app-sso — A tool
used to control and get information about the Kerberos SSO
extension.
app-sso |
[command]
Commands:
-a,
--authenticate REALM
[options ...]-
-u,
--username
USERNAME-f,
--force-q,
--quiet
-d,
--logout REALM-c,
--changepassword
REALM-l,
--listrealms-i,
--realminfo REALM-
-v,
--verbose
-i,
--sitecode REALM-
-v,
--verbose
-r,
--reset REALM-k,
--keychainoption
REALM-j,
--json REALM-h,
--help REALM
|
app-sso is used to control and get
information about the Kerberos Single Sign-on (SSO) extension via the
command line. The Kerberos SSO extension simplifies using Kerberos
authentication with an Active Directory based Kerberos realm. It also allows
the user to use Active Directory specific functions such as password changes
and password expiration notifications.
Note that app-sso cannot be used to
completely configure the Kerberos SSO extension. Configuring the Kerberos
SSO extension requires a user approved MDM enrollment, as well as an MDM
solution that can build and deliver an appropriately configured Extensible
SSO configuration profile payload. See your MDM vendor's documentation for
additional information.
-a,
--authenticate REALM- Display the login dialog for the specified realm, or if the user has
already configured the Kerberos SSO extension, acquire a new credential.
Returns success upon acquiring a new credential or if the user already has
a valid credential.
-u,
--username- The username for authentication. The user will not be able to change
this username on the login screen.
-f,
--force- Display the login screen even if the user is already
authenticated.
-q,
--quiet- Suppress the information that is normally printed after
authentication.
-d,
--logout REALM- Logs out any user logged into the specified realm.
-c,
--changepassword REALM- Displays the "Change Password" dialog for the specified
realm.
-l,
--listrealms- Prints the list of configured realms.
-i,
--realminfo REALM- Print information about the currently configured realm. This includes
information such as the current site code, network home directory and date
the user's password expires.
-v,
--verbose- Print the complete site code cache in the results.
-s,
--sitecode REALM- Perform a site lookup for the specified realm.
-v,
--verbose- Print the complete site code cache in the results.
-r,
--reset [REALM]- Reset the cache for the specified realm. If a realm isn't specified, reset
caches for all realms.
-k,
--keychainoption REALM- Resets the "login automatically" option for the specified
realm.
-p,
--proceedusersetup REALM- Allow user setup to proceed if you are using "delayUserSetup" in
your configuration profile.
-t,
--sharedsettings REALM- Prints the kerberos settings that are shared with other processes for the
specified realm. For diagnostic purposes only, not intended for
scripting.
-j,
--json- Format the output of this command as JSON instead of property list
format.
-h,
--help- Print a synopsis of the above document.
- Print infomation about the PRETENDCO.COM realm:
- app-sso -i PRETENDCO.COM
- Authenticate to the PRETENDCO.COM realm as jappleseed:
- app-sso -a PRETENDCO.COM -u jappleseed
- startInSmartCardMode
- The default behavior of the KerberosExtension is to start in the UI mode
last used by the user. To force it to start in SmartCard mode, run this
defaults command:
defaults write
com.apple.AppSSOKerberos.KerberosExtension startInSmartCardMode -bool
true
- allowSmartCard
-
The default behavior of the KerberosExtension is to show both password and
SmartCard authentication in the UI. To hide SmartCards, run this defaults
command:
defaults write
com.apple.AppSSOKerberos.KerberosExtension allowSmartCard -bool
false
- allowPassword
-
The default behavior of the KerberosExtension is to show both password and
SmartCard authentication in the UI. To hide passwords, run this defaults
command:
defaults write
com.apple.AppSSOKerberos.KerberosExtension allowPassword -bool
false
- identityIssuerAutoSelectFilter
-
The default behavior of the KerberosExtension is to auto select an
available identity if one is available. If more than one is available,
then the identityIssuerAutoSelectFilter can be used to filter the issuer
names. If one is left, then it will be auto selected. The value should
include any wild cards. To enable it, run this defaults command with the
correct filter value:
defaults write com.apple.AppSSOKerberos.KerberosExtension identityIssuerAutoSelectFilter 'Apple CA*'