green icon.

### SSO behavior

* Native app SSO authentication completes successfully: apps that use the SSO extension obtain tokens without prompting the user to sign on again.

* Safari SSO authentication completes successfully: browser-initiated authorization flows authenticate through the extension rather than presenting the user with a sign-on form.

## User experience

The following video demonstrates the unattended Automated Device Enrollment (ADE) flow for the end user.

**Video:** [platform_sso_example.mp4](_images/platform_sso_example.mp4)
