home.social

#psso — Public Fediverse posts

Live and recent posts from across the Fediverse tagged #psso, aggregated by home.social.

  1. Did some additional FV login testing for PSSO. If you set the policy to require cloud login, it requires successful cloud authentication in order to unlock FV. If the IdP is unreachable (or you are not on ethernet or WPA2 WiFi), you can’t log in. This applies to all user accounts on the Mac, including non-paired local admin accounts. If you add those local-only accounts to NonPlatformSSOAccounts, you can log in to them without the IdP being available.

    #psso #sequoia

  2. psso-server-go uses a Go package that implements all the crypto required for PSSO and is intended to be a reference for how to implement the crypto in any language for PSSO.

    github.com/twocanoes/psso-sdk-

    #psso #sso #macadmins #macadmin

  3. If you want to set up your own PSSO service in a test environment (without having it open to the internet), check out psso-server-go on GitHub:

    github.com/twocanoes/psso-serv

    #psso #sso #macadmins #macadmin

  4. I just posted a new article on PSSO: PSSO Technical Deep Dive

    I went into the depths of PSSO and took notes. Read about it here:

    twocanoes.com/psso-technical-d

    #psso #sso

  5. Also, when you perform an authentication, you get a local notification each time that lets you know your token has been refreshed.

    More testing to do as the new OS betas get released, and I am doing a session at PSU MacAdmins, so if you are interested in all things PSSO, check out my PSSO page. Info on how you can set up your own PSSO server, tutorials for creating a single sign-on extension, and adding your own PSSO functionality to your apps.

    twocanoes.com/sso

    #psso #sequoia

  6. The other new key is NonPlatformSSOAccounts. In earlier releases, all local accounts would be prompted to register. NonPlatformSSOAccounts is an array of local usernames that will not be prompted for cloud account registration.

    #psso #sequoia

  7. So you can unlock FileVault, LoginWindow, or LockScreen with just the local password if you have authenticated with the Identity Provider within the specified time period.

    The UnlockPolicy option AllowTouchIDOrWatchForUnlock allows Touch ID or Watch to unlock the lock screen. I haven't tested if that triggers a refresh, but it may.

    #psso #sequoia

  8. From my testing and the naming, AttemptAuthentication doesn't require the cloud service to be successful, but if the authentication is successful, an SSO token will be retrieved. RequireAuthentication stops the authentication if the cloud login fails. AllowOfflineGracePeriod and AllowAuthenticationGracePeriod appear to be 2 different timings you can specify that set how long is allowed between successful cloud logins.

    #psso #sequoia

  9. Now for the new policies:

    The three new policies, FileVaultPolicy, LoginPolicy, and UnlockPolicy allow you to specify what is required at FileVault, Login Window and Screen unlock, respectively. Each policy has 3 options:

    AttemptAuthentication, RequireAuthentication, AllowOfflineGracePeriod, AllowAuthenticationGracePeriod

    UnlockPolicy has an additional option: AllowTouchIDOrWatchForUnlock

    #psso #sequoia
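A lockout check for the policy keys described in posts 1, 6, 7, 8 and 9, added here as an example; this is not code from the posts, from Twocanoes, or from Apple. It parses a constructed configuration profile and reports, per gate, whether a user can still get in when the IdP is unreachable, and whether an empty NonPlatformSSOAccounts list turns a RequireAuthentication FileVault or login policy into a full lockout (the situation tested in post 1). The key names and option strings are the ones in the posts; the payload layout (a `com.apple.extensiblesso` payload carrying a `PlatformSSO` dictionary, grace periods as integer seconds), the pairing of each Allow*GracePeriod option with its timing key, and the assumption that an absent policy key behaves like AttemptAuthentication are assumptions made for illustration.

```python
import plistlib

# Constructed sample profile (not taken from the posts). Key names and option
# strings come from the posts; the payload layout and the use of seconds for
# the grace periods are assumptions for this example.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.extensiblesso</string>
      <key>PlatformSSO</key>
      <dict>
        <key>FileVaultPolicy</key><string>RequireAuthentication</string>
        <key>LoginPolicy</key><string>AllowOfflineGracePeriod</string>
        <key>UnlockPolicy</key><string>AllowTouchIDOrWatchForUnlock</string>
        <key>OfflineGracePeriod</key><integer>86400</integer>
        <key>AuthenticationGracePeriod</key><integer>3600</integer>
        <key>NonPlatformSSOAccounts</key>
        <array><string>localadmin</string></array>
      </dict>
    </dict>
  </array>
</dict>
</plist>
"""

POLICY_KEYS = ("FileVaultPolicy", "LoginPolicy", "UnlockPolicy")

# Assumed pairing of policy option -> timing key. Both pairs are named in the
# posts; matching them up this way is an assumption.
GRACE_KEY_FOR = {
    "AllowOfflineGracePeriod": "OfflineGracePeriod",
    "AllowAuthenticationGracePeriod": "AuthenticationGracePeriod",
}


def load_platform_sso(profile_bytes):
    """Return the PlatformSSO dict from the first com.apple.extensiblesso payload."""
    root = plistlib.loads(profile_bytes)
    for payload in root.get("PayloadContent", []):
        if payload.get("PayloadType") == "com.apple.extensiblesso":
            return payload.get("PlatformSSO", {})
    raise ValueError("no com.apple.extensiblesso payload in profile")


def gate_allows_offline(platform_sso, gate):
    """(ok, reason): can a PSSO user pass this gate while the IdP is unreachable?

    Remember that at FileVault there is no network unless the Mac is on
    Ethernet or WPA2 Wi-Fi, so "IdP unreachable" is the common case there.
    """
    option = platform_sso.get(gate)
    if option is None or option == "AttemptAuthentication":
        # Absent key assumed to behave like AttemptAuthentication (assumption).
        return True, "cloud auth is attempted but not required"
    if option == "RequireAuthentication":
        return False, "cloud auth must succeed; an unreachable IdP blocks login"
    if option in GRACE_KEY_FOR:
        timing_key = GRACE_KEY_FOR[option]
        secs = platform_sso.get(timing_key)
        if isinstance(secs, int) and secs > 0:
            return True, f"local password accepted within {secs}s of the last cloud login"
        return False, f"{option} set but {timing_key} is missing or zero (lint assumption)"
    if gate == "UnlockPolicy" and option == "AllowTouchIDOrWatchForUnlock":
        return True, "Touch ID or Watch unlocks without the IdP"
    return False, f"unrecognised option {option!r} for {gate}"


def assess(platform_sso):
    """Summarise per-gate offline behaviour and the full-lockout condition."""
    gates = {g: gate_allows_offline(platform_sso, g) for g in POLICY_KEYS}
    exempt = list(platform_sso.get("NonPlatformSSOAccounts", []))
    # Post 1's finding: a FileVault or login gate that needs the IdP applies to
    # every account, including local admins, unless that account is listed in
    # NonPlatformSSOAccounts. A blocking gate plus an empty list locks everyone out.
    blocking = [g for g in ("FileVaultPolicy", "LoginPolicy") if not gates[g][0]]
    return {
        "gates": gates,
        "nonplatform_accounts": exempt,
        "blocking_gates": blocking,
        "full_lockout_when_idp_down": bool(blocking) and not exempt,
    }


def main():
    report = assess(load_platform_sso(SAMPLE_PROFILE))
    for gate, (ok, why) in report["gates"].items():
        print(f"{gate:16} offline {'OK     ' if ok else 'BLOCKED'}: {why}")
    print("local-only accounts:", report["nonplatform_accounts"] or "none")
    print("full lockout if IdP is down:", report["full_lockout_when_idp_down"])


if __name__ == "__main__":
    main()
```

Run it against a real .mobileconfig by swapping the bytes passed to `load_platform_sso`; the report is worth a glance before pushing a RequireAuthentication FileVault policy to Macs that may boot without Ethernet or WPA2 Wi-Fi.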

  10. There are some changes in the messages in the login window as well. If the policy requires cloud login but it is unavailable, the login window lets you know about it.

    #psso #sequoia

  11. Let's talk about the UI changes first. When PSSO is set up with a config profile and an extension in an app, the user is still prompted with a local notification at first login to register the device and user account. However, there is now a new UI that shows info and progress.

    #psso #sequoia

  12. PSSO got some new things in Sequoia:

    New Policies:
    FileVaultPolicy: How to cloud login at FileVault login window.
    LoginPolicy: How to cloud login at main login window
    UnlockPolicy: How to cloud login at lock screen

    Timing:
    AuthenticationGracePeriod
    OfflineGracePeriod

    Other:
    NonPlatformSSOAccounts

    Some UI Changes as well.

    developer.apple.com/documentat

    #psso #sequoia