{"id":46551714,"url":"https://github.com/unioslo/keycloak-psso-extension","last_synced_at":"2026-03-07T03:32:17.006Z","repository":{"id":321797829,"uuid":"1085165858","full_name":"unioslo/keycloak-psso-extension","owner":"unioslo","description":"This is a Keycloak extension to provide compatibility with macOS Platform Single Sign-on","archived":false,"fork":false,"pushed_at":"2026-02-23T14:04:52.000Z","size":145,"stargazers_count":21,"open_issues_count":0,"forks_count":1,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-02-23T22:14:32.875Z","etag":null,"topics":["apple","keycloak","macos","mdm","platform-single-sign-on","sso"],"latest_commit_sha":null,"homepage":"","language":"Java","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/unioslo.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2025-10-28T17:09:48.000Z","updated_at":"2026-02-23T14:04:56.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/unioslo/keycloak-psso-extension","commit_stats":null,"previous_names":["unioslo/keycloak-psso-extension"],"tags_count":18,"template":false,"template_full_name":null,"purl":"pkg:github/unioslo/keycloak-psso-extension","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/unioslo%2Fkeycloak-psso-extension","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/unioslo%2Fkeycloak-psso-extension/tags","releases_url":"https://repos.ecosyste.ms/a
pi/v1/hosts/GitHub/repositories/unioslo%2Fkeycloak-psso-extension/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/unioslo%2Fkeycloak-psso-extension/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/unioslo","download_url":"https://codeload.github.com/unioslo/keycloak-psso-extension/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/unioslo%2Fkeycloak-psso-extension/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":30206574,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-03-07T03:24:23.086Z","status":"ssl_error","status_checked_at":"2026-03-07T03:23:11.444Z","response_time":53,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.6:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["apple","keycloak","macos","mdm","platform-single-sign-on","sso"],"created_at":"2026-03-07T03:32:16.272Z","updated_at":"2026-03-07T03:32:16.943Z","avatar_url":"https://github.com/unioslo.png","language":"Java","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Keycloak Platform Single Sign-on Extension\n\nThis is a Keycloak extension that makes it compliant with [Apple Platform Single Sign-on for macOS](https://support.apple.com/en-ca/guide/deployment/dep7bbb05313/web).\n\n## Features\n\n- Provides device attestation so that only requests 
from enrolled macOS devices are accepted\n- Allows revocation of user registration in the GUI, both for users and administrators\n\n![User registration is treated as a credential on Keycloak. The user (and administrators) can see and manage them.](https://github.com/user-attachments/assets/8d94bd8c-66a2-4cd3-ba9e-6f29a0254e54)\n\n\n## Requirements\n\n- Keycloak 26.5 or newer\n- Keycloak must use PostgreSQL or MariaDB as its database. If you use something else, \nplease open an issue and we will try to implement it. Or add the scheme yourself to the changelog files.\n- The \"Declarative-ui\" feature of Keycloak needs to be enabled\n\n## Known limitations\n\n- **Secure Enclave-only**: this extension only implements the Secure Enclave authentication method. \n- **Fixed client**: to use this extension, you need to create a client called _psso_. In the future we will make this configurable. The client needs to be public and it needs to include the `urn:apple:platformsso` scope.\n- **Revoke Refresh Token needs to be off**: the refresh token is used for login, as it is used as an opaque token to authenticate and identify the user. In the future we might change this. This is the default option in Keycloak.\n- **No UI or API for managing devices**: Currently, devices can only be enrolled. An API will be added for integration with MDMs so that the lifecycle of a device can include removing them from Keycloak.\n\n## How to use it\n\nDownload the package (a _jar_ file) and move it to the _providers_ folder of your Keycloak installation.\n\nOr build this with Maven:\n\n```\n$ mvn clean install\n```\nDevice and user registrations require a valid Access Token from the user. Our companion SSO extension provides that authentication.\n\n\n## Companion SSO Extension: Weblogin SSO\n\nWe also developed a companion SSO Extension called _Weblogin SSO_, which is a bit limited in certain situations. 
\n\nYou can check the SSO Extension here: https://github.com/unioslo/weblogin-mac-sso-extension\n\n\n## Documentation\n\nThere is some brief documentation on how to use this extension in \nthe wiki section of this repo: https://github.com/unioslo/keycloak-psso-extension/wiki\n\nYou can also find a bit of explanation about the endpoints \nin this article: https://francisaugusto.com/2025/Platform_single_sign_on_diy/ .\nThe purpose of this article is mostly to help developers adapt our SSO Extension or this extension.\n\n\n## Discussions\n\nIt would be very nice if other developers could join our efforts, especially when it comes to the SSO Extension and its processing of SAML flows. If you can and want to help, send PRs our way or drop us a line on the #Keycloak channel at the MacAdmins [Slack](https://macadmins.slack.com/archives/C09UKEDGBEH).\n\n\n## Acknowledgement\n\nThanks to Timothy Perfitt from [Twocanoes](https://twocanoes.com) for the inspiration provided with their tutorials and code regarding SSO Extensions. His [psso-server-go](https://github.com/twocanoes/psso-server-go) was particularly useful for understanding a few concepts regarding user and device registration.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Funioslo%2Fkeycloak-psso-extension","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Funioslo%2Fkeycloak-psso-extension","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Funioslo%2Fkeycloak-psso-extension/lists"}