Simple Authentication for Setup Assistant

Francis Augusto Medeiros-Logeay edited this page May 15, 2026 · 1 revision

When a user enrolls in Platform SSO while setting up a new Mac, there is usually a device registration step in which the user authenticates with the IdP password:

[Image: psso2]

That authentication gives the macOS SSO extension some tokens. This is interesting for one reason:

During user registration, the user needs to authenticate with the IdP through its native interface. For example:

[Image: userreg3]

The main purpose here is to use 2FA. So it is a bit of a hassle that the user must type the username and password again.

To avoid this, we developed another authenticator just for the purpose of Setup Assistant:

[Image: Screenshot 2026-05-15 at 14 43 42]

This takes a refresh token that the SSO extension received and sends it to Keycloak as a header. If the token is valid, Keycloak skips the username and password step and either returns a fully authenticated user or displays 2FA, if you configured the flow for that.
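The decision described above, modelled in Python as an added example; it is not the project's authenticator code. The header name, client ID, signing key and the specific claim checks are assumptions, and the tokens are constructed for the demonstration.

```python
import base64, hashlib, hmac, json

# Assumptions for illustration only: header name, client ID, HS256 key and
# the claim checks below are hypothetical, not taken from the project.
HEADER = "X-PSSO-Refresh-Token"
PSSO_CLIENT = "psso"
KEY = b"constructed-demo-key"
FALLBACK = "PASSWORD_FORM"  # any failure falls back to the normal login form

def b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(head, body, key):
    return hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()

def make_token(claims, key=KEY):
    """Build a constructed HS256 JWT standing in for the IdP's refresh token."""
    head = b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64(json.dumps(claims).encode())
    return f"{head}.{body}.{b64(sign(head, body, key))}"

def authenticate(headers, require_2fa, now):
    """Return the next flow step: PASSWORD_FORM, OTP_FORM or SUCCESS."""
    token = headers.get(HEADER)
    if not token:
        return FALLBACK  # header absent: ordinary browser login
    try:
        head, body, sig = token.split(".")
        if json.loads(unb64(head)).get("alg") != "HS256":
            return FALLBACK  # pin the algorithm; never accept "none"
        if not hmac.compare_digest(sign(head, body, KEY), unb64(sig)):
            return FALLBACK  # signature check before trusting any claim
        claims = json.loads(unb64(body))
        typ, azp, exp = claims.get("typ"), claims.get("azp"), claims.get("exp")
    except (ValueError, AttributeError):
        return FALLBACK  # malformed token
    if typ != "Refresh" or azp != PSSO_CLIENT:
        return FALLBACK  # must be a refresh token issued to the PSSO client
    if not isinstance(exp, (int, float)) or exp <= now:
        return FALLBACK  # expired or missing expiry
    # The token only replaces username and password; 2FA still runs if configured.
    return "OTP_FORM" if require_2fa else "SUCCESS"
```
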

In order to use this authenticator during Setup Assistant, configure a flow for the PSSO client, for example, like this:

[Image: Screenshot 2026-05-15 at 14 46 52]

We recommend using a dedicated flow for the PSSO client, so that this authenticator is used only in that situation.
