Using a Registration Token
With Platform Single Sign-on, you can use a Registration Token to perform a silent device registration. This is especially useful for shared machines, where device registration has to happen automatically. It is also recommended as an extra security measure, because it gives the IdP a way to confirm that a given machine is enrolled in a specific MDM.
Apple gives very few recommendations regarding Registration Tokens. See this documentation under the item "Set up Platform Single Sign-on". There, a Registration Token is used as an alternative to device attestation.
However, we chose to do things in a different way with this extension:
- Attestation is always required, so we know it is a legitimate Apple device being registered
- A Registration Token can be used in addition to attestation, never instead of it.
So, if this extension is configured to require a Registration Token, device registration occurs without any user login. If a Registration Token isn't required, the user is prompted to log in to the Keycloak-based IdP.
To configure the Registration Token, you need to:
- add a `RegistrationToken` key and value to your SSO Extension configuration profile
- enable it on Keycloak
On your SSO Extension profile, add the following:

```xml
<key>RegistrationToken</key>
<string>yoursecrettoken</string>
```
On Keycloak, go to Realm Settings, find the "Platform Single Sign-on" tab, and:
- enable "Require Registration Token" and
- fill out the Registration Token with the same token you have on your profile
Note: If a Registration Token isn't required on Keycloak but one is sent anyway, the registration will fail. Keep the two sides consistent: require the Registration Token on Keycloak when your MDM profile has one configured, otherwise disable the requirement.
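The decision the Keycloak side has to make, written out as a small added example (illustration only, not the extension's own code). It assumes a hypothetical `RealmPsso` mirror of the realm tab settings, treats a required-but-missing token as a rejection (the page doesn't spell that case out), and compares tokens in constant time:

```python
import hmac
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Outcome(Enum):
    REJECT = "reject"                    # registration refused
    SILENT_REGISTER = "silent_register"  # no user login prompt (shared-machine case)
    PROMPT_LOGIN = "prompt_login"        # user must log in to the Keycloak-based IdP


@dataclass(frozen=True)
class RealmPsso:
    """Hypothetical mirror of the realm's "Platform Single Sign-on" tab settings."""
    require_registration_token: bool
    registration_token: Optional[str] = None  # the value filled in on the Keycloak side


def decide_registration(realm: RealmPsso, attestation_ok: bool,
                        presented_token: Optional[str]) -> Outcome:
    """Apply the policy described above: attestation always, token on top of it."""
    # Attestation is always required, whatever the token settings say.
    if not attestation_ok:
        return Outcome.REJECT

    if realm.require_registration_token:
        # Assumption: a required token that is absent on either side is a rejection.
        if presented_token is None or realm.registration_token is None:
            return Outcome.REJECT
        # Constant-time comparison so a wrong token doesn't leak how much of it matched.
        if not hmac.compare_digest(presented_token.encode("utf-8"),
                                   realm.registration_token.encode("utf-8")):
            return Outcome.REJECT
        return Outcome.SILENT_REGISTER

    # Token not required on Keycloak: a token sent anyway is a mismatch and fails,
    # exactly the situation the note above warns about.
    if presented_token is not None:
        return Outcome.REJECT
    return Outcome.PROMPT_LOGIN


if __name__ == "__main__":
    # Constructed sample settings: the profile carries "yoursecrettoken" as above.
    realm = RealmPsso(require_registration_token=True, registration_token="yoursecrettoken")
    print(decide_registration(realm, True, "yoursecrettoken"))  # Outcome.SILENT_REGISTER
    print(decide_registration(RealmPsso(False), True, "yoursecrettoken"))  # Outcome.REJECT
```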