The Okta Single Sign-On (SSO) Extension for macOS forwards requests from a browser or application to Okta Verify, preventing the "Open Okta Verify" browser prompt and providing a seamless end-user login experience. Administrators must verify the correct integration of the Okta SSO Extension for macOS to ensure Okta Verify FastPass functions correctly for managed devices. Review the implementation, verify the registration, collect logs, and reset the extension to troubleshoot issues with the Okta SSO Extension.

The following image displays the prompt that appears when the Okta SSO Extension is not configured correctly.

• Okta Identity Engine (OIE)
• Device Management
• Single Sign-On (SSO) Extension
• macOS
• Mobile Device Management (MDM)
• Okta FastPass

How is the Okta SSO Extension implemented?

Review Step 4 in the configuration workflow for comprehensive implementation instructions on configuring management attestation for desktop devices. The Configure an SSO extension on managed macOS devices documentation provides a step-by-step guide on configuring and deploying SSO Extensions with Mobile Device Management (MDM) configuration profiles.

How is the Okta SSO Extension registration verified?

Verify the Okta SSO Extension registration using the macOS Graphical User Interface (GUI) or the Terminal application.

How is the registration verified using the Graphical User Interface?

Navigate through the macOS system settings to locate the Okta Verify SSO Extension profile and verify the host configuration.

1. Open System Settings, and select Privacy and Security.
2. Choose Profiles under the Other section.

The following image displays the Profiles menu in the macOS System Settings.

3. Locate the entry for the Okta Verify SSO Extension to confirm successful deployment.
   • NOTE: Verify the Hosts configuration and ensure that the extension values accurately reflect the correct Okta subdomains that end-users access.

The following image displays the Okta Verify SSO Extension profile details.

How is the registration verified using the Terminal application?

Execute a command in the macOS Terminal to check the system registration status of the authentication service extension.

1. Open the Terminal application from Apps, and select Utilities.
2. Run the following command to determine if the SSO extension is registered with the macOS system:

   pluginkit -m | grep -i auth-service-extension

The following image displays the expected output of the pluginkit command in the Terminal.

Where are the Okta SSO Extension logs located?

When the Okta Verify SSO Extension deploys successfully to a macOS device, Okta generates logs for the SSO extension in the standard macOS log directory.

• ~/Library/Group\ Containers/B7F62B65BN.group.okta.macverify.shared/Logs
• Review Collect Okta Verify Logs from Desktop (macOS / Windows) for more information on log collection and navigation details.

The SSO extension logs use a naming convention similar to com.okta.mobile.auth-service-extension.

The following image displays the standard macOS log directory containing the Okta SSO extension logs.

How are Okta SSO Extension logs collected from the Console application?

Collect logs from the macOS Console application for deeper inspection when troubleshooting errant behavior with the Okta SSO Extension. Open the Console application, reproduce the issue in a browser, filter the logs for the Okta extension, and export the results.

1. Open the Console application from Apps, and select Utilities.
2. Select Start in the console.
3. Open Safari or an application with an embedded browser that requires the SSO Extension, and attempt a login to reproduce the issue.
4. Select Pause in the console.
5. Enter com.okta.mobile.auth-service-extension in the Search field in the upper right corner of the console window.
   • NOTE: The Console application filters logs in many ways. The search command filters logs to those containing entries for the Okta SSO extension by name. Okta Support may provide alternate filters during troubleshooting.

6. Select any of the filtered messages, press Command + A to select all, and select Share.
7. Save the logs to the Notes application or send them using another preferred method.

The following image displays the process of exporting filtered logs from the Console application.

8. Provide the saved output to the support ticket if Okta Support requests the SSO Extension logs.

NOTE: A specific log entry confirms that the Okta SSO Extension loaded successfully after generating the logs. Look for the following entry: [SOExtensionManager loadedExtensionWithBundleIdentifer:] com.okta.mobile.auth-service-extension

The following image displays the log entry confirming the Okta SSO Extension loaded successfully.

How is the Okta SSO Extension reset?

Administrators must reset the Okta SSO Extension to reload a malfunctioning extension or to force an MDM configuration update on the device. Delete the application, restart the device, verify the removal, and reinstall the application to reset the Okta SSO Extension.

1. Delete the Okta Verify application from the application folder.
2. Restart the macOS device.
3. Run the pluginkit -m | grep -i auth-service-extension command in the Terminal application to ensure the Okta SSO extension no longer appears.
4. Install the new version of the Okta Verify application.