Mobile Jon's Blog

Okta Desktop Password Sync Delivers Platform SSO to MacOS

Back in 2022, I wrote about a neat announcement called Platform SSO. The road to delivering it has been SO DAMN LONG for many vendors. Finally, in the second half of 2023, we are starting to see vendors deliver what I dub Enterprise Connect 2.0 (one could argue it would really be Enterprise Connect 3.0, but you know). Okta has finally released its Platform SSO product, called Desktop Password Sync (I’ll leave the questionable marketing on the name alone). Come on, you definitely could have called it Desktop SSO for MacOS (they already have “Agentless Desktop SSO”, but I digress!).

Today, we’re going to cover the architecture briefly, installing the app inside of Okta, deploying the MDM configurations for both Intune and Workspace ONE, the user onboarding experience, and the user login experience (as that is what it’s really about). It should be a fun ride, so let’s get moving!

Okta Desktop Password Sync Architecture

The architecture itself isn’t super complicated. Desktop Password Sync has two aspects: (1) registration and (2) authentication.

In the registration flow, a few things actually happen. This is driven by the MacOS SSO extension, which we will walk through later on:

  1. The Mac generates two public/private key pairs (signing and encryption).
    • The private keys are stored locally on the Mac and managed by the Platform SSO process.
    • The public keys are shared with the SSO extension.
  2. The SSO extension enrolls the public keys with Okta’s cloud while building a relationship between the local user account and the user’s Okta account.
    • This sync process works similarly to Enterprise Connect, allowing authentication at the login window with Okta credentials.

As you can see in the diagram, registration occurs between the device and the Desktop Password Sync app in the Okta cloud. After authenticating, the user enrolls in Okta FastPass, which registers the keys mentioned above and completes the registration process. Once done, the user will be prompted to authenticate.

Okta Desktop Password Sync registration diagram

Let’s check out a video demo of that experience now:

The OS itself drives the authentication process, as you can see below. The Platform SSO protocol is used to communicate with Okta. The basics are essentially:

  1. The Mac requests a nonce from the Okta server.
  2. The OS builds a JWT (JSON Web Token) signed with the device signing key, containing the username/password and the nonce.
  3. The JWT is sent via POST to the token endpoint, and Okta validates the credentials along with the signature.
  4. Okta sends back a JWE (JSON Web Encryption) token encrypted with the device encryption key.
  5. The Mac decrypts and validates the response, updates the local account password to keep it in sync, and saves the token.

Okta Desktop Password Sync authentication flow
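To make those five steps concrete, here is an added example (my own Python model, not Okta’s or Apple’s code) of both sides of the exchange. It uses HS256 with a key shared at registration in place of the device’s asymmetric signing key, and it leaves out the JWE encryption of step 4 because the standard library has no JWE; the nonce lifetime, claim names and error codes are assumptions. What it does show is the ordering the Okta side needs: signature first, single-use nonce second, credentials last, so a captured JWT cannot be replayed and one nonce cannot be reused to guess passwords.

```python
"""Model of the Desktop Password Sync authentication exchange (steps 1-5 above).

Added example, not Okta or Apple code. Assumptions the page does not state:
HS256 (HMAC with a key shared at registration) stands in for the device's
asymmetric signing key so this runs on a stock Python install (the real
protocol gives Okta only the device's public key); the JWE response of step 4
is not modelled, so the server returns a plain dict; nonce lifetime, claim
names and error codes are made up for the example.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time

NONCE_TTL_SECONDS = 60  # assumed; the page gives no lifetime


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class OktaSide:
    """Server role: issues nonces, verifies the device-signed JWT, checks credentials."""

    def __init__(self, device_keys: dict, passwords: dict):
        self.device_keys = device_keys  # device id -> key registered at enrolment
        self.passwords = passwords      # username -> password (stand-in for Okta's directory)
        self.nonces = {}                # nonce -> issue time; removed on first use

    def issue_nonce(self) -> str:  # step 1
        nonce = secrets.token_urlsafe(16)
        self.nonces[nonce] = time.time()
        return nonce

    def token_endpoint(self, jwt: str) -> dict:  # step 3
        parts = jwt.split(".")
        if len(parts) != 3:
            return {"ok": False, "error": "malformed"}
        head_b64, body_b64, sig_b64 = parts
        header = json.loads(b64url_decode(head_b64))
        claims = json.loads(b64url_decode(body_b64))
        # Signature must verify under the key registered for this device.
        key = self.device_keys.get(header.get("kid"))
        if key is None:
            return {"ok": False, "error": "unknown_device"}
        expected = hmac.new(key, f"{head_b64}.{body_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
            return {"ok": False, "error": "bad_signature"}
        # Nonce must be one we issued, unexpired and never seen before. It is
        # consumed even when the password is wrong, so one nonce cannot be
        # replayed to guess passwords.
        issued = self.nonces.pop(claims.get("nonce"), None)
        if issued is None or time.time() - issued > NONCE_TTL_SECONDS:
            return {"ok": False, "error": "bad_nonce"}
        # Only now are the credentials carried in the JWT checked.
        if self.passwords.get(claims.get("username")) != claims.get("password"):
            return {"ok": False, "error": "bad_credentials"}
        return {"ok": True, "username": claims["username"]}


class MacSide:
    """Client role: builds the signed JWT and keeps the local account password in sync."""

    def __init__(self, device_id: str, signing_key: bytes, local_password: str):
        self.device_id, self.signing_key, self.local_password = device_id, signing_key, local_password

    def build_jwt(self, nonce: str, username: str, password: str) -> str:  # step 2
        header = b64url(json.dumps({"alg": "HS256", "typ": "JWT", "kid": self.device_id}).encode())
        claims = b64url(json.dumps({"username": username, "password": password,
                                    "nonce": nonce, "iat": int(time.time())}).encode())
        sig = hmac.new(self.signing_key, f"{header}.{claims}".encode(), hashlib.sha256).digest()
        return f"{header}.{claims}.{b64url(sig)}"

    def login(self, okta: OktaSide, username: str, password: str) -> dict:
        result = okta.token_endpoint(self.build_jwt(okta.issue_nonce(), username, password))
        if result["ok"]:
            self.local_password = password  # step 5: local account now matches Okta
        return result


def demo() -> dict:
    """Constructed scenario: a registered Mac logs in, then a replay and a forgery are rejected."""
    key = secrets.token_bytes(32)
    okta = OktaSide({"mac-01": key}, {"jon@company.com": "NewOktaPassw0rd!"})
    mac = MacSide("mac-01", key, local_password="OldLocalPassw0rd")
    first = mac.login(okta, "jon@company.com", "NewOktaPassw0rd!")
    jwt = mac.build_jwt(okta.issue_nonce(), "jon@company.com", "NewOktaPassw0rd!")
    okta.token_endpoint(jwt)                         # consumes the nonce
    replay = okta.token_endpoint(jwt)                # same JWT sent again
    rogue = MacSide("mac-01", secrets.token_bytes(32), "n/a")  # wrong key, real device id
    forged = okta.token_endpoint(rogue.build_jwt(okta.issue_nonce(), "jon@company.com", "NewOktaPassw0rd!"))
    return {"first": first, "synced_password": mac.local_password,
            "replay": replay["error"], "forged": forged["error"]}
```

Calling demo() returns the successful first login, the local password after the sync in step 5, and the error codes for the replayed and the forged JWT. Note that the replay fails on the nonce, not the signature: the signature is perfectly valid the second time too, which is exactly why the nonce has to be single-use.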

Now, let’s check out a demo of the user experience at login:

Installing the Okta Desktop Sync Application

One disclaimer: to leverage this feature you will need Okta’s new Desktop Access license. Additionally, you will need to have Okta flip on the feature, or flip it on yourself inside of Settings > Features:

Once that is done, you can easily add the application, as you will see in the video below. Pretty simple: add the application, note the client ID, and entitle your groups and users to the application:

Deploying the Okta Desktop Application with Workspace ONE UEM

You will see in the video below that you will need one profile with SSO Extension and Associated Domains, plus two Custom XML profiles to deploy the Okta app settings and the Desktop Sync client settings, including the client ID from earlier.

To make it easy on everyone, here is the code for the Custom XML:

##Okta Mobile Custom XML##
<dict>
  <key>PayloadIdentifier</key>
  <string>com.okta.mobile.1f0839ff-4342-41eb-9041-46466f813b12</string>
  <key>PayloadUUID</key>
  <string>1f0839ff-4342-41eb-9041-46466f813b12</string>
  <key>PayloadOrganization</key>
  <string>Okta</string>
  <key>PayloadType</key>
  <string>com.okta.mobile</string>
  <key>OktaVerify.OrgUrl</key>
  <string>https://company.okta.com</string>
  <key>OktaVerify.UserPrincipalName</key>
  <string>{EmailAddress}</string>
  <key>PayloadVersion</key>
  <integer>1</integer>
  <key>PayloadDisplayName</key>
  <string>Okta Mobile Payload</string>
  <key>PayloadDescription</key>
  <string>Okta Mobile Payload</string>
</dict>

##Okta Mobile Service##
<dict>
  <key>PayloadIdentifier</key>
  <string>com.okta.mobile.auth-service-extension.37d49fbb-d11e-4d15-a363-83535d11bd50</string>
  <key>PayloadUUID</key>
  <string>37d49fbb-d11e-4d15-a363-83535d11bd50</string>
  <key>PayloadOrganization</key>
  <string>Okta</string>
  <key>PayloadType</key>
  <string>com.okta.mobile.auth-service-extension</string>
  <key>OktaVerify.OrgUrl</key>
  <string>https://company.okta.com</string>
  <key>OktaVerify.PasswordSyncClientID</key>
  <string>0ob4sz45awrXm1QSE699</string>
  <key>OktaVerify.UserPrincipalName</key>
  <string>{EmailAddress}</string>
  <key>PayloadVersion</key>
  <integer>1</integer>
  <key>PayloadDisplayName</key>
  <string>Okta Mobile Auth Service Extension</string>
  <key>PayloadDescription</key>
  <string>Okta Mobile Auth Service Extension Payload</string>
</dict>

Deploying the Okta Desktop Application with Intune

You will see in the video below that you will need a few profiles:

  1. A Settings Catalog profile with Extensible SSO and Associated Domains
  2. Two Custom XML profiles to deploy the Okta app settings and the Desktop Sync client settings, including the client ID from earlier

To make it easy on everyone, here is the code for the Custom XML:

##Okta Mobile Custom XML##
<dict>
  <key>PayloadIdentifier</key>
  <string>com.okta.mobile.1f0839ff-4342-41eb-9041-46466f813b12</string>
  <key>PayloadUUID</key>
  <string>1f0839ff-4342-41eb-9041-46466f813b12</string>
  <key>PayloadOrganization</key>
  <string>Okta</string>
  <key>PayloadType</key>
  <string>com.okta.mobile</string>
  <key>OktaVerify.OrgUrl</key>
  <string>https://company.okta.com</string>
  <key>OktaVerify.UserPrincipalName</key>
  <string>{{mail}}</string>
  <key>PayloadVersion</key>
  <integer>1</integer>
  <key>PayloadDisplayName</key>
  <string>Okta Mobile Payload</string>
  <key>PayloadDescription</key>
  <string>Okta Mobile Payload</string>
</dict>

##Okta Mobile Service##
<dict>
  <key>PayloadIdentifier</key>
  <string>com.okta.mobile.auth-service-extension.37d49fbb-d11e-4d15-a363-83535d11bd50</string>
  <key>PayloadUUID</key>
  <string>37d49fbb-d11e-4d15-a363-83535d11bd50</string>
  <key>PayloadOrganization</key>
  <string>Okta</string>
  <key>PayloadType</key>
  <string>com.okta.mobile.auth-service-extension</string>
  <key>OktaVerify.OrgUrl</key>
  <string>https://company.okta.com</string>
  <key>OktaVerify.PasswordSyncClientID</key>
  <string>0ob4sz45awrXm1QSE699</string>
  <key>OktaVerify.UserPrincipalName</key>
  <string>{{mail}}</string>
  <key>PayloadVersion</key>
  <integer>1</integer>
  <key>PayloadDisplayName</key>
  <string>Okta Mobile Auth Service Extension</string>
  <key>PayloadDescription</key>
  <string>Okta Mobile Auth Service Extension Payload</string>
</dict>
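Both the Workspace ONE and the Intune sections above end with the same two dict fragments, differing only in the UPN lookup value, and the comments below report a profile that pushed with zero services. Here is an added Python script (mine, not Okta’s, Apple’s, Microsoft’s or VMware’s) that generates a complete .mobileconfig with both payloads and fresh PayloadUUIDs on every run, then lints the result before you upload it. The top-level identifier and display names are my assumptions; the payload keys, org URL, client ID and placeholders are the values from the fragments above.

```python
"""Build and sanity-check a complete .mobileconfig carrying the two Okta payloads above.

Added example, not Okta, Apple, Microsoft or VMware code. The payload keys and
values (com.okta.mobile, com.okta.mobile.auth-service-extension,
OktaVerify.OrgUrl, OktaVerify.PasswordSyncClientID,
OktaVerify.UserPrincipalName) come from the XML fragments above; the wrapper
keys (PayloadContent, PayloadScope, PayloadType "Configuration") are Apple's
standard profile keys. The top-level identifier, display names and the sample
org URL, client ID and placeholder are assumed values.
"""
import plistlib
import uuid

OKTA_APP_TYPE = "com.okta.mobile"
OKTA_SSO_EXT_TYPE = "com.okta.mobile.auth-service-extension"


def okta_payload(payload_type: str, display_name: str, settings: dict) -> dict:
    """One payload dict with a fresh PayloadUUID echoed into PayloadIdentifier,
    the <type>.<uuid> pattern the fragments above use."""
    payload_uuid = str(uuid.uuid4())
    payload = {
        "PayloadType": payload_type,
        "PayloadIdentifier": f"{payload_type}.{payload_uuid}",
        "PayloadUUID": payload_uuid,
        "PayloadVersion": 1,
        "PayloadOrganization": "Okta",
        "PayloadDisplayName": display_name,
        "PayloadDescription": f"{display_name} Payload",
    }
    payload.update(settings)
    return payload


def build_profile(org_url: str, client_id: str, upn_placeholder: str) -> dict:
    """Whole profile: both payloads inside PayloadContent, the form Intune's custom
    profile upload takes. Workspace ONE's Custom Settings payload takes each inner
    <dict> on its own. upn_placeholder is the MDM's lookup value ({EmailAddress}
    for Workspace ONE, {{mail}} for Intune)."""
    payloads = [
        okta_payload(OKTA_APP_TYPE, "Okta Mobile", {
            "OktaVerify.OrgUrl": org_url,
            "OktaVerify.UserPrincipalName": upn_placeholder,
        }),
        okta_payload(OKTA_SSO_EXT_TYPE, "Okta Mobile Auth Service Extension", {
            "OktaVerify.OrgUrl": org_url,
            "OktaVerify.PasswordSyncClientID": client_id,
            "OktaVerify.UserPrincipalName": upn_placeholder,
        }),
    ]
    profile_uuid = str(uuid.uuid4())
    return {
        "PayloadType": "Configuration",
        "PayloadIdentifier": f"com.example.okta-desktop-password-sync.{profile_uuid}",  # assumed
        "PayloadUUID": profile_uuid,
        "PayloadVersion": 1,
        "PayloadDisplayName": "Okta Desktop Password Sync",
        "PayloadScope": "System",
        "PayloadContent": payloads,
    }


def render_profile(profile: dict) -> bytes:
    """Serialise to the XML plist that the MDM consoles accept."""
    return plistlib.dumps(profile)


def validate_profile(profile_bytes: bytes) -> list:
    """Return a list of problems; an empty list means the checks pass."""
    try:
        profile = plistlib.loads(profile_bytes)
    except Exception as exc:  # malformed XML, wrong root type, ...
        return [f"not a valid plist: {exc}"]
    payloads = profile.get("PayloadContent") or []
    problems = []
    if not payloads:
        problems.append("PayloadContent is empty: the profile would install zero services")
    present = {p.get("PayloadType") for p in payloads}
    for required in (OKTA_APP_TYPE, OKTA_SSO_EXT_TYPE):
        if required not in present:
            problems.append(f"missing payload {required}")
    uuids = [profile.get("PayloadUUID")] + [p.get("PayloadUUID") for p in payloads]
    if None in uuids or len(set(uuids)) != len(uuids):
        problems.append("every PayloadUUID must be present and unique")
    for p in payloads:
        if not p.get("PayloadIdentifier", "").startswith(p.get("PayloadType", "?")):
            problems.append(f"PayloadIdentifier should start with {p.get('PayloadType')}")
        if not p.get("OktaVerify.OrgUrl", "").startswith("https://"):
            problems.append(f"OktaVerify.OrgUrl must be https: {p.get('OktaVerify.OrgUrl')!r}")
        if p.get("PayloadType") == OKTA_SSO_EXT_TYPE and not p.get("OktaVerify.PasswordSyncClientID"):
            problems.append("SSO extension payload lacks OktaVerify.PasswordSyncClientID")
    return problems


if __name__ == "__main__":
    blob = render_profile(build_profile("https://company.okta.com", "0ob4sz45awrXm1QSE699", "{{mail}}"))
    print(blob.decode())
    print(validate_profile(blob) or "profile OK")
```

Run it once per MDM and per tenant: pass `{EmailAddress}` for Workspace ONE and `{{mail}}` for Intune, and never copy a profile between environments without regenerating it, since the UUIDs must be unique. The lint catches the empty PayloadContent case described in the comments, a missing payload type, duplicated UUIDs, an identifier that no longer matches its type, a non-HTTPS org URL, and an SSO extension payload without the client ID from the Okta app.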

Final Thoughts

The thing I love about Platform SSO is that it’s understated. Your login window is exactly the same as it is without it. Luckily, the registration/setup isn’t too painful either. The biggest challenge currently is deploying the apps through MDM, as Workspace ONE doesn’t support Universal Apps today and Intune doesn’t support Managed App Config for MacOS. Fortunately, some creativity with custom XML profiles makes this fairly achievable.

Overall, Platform SSO is a win for the enterprise, and it’s great to see Okta and Azure both rolling it out. I’m sure others have too, but those are the two that I have seen. My hope is that we will also see this with Workspace ONE Access and others soon, as we need to simplify authentication and support the Zero Trust journey accordingly.


3 thoughts on “Okta Desktop Password Sync Delivers Platform SSO to MacOS”

  1. Thank you, this is a game changer.
    But could you help us by providing the PayloadType and PayloadUUID for Intune?
    Because we receive the notification on the Mac (Apple Silicon based), but when we click on it, it gives the error:

    “Registration not available:
    Inform your IT Help Desk-you clicked a registration required notification and you got this error message.”

    Thank you.

    1. To achieve it on Intune, you basically create two custom XML profiles.

      Leverage a UUID generator tool for the UUID: https://www.uuidgenerator.net/

      You plug that UUID into the custom XML code, and the PayloadType for the two profiles you will find in the custom XML on the blog, e.g. com.okta.mobile.auth-service-extension and com.okta.mobile

  2. Still receiving the error: ‘Registration not available:
    Inform your IT Help Desk-you clicked a registration required notification and you got this error message’

    Notification + profile configuration get pushed, but with 0 services (payloads are empty).

    Can you provide help?
