The macOS Platform single sign-on (PSSO) is a capability on macOS that is enabled using the [Microsoft Enterprise Single Sign-on Extension](../../identity-platform/apple-sso-plugin.md). Platform SSO enables users to Entra join their macOS devices and sign in using a hardware-bound key, smart card, or their Microsoft Entra ID password through a PSSO Primary Refresh Token (PRT).
In addition to the PSSO PRT, Microsoft Entra also issues both on-premises and cloud-based Kerberos Ticket Granting Tickets (TGTs) which are then shared with the native Kerberos stack in macOS via TGT mapping in PSSO. Customers have the flexibility to determine how these TGTs are utilized in their environment and can configure either the Kerberos SSO extension file accordingly. The Kerberos SSO extension, owned and maintained by Apple, is designed to provide seamless single sign-on for Kerberos-based resources on macOS. For any help needed with Kerberos sso extension configuration, please engage with Apple.
This tutorial illustrates how to leverage Platform SSO TGT to support Kerberos-based SSO to on-premises and cloud resources, in addition to SSO to Microsoft Entra ID. Kerberos SSO is an optional capability within Platform SSO, but it's recommended if users still need to access on-premises Active Directory resources that use Kerberos for authentication.
The macOS Platform single sign-on (PSSO) is a capability on macOS that is enabled using the [Microsoft Enterprise Single Sign-on Extension](../../identity-platform/apple-sso-plugin.md). Platform SSO enables users to Entra join their macOS devices and sign in using a hardware-bound key, smart card, or their Microsoft Entra ID password through a PSSO Primary Refresh Token (PRT).
In addition to the PSSO PRT, Microsoft Entra also issues both on-premises and cloud-based Kerberos Ticket Granting Tickets (TGTs) which are then shared with the native Kerberos stack in macOS via TGT mapping in PSSO. Customers have the flexibility to determine how these TGTs are utilized in their environment and can configure either the Kerberos SSO extension file accordingly. The Kerberos SSO extension, owned and maintained by Apple, is designed to provide seamless single sign-on for Kerberos-based resources on macOS. For any help needed with Kerberos SSO extension configuration, please engage with Apple.
This tutorial illustrates how to leverage Platform SSO TGT to support Kerberos-based SSO to on-premises and cloud resources, in addition to SSO to Microsoft Entra ID. Kerberos SSO is an optional capability within Platform SSO, but it's recommended if users still need to access on-premises Active Directory resources that use Kerberos for authentication.