This article reviews how to troubleshoot and verify the correct integration of the Okta Single Sign-On (SSO) Extension for macOS.
The SSO Extension allows requests to be forwarded from the browser or app to Okta Verify. The SSO Extension provides a more seamless end-user login experience, as users will not receive the "Open Okta Verify" browser prompt.
The SSO Extension is required to provide a seamless end-user login experience with Okta Verify FastPass for Managed Devices in Safari and in-app browsers. It also provides authentication with phishing-resistant properties in the authentication flow.
- Okta Identity Engine (OIE)
- Device Management
- Single Sign-On Extension
- macOS
- Mobile Device Management
- FastPass login user experience
How to implement the Okta SSO Extension
For comprehensive implementation instructions, see Step 4 from the configuration workflow in the manual for "Configure management attestation for desktop devices".
The "Configure an SSO extension on managed macOS devices" section provides a step-by-step guide on how to configure and deploy Single Sign-On Extensions with an MDM Configuration Profile.
Verifying that the Okta SSO Extension is registered with the system
Use this process to confirm the SSO Extension was successfully deployed and registered:
- Graphical User Interface (GUI)
  To validate that the SSO extension is registered in the GUI:
  - From Applications or otherwise, open System Settings > Privacy and Security.
  - Under the section Other, choose Profiles.
  - If the SSO Extension is deployed correctly, there will be an entry for the Okta Verify SSO Extension.
  - NOTE: Be sure to verify the Hosts configuration and ensure that the extension values accurately reflect the correct Okta subdomains that end-users will access.
- Terminal command
  - Open the Terminal app from Apps > Utilities.
  - Run the following command to see if the SSO extension was registered with the system:
    pluginkit -m | grep -i auth-service-extension
SSO Extension Logs
When the Okta Verify SSO Extension is successfully deployed to a macOS device, there will be logs for the SSO extension in the standard macOS Log Directory:
~/Library/Group\ Containers/B7F62B65BN.group.okta.macverify.shared/Logs
- For more information on log collection and navigation details, see Collect Okta Verify Logs from Desktop (macOS / Windows).
Logs for the SSO extensions will be labeled with a naming convention similar to com.okta.mobile.auth-service-extension.
Collecting SSO Extension Logs From The Console App For Troubleshooting
When the SSO Extension is suspected of errant behavior, including user-experience issues, it may be necessary to collect logs for deeper inspection. To collect SSO Extension logs for troubleshooting:
- Open the Console app from Apps > Utilities.
- Click Start in the console.
- Open Safari (or an app with an embedded browser that would need the SSO Extension), and attempt a login or reproduction.
- Click Pause in the console.
- In the Search field in the upper right corner of the console window, search for com.okta.mobile.auth-service-extension.
  - NOTE: Console logs may be filtered in many ways. The search string above limits the results to entries that contain the Okta SSO extension's name, which is important to keep in mind when reviewing the output. Alternate filters may be provided if working with Okta Support.
- Click any of the messages filtered with the search string above, press Command + A to select all, and then select the Share button.
- Logs may be saved to the Notes app or sent using any of the other options, as best suits the use case.
- If Okta Support requested SSO Extension logs, attach the saved output to the support ticket.
NOTE: To confirm the Okta SSO Extension has loaded, once logs are generated, there will be a log entry advising:
[SOExtensionManager loadedExtensionWithBundleIdentifer:] com.okta.mobile.auth-service-extension
How to reset the SSO extension
In some instances, it may become necessary to reset the SSO extension. For example:
- Remove a suspected malfunctioning extension to reload it.
- The extension config is updated on MDM, but is not updated on the device.
SSO Extension status may be confirmed as registered with the "pluginkit" command above.
- Delete the app from the application folder.
- Restart the device.
- Check again with the "pluginkit" command to ensure that the Okta SSO extension is not listed anymore.
- Install the new version of the app.
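The registration check, the "loaded" log entry and the post-reset check described above can be combined into one repeatable pass/fail script. This is an added example, not Okta's tooling: the function names, return codes and the constructed sample line are assumptions, while the extension name, the grep pattern and the log entry come from this article.

```shell
#!/bin/sh
# Added example (not Okta tooling). Extension name and log entry are from the article.
EXT_ID="com.okta.mobile.auth-service-extension"
LOADED_MARK="loadedExtensionWithBundleIdentifer:] $EXT_ID"

# Reads `pluginkit -m` output on stdin; prints matching lines, fails if none.
sso_ext_registered() {
    grep -i "auth-service-extension"
}

# Reads exported Console text on stdin; succeeds if the "loaded" entry is present.
sso_ext_loaded() {
    grep -qF "$LOADED_MARK"
}

# sso_ext_check STAGE PLUGINKIT_FILE [CONSOLE_FILE]   (hypothetical helper)
#   deployed: extension must be listed; returns 2 if a log is given without a load entry.
#   removed:  after deleting the app and restarting, it must NOT be listed.
sso_ext_check() {
    stage=$1 pk=$2 log=${3:-}
    if sso_ext_registered <"$pk" >/dev/null; then listed=yes; else listed=no; fi
    case "$stage:$listed" in
        deployed:no) echo "FAIL: extension not registered"; return 1 ;;
        removed:yes) echo "FAIL: extension still registered"; return 1 ;;
        removed:no)  echo "OK: extension no longer registered"; return 0 ;;
    esac
    if [ -n "$log" ] && ! sso_ext_loaded <"$log"; then
        echo "WARN: registered, but no load entry in log"; return 2
    fi
    echo "OK: extension registered"
}

if command -v pluginkit >/dev/null 2>&1; then
    # On a Mac: check the live system; pass "removed" as $1 after a reset.
    tmp=$(mktemp); pluginkit -m >"$tmp"; sso_ext_check "${1:-deployed}" "$tmp"; rm -f "$tmp"
else
    # Elsewhere: run against a constructed sample line (placeholder version).
    tmp=$(mktemp)
    printf '     %s(0.0.0)\n' "$EXT_ID" >"$tmp"
    sso_ext_check deployed "$tmp"; rm -f "$tmp"
fi
```

To include the load check, export the Console messages to a text file and pass it as the third argument to `sso_ext_check`.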
