This is a Keycloak extension that makes it compliant with Apple Platform Single Sign-on for macOS.
- Provides device attestation so that only requests from enrolled macOS devices are accepted
- Allows revocation of user registration on GUI, both for users and administrators
- Keycloak 26.4 or newer
- Keycloak must use PostgreSQL or MariaDB as its database. If you use something else, please open an issue and we will try to implement it, or add the schema for your database yourself to the changelog files.
- Secure Enclave-only: this extension only implements the Secure Enclave authentication method.
- Fixed client: to use this extension, you need to create a client called psso. In the future we will make this configurable. The client needs to be public and it needs to include the urn:apple:platformsso scope.
- Revoke Refresh Token needs to be off: the refresh token is used for login, as it serves as an opaque token to authenticate and identify the user. In the future we might change this. Off is the default option in Keycloak.
- No UI or API for managing devices: currently, devices can only be enrolled. An API will be added for integration with MDMs so that the device lifecycle can include removing devices from Keycloak.
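The three client and realm settings above are easy to get wrong when a realm is recreated or imported. The following script, an added example that is not part of this project, checks a Keycloak realm export for them and produces a corrected copy. It assumes the export uses the standard realm-representation keys (revokeRefreshToken, clientScopes[].name, clients[].clientId, clients[].publicClient, clients[].defaultClientScopes and optionalClientScopes); the sample export embedded in it is constructed for the demonstration.

```python
# Added example (not part of the keycloak-psso-extension project): checks a
# Keycloak realm export for the settings the README requires and produces a
# corrected copy. Assumption: the export uses the standard realm-representation
# keys named below.
import copy
import json

PSSO_CLIENT_ID = "psso"               # fixed client name the extension expects
PSSO_SCOPE = "urn:apple:platformsso"  # scope the psso client must include


def check_psso_config(realm: dict) -> list[str]:
    """Return a list of findings; an empty list means the realm is compliant."""
    findings = []

    # The extension uses the refresh token as an opaque login credential, so
    # revoking it on every refresh would break subsequent logins.
    if realm.get("revokeRefreshToken", False):
        findings.append("realm: 'Revoke Refresh Token' must be off (revokeRefreshToken=false)")

    # The scope must exist in the realm before a client can reference it.
    if not any(s.get("name") == PSSO_SCOPE for s in realm.get("clientScopes", [])):
        findings.append(f"realm: client scope '{PSSO_SCOPE}' is not defined")

    client = next((c for c in realm.get("clients", [])
                   if c.get("clientId") == PSSO_CLIENT_ID), None)
    if client is None:
        findings.append(f"client '{PSSO_CLIENT_ID}' does not exist")
        return findings

    # The README requires a public client (no client secret).
    if not client.get("publicClient", False):
        findings.append(f"client '{PSSO_CLIENT_ID}': must be public (publicClient=true)")

    # Accept the scope as either a default or an optional client scope.
    attached = set(client.get("defaultClientScopes", [])) | set(client.get("optionalClientScopes", []))
    if PSSO_SCOPE not in attached:
        findings.append(f"client '{PSSO_CLIENT_ID}': scope '{PSSO_SCOPE}' is not attached")

    return findings


def harden_psso_config(realm: dict) -> dict:
    """Return a deep copy of the export with the required settings applied."""
    fixed = copy.deepcopy(realm)
    fixed["revokeRefreshToken"] = False

    scopes = fixed.setdefault("clientScopes", [])
    if not any(s.get("name") == PSSO_SCOPE for s in scopes):
        scopes.append({"name": PSSO_SCOPE, "protocol": "openid-connect"})

    for client in fixed.setdefault("clients", []):
        if client.get("clientId") == PSSO_CLIENT_ID:
            break
    else:
        # No psso client yet: create a minimal one.
        client = {"clientId": PSSO_CLIENT_ID, "protocol": "openid-connect"}
        fixed["clients"].append(client)

    client["publicClient"] = True
    defaults = client.setdefault("defaultClientScopes", [])
    if PSSO_SCOPE not in defaults:
        defaults.append(PSSO_SCOPE)
    return fixed


def load_realm_export(path: str) -> dict:
    """Load a realm export produced by `kc.sh export` or the admin console."""
    with open(path, encoding="utf-8") as f:
        return json.load(f)


# Constructed sample export: all three requirements are wrong.
WEAK_REALM = {
    "realm": "example",
    "revokeRefreshToken": True,
    "clientScopes": [{"name": "profile", "protocol": "openid-connect"}],
    "clients": [
        {"clientId": "psso", "protocol": "openid-connect",
         "publicClient": False, "defaultClientScopes": ["profile"]},
    ],
}


if __name__ == "__main__":
    for name, realm in (("weak", WEAK_REALM), ("hardened", harden_psso_config(WEAK_REALM))):
        print(f"{name}: {check_psso_config(realm) or ['OK']}")
```

Run it against a real export with load_realm_export(path) in place of the constructed WEAK_REALM; the hardened copy can then be re-imported, or the findings used as a checklist for the admin console.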
Download the package (a jar file) and move it to the providers folder of your Keycloak installation.
Or build this with Maven:
$ mvn clean install
Device and user registrations require a valid Access Token from the user. Our companion SSO extension provides that authentication.
We also developed a companion SSO Extension called Weblogin SSO, which is a bit limited in certain situations.
You can check the SSO Extension here: https://github.com/unioslo/weblogin-mac-sso-extension
There is some short documentation on how to use this extension in the wiki section of this repo: https://github.com/unioslo/keycloak-psso-extension/wiki
You can also find some explanation of the endpoints in this article: https://francisaugusto.com/2025/Platform_single_sign_on_diy/. The purpose of this article is mostly to help developers adapt our SSO Extension or this extension.
It would be very nice if other developers could join our efforts, especially when it comes to the SSO Extension and its processing of SAML flows. If you can and want to help, send PRs our way or drop us a line on the #Keycloak channel at the MacAdmins Slack.
Thanks to Timothy Perfitt from Twocanoes for the inspiration provided with their tutorials and code regarding SSO Extensions. His psso-server-go was particularly useful to understand a few concepts regarding user and device registration.
