NAME

app-sso is used to control and get information about the Kerberos Single Sign-on (SSO) extension via the command line. The Kerberos SSO extension simplifies using Kerberos authentication with an Active Directory based Kerberos realm. It also allows the user to use Active Directory specific functions such as password changes and password expiration notifications.

Note that app-sso cannot be used to completely configure the Kerberos SSO extension. Configuring the Kerberos SSO extension requires a user approved MDM enrollment, as well as an MDM solution that can build and deliver an appropriately configured Extensible SSO configuration profile payload. See your MDM vendor's documentation for additional information.

COMMANDS

-a, --authenticate REALM

Display the login dialog for the specified realm, or if the user has already configured the Kerberos SSO extension, acquire a new credential. Returns success upon acquiring a new credential or if the user already has a valid credential.

-u, --username: The username for authentication. The user will not be able to change this username on the login screen.
-f, --force: Display the login screen even if the user is already authenticated.
-q, --quiet: Suppress the information that is normally printed after authentication.

-d, --logout REALM

Logs out any user logged into the specified realm.

-c, --changepassword REALM

Displays the "Change Password" dialog for the specified realm.

-l, --listrealms

Prints the list of configured realms.

-i, --realminfo REALM

Print information about the currently configured realm. This includes information such as the current site code, network home directory and date the user's password expires.

-v, --verbose: Print the complete site code cache in the results.

-s, --sitecode REALM

Perform a site lookup for the specified realm.

-v, --verbose: Print the complete site code cache in the results.

-r, --reset [REALM]

Reset the cache for the specified realm. If a realm isn't specified, reset caches for all realms.

-k, --keychainoption REALM

Resets the "login automatically" option for the specified realm.

-p, --proceedusersetup REALM

Allow user setup to proceed if you are using "delayUserSetup" in your configuration profile.

-t, --sharedsettings REALM

Prints the kerberos settings that are shared with other processes for the specified realm. For diagnostic purposes only, not intended for scripting.

-j, --json

Format the output of this command as JSON instead of property list format.

-h, --help

Print a synopsis of the above document.

EXAMPLES

Print infomation about the PRETENDCO.COM realm:: app-sso -i PRETENDCO.COM
Authenticate to the PRETENDCO.COM realm as jappleseed:: app-sso -a PRETENDCO.COM -u jappleseed

Kerberos Extension UI Options

startInSmartCardMode: The default behavior of the KerberosExtension is to start in the UI mode last used by the user. To force it to start in SmartCard mode, run this defaults command:

defaults write com.apple.AppSSOKerberos.KerberosExtension startInSmartCardMode -bool true

allowSmartCard: The default behavior of the KerberosExtension is to show both password and SmartCard authentication in the UI. To hide SmartCards, run this defaults command:

defaults write com.apple.AppSSOKerberos.KerberosExtension allowSmartCard -bool false

allowPassword: The default behavior of the KerberosExtension is to show both password and SmartCard authentication in the UI. To hide passwords, run this defaults command:

defaults write com.apple.AppSSOKerberos.KerberosExtension allowPassword -bool false

identityIssuerAutoSelectFilter

The default behavior of the KerberosExtension is to auto select an available identity if one is available. If more than one is available, then the identityIssuerAutoSelectFilter can be used to filter the issuer names. If one is left, then it will be auto selected. The value should include any wild cards. To enable it, run this defaults command with the correct filter value:

defaults write com.apple.AppSSOKerberos.KerberosExtension identityIssuerAutoSelectFilter 'Apple CA*'