app-sso — A tool
used to control and get information about the Kerberos SSO
extension.
app-sso |
[kerberos|platform] [command]
Kerberos Commands (default mode):
-a,
--authenticate REALM
[options ...]-
-u,
--username
USERNAME-f,
--force-q,
--quiet
-d,
--logout REALM-c,
--changepassword
REALM-l,
--listrealms-i,
--realminfo REALM-
-v,
--verbose
-i,
--sitecode REALM-
-v,
--verbose
-r,
--reset REALM-k,
--keychainoption
REALM-j,
--json REALM-h,
--help REALM
Platform SSO Commands:
-m,
--messages-s,
--state
|
app-sso is used to control and get
information about both the Kerberos Single Sign-on (SSO) extension and
Platform SSO via the command line.
In Kerberos mode (default), the tool controls the Kerberos SSO
extension which simplifies using Kerberos authentication with an Active
Directory based Kerberos realm. It also allows the user to use Active
Directory specific functions such as password changes and password
expiration notifications.
In Platform SSO mode, the tool provides diagnostic information
about the current Platform SSO state and configuration, and can display
sample messages using the current configuration.
Note that app-sso cannot be used to
completely configure either the Kerberos SSO extension or Platform SSO.
Configuration requires a user approved MDM enrollment, as well as an MDM
solution that can build and deliver an appropriately configured Extensible
SSO configuration profile payload. See your MDM vendor's documentation for
additional information.
-a,
--authenticate REALM- Display the login dialog for the specified realm, or if the user has
already configured the Kerberos SSO extension, acquire a new credential.
Returns success upon acquiring a new credential or if the user already has
a valid credential.
-u,
--username- The username for authentication. The user will not be able to change
this username on the login screen.
-f,
--force- Display the login screen even if the user is already
authenticated.
-q,
--quiet- Suppress the information that is normally printed after
authentication.
-d,
--logout REALM- Logs out any user logged into the specified realm.
-c,
--changepassword REALM- Displays the "Change Password" dialog for the specified
realm.
-l,
--listrealms- Prints the list of configured realms.
-i,
--realminfo REALM- Print information about the currently configured realm. This includes
information such as the current site code, network home directory and date
the user's password expires.
-v,
--verbose- Print the complete site code cache in the results.
-s,
--sitecode REALM- Perform a site lookup for the specified realm.
-v,
--verbose- Print the complete site code cache in the results.
-r,
--reset [REALM]- Reset the cache for the specified realm. If a realm isn't specified, reset
caches for all realms.
-k,
--keychainoption REALM- Resets the "login automatically" option for the specified
realm.
-p,
--proceedusersetup REALM- Allow user setup to proceed if you are using "delayUserSetup" in
your configuration profile.
-t,
--sharedsettings REALM- Prints the kerberos settings that are shared with other processes for the
specified realm. For diagnostic purposes only, not intended for
scripting.
-j,
--json- Format the output of this command as JSON instead of property list
format.
-h,
--help- Print a synopsis of the above document.
-m,
--messages- Display sample messages using the current Platform SSO configuration. This
command is useful for testing and diagnostic purposes to verify that
Platform SSO is properly configured and can generate authentication
messages.
-s,
--state- Display the current Platform SSO state and configuration. This includes
information about device configuration, login configuration, user
configuration, and SSO token status including received and expiration
dates. For diagnostic purposes only, not intended for scripting.
- Print infomation about the PRETENDCO.COM realm:
- app-sso -i PRETENDCO.COM
- Authenticate to the PRETENDCO.COM realm as jappleseed:
- app-sso -a PRETENDCO.COM -u jappleseed
- Display Platform SSO state and configuration:
- app-sso platform -s
- Display Platform SSO test messages:
- app-sso platform -m
- startInSmartCardMode
- The default behavior of the KerberosExtension is to start in the UI mode
last used by the user. To force it to start in SmartCard mode, run this
defaults command:
defaults write
com.apple.AppSSOKerberos.KerberosExtension startInSmartCardMode -bool
true
- allowSmartCard
-
The default behavior of the KerberosExtension is to show both password and
SmartCard authentication in the UI. To hide SmartCards, run this defaults
command:
defaults write
com.apple.AppSSOKerberos.KerberosExtension allowSmartCard -bool
false
- allowPassword
-
The default behavior of the KerberosExtension is to show both password and
SmartCard authentication in the UI. To hide passwords, run this defaults
command:
defaults write
com.apple.AppSSOKerberos.KerberosExtension allowPassword -bool
false
- identityIssuerAutoSelectFilter
-
The default behavior of the KerberosExtension is to auto select an
available identity if one is available. If more than one is available,
then the identityIssuerAutoSelectFilter can be used to filter the issuer
names. If one is left, then it will be auto selected. The value should
include any wild cards. To enable it, run this defaults command with the
correct filter value:
defaults write com.apple.AppSSOKerberos.KerberosExtension identityIssuerAutoSelectFilter 'Apple CA*'