Xpsso Admin Guide
Items Required
- Google Business Plus or similar
- Any Mobile Device Management Service. Jamf Pro, Mosyle, and SimpleMDM have been verified to work.
- A Mac or Linux machine to run the service, reachable from the internet (PSSO's Associated Domains requirement means Apple must be able to fetch the associated-domain file from the host). Support for Windows Server is on the roadmap.
- A registered DNS hostname (for example, xpsso.example.com)
- A TLS certificate from a well known authority (for example, Let’s Encrypt)
- A Mac enrolled in Apple Business Manager or Apple School Manager for Automated Device Enrollment
- The Xpsso macOS app that provides an app extension for enabling PSSO
- The Xpsso microservice for providing the machine trust and user authentication to the Google Cloud
- A configuration profile for configuring the PSSO service and the Xpsso macOS app
Initial Setup
See the Quick Setup Guide.
Xpsso Microservice Options
Xpsso provides a service package file that installs a command line application that runs a web service on Mac or Linux. The command line tool does not exit; it stays running to respond to requests. The Xpsso microservice gets its configuration through environment variables. The service can either terminate TLS itself, or, if you use a load balancer that handles TLS, it can listen on a non-TLS port behind the load balancer. PSSO requires the associated domain endpoint to be accessible on the internet, so a certificate from a well-known certificate authority and a registered DNS hostname are required.
Xpsso Service Options
Required Options
The options below are required. Update the <DNS_HOST_NAME>, <YOUR_CLIENT_ID_FROM_OIDC>, <YOUR_CLIENT_SECRET_FROM_OIDC> in the items below.
PSSO_ISSUER=<DNS_HOST_NAME>
OIDCISSUER=https://accounts.google.com
PSSO_REDIRECT_URI=https://twocanoes.com/xcreds-redirect
PSSO_CLIENT_ID=<YOUR_CLIENT_ID_FROM_OIDC>
PSSO_SCOPE="profile openid"
PSSO_CLIENT_SECRET=<YOUR_CLIENT_SECRET_FROM_OIDC>
All Options
These environment variables can be set when running the Xpsso service.
- PSSO_ISSUER: The issuer is the DNS hostname used for the Xpsso microservice.
- OIDCISSUER: The issuer for the OIDC service. For Google Identity, it will be https://accounts.google.com.
- PSSO_REDIRECT_URI: This is the OIDC redirect defined in the OIDC app. The redirect URI is called at the end of OIDC authentication to signal the end of the authentication. The content is not shown. The Xpsso service detects the redirect and completes the authentication. It can be any URL as long as it matches the redirect URI in the app config. For example: https://twocanoes.com/xcreds-redirect.
- PSSO_CLIENT_ID: The client ID from the OIDC cloud service.
- PSSO_SCOPE: The OIDC claims (key value pairs) returned after authenticating to the cloud service. The claims “profile openid” are required for Google Identity to do an authentication.
- PSSO_CLIENT_SECRET: The client secret from the OIDC cloud service.
- USE_HTTPS: If set to true, a TLS private key and TLS certificate must be installed. See PSSO_TLSPRIVATEKEYPATH and PSSO_TLSCERTIFICATECHAINPATH for path options.
- PSSO_ADDRESS: The network address and port to listen on. By default, the Xpsso microservice will listen on port 443.
- PSSO_TLSPRIVATEKEYPATH: The path to the TLS private key. By default, it is /etc/psso/privkey.pem
- PSSO_TLSCERTIFICATECHAINPATH: The path to the TLS certificate chain. By default, it is /etc/psso/.fullchain.pem
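Because the service reads everything from environment variables, a launch wrapper can refuse to start it when the configuration is incomplete. The script below is an added example (not part of the Xpsso package): it checks that every required variable from the section above is set, that no <PLACEHOLDER> text from this guide was left in place, that PSSO_SCOPE carries the "profile" and "openid" scopes Google Identity needs, and, when USE_HTTPS=true, that the key and chain files exist at the configured (or default) paths and that the private key is not world-readable. The launcher path in the usage comment is a placeholder; the variable names and default file paths are the ones stated above.

```shell
#!/bin/sh
# Added example, not part of the Xpsso package: pre-flight check for the
# Xpsso microservice environment. Variable names and the default TLS paths
# come from the admin guide; "/path/to/xpsso-service" below is a placeholder.
#
# Usage: export the PSSO_* variables, source this file, then
#   xpsso_check_env && exec /path/to/xpsso-service

# Return 0 when the environment is complete and consistent, 1 otherwise.
# Every problem found is written to stderr so the operator sees all of them.
xpsso_check_env() {
    rc=0

    # Required variables from the "Required Options" section.
    for v in PSSO_ISSUER OIDCISSUER PSSO_REDIRECT_URI PSSO_CLIENT_ID \
             PSSO_SCOPE PSSO_CLIENT_SECRET; do
        eval "val=\${$v:-}"
        if [ -z "$val" ]; then
            echo "missing required variable: $v" >&2
            rc=1
        elif [ "${val#*<}" != "$val" ] && [ "${val%>*}" != "$val" ]; then
            # A value such as <YOUR_CLIENT_ID_FROM_OIDC> was copied verbatim.
            echo "$v still contains a <PLACEHOLDER> from the guide" >&2
            rc=1
        fi
    done

    # Google Identity needs both scopes; check each as a whole word.
    for s in openid profile; do
        case " ${PSSO_SCOPE:-} " in
            *" $s "*) ;;
            *) echo "PSSO_SCOPE must include '$s' for Google Identity" >&2; rc=1 ;;
        esac
    done

    # With USE_HTTPS=true the service terminates TLS itself, so the key and
    # certificate chain must be present at the configured or default paths.
    if [ "${USE_HTTPS:-false}" = "true" ]; then
        key="${PSSO_TLSPRIVATEKEYPATH:-/etc/psso/privkey.pem}"
        chain="${PSSO_TLSCERTIFICATECHAINPATH:-/etc/psso/.fullchain.pem}"
        for f in "$key" "$chain"; do
            if [ ! -r "$f" ]; then
                echo "TLS file missing or unreadable: $f" >&2
                rc=1
            fi
        done
        # A private key readable by other local users undermines the TLS setup.
        if [ -r "$key" ] && [ -n "$(find "$key" -prune -perm -o+r 2>/dev/null)" ]; then
            echo "private key $key is world-readable; restrict it with chmod 600" >&2
            rc=1
        fi
    fi

    return $rc
}
```

Run the check from the same shell (or systemd/launchd wrapper) that sets the variables, so it sees exactly the environment the service will get; a non-zero exit should stop the launch rather than let the service come up with a partial configuration.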
MDM Setup
Setup with Mosyle
- Set up the device to auto enroll and create an admin and standard user:

- Install the PSSO profile during device enrollment:

- Install the Xpsso app during Automated Device Enrollment (ADE):

Jamf Pro
- Set up the MDM to install the Xpsso app and configuration profile during PreStage Enrollment:

- Set PreStage Enrollment to wait for the app to be installed before moving on by using the “Enable Simplified Setup for Platform Single Sign-on” option.

SimpleMDM
Set up the MDM to install the Xpsso app and configuration profile during PreStage Enrollment: