Apple's single sign-on (SSO) extension for macOS provides two main benefits for end users:

1. It keeps Mac login passwords synced with WCER (Active Directory) account passwords, meaning fewer passwords to remember, and making password changes easier, while also helping to reduce login keychain problems.
2. With SSO active, accessing WCER network shares is simplified as it does not require re-entering WCER credentials, hence the name "single sign-on".

Initial setup of the SSO extension requires the Mac to either be on a wired connection in a School of Education space, such as the Education Sciences building, or be connected to the GlobalProtect departmental VPN if connecting via WiFi from any location whether on campus or off campus.

The first time you log in to the Mac after the SSO extension is installed, a sign-in window will open automatically.
You may also click on the key-shaped SSO icon in the top menu bar and select Sign In to bring up the window.

Enter your WCER username in the Username field and your WCER password in the Password field, and click the Sign In button.

A new window will prompt for your Active Directory and Mac passwords, to verify that they match.
NOTE: Your WCER password is your Active Directory password.
Once entered, click on the Sync Password button.

If the passwords don't match, the extension will sync them by changing your Mac password to match your WCER password.
Regardless, you will see the window shown below:

IMPORTANT: This section is only relevant to users who are currently involved in the process of migrating from WCER/SoE Active Directory to UW's Campus Active Directory.

In order to be configured, the SSO Extension requires the Mac to either be on a wired connection in a School of Education space, such as the Education Sciences building or to be connected to the GlobalProtect VPN if connecting via WiFi from any location on campus or off campus.

The first time you log in to the Mac after the SSO extension is configured to use Campus Active Directory, you should be prompted to sign into AD.WISC.EDU.


You may also click on the key-shaped SSO icon in the top menu bar and Sign In if it does not.
NOTE: If you do not see the key-shaped SSO icon in your Mac's menu bar, email Research IT, and we will get your Mac ready for the migration.


Enter your NetID username and password, and click the Sign in button.

A new window will prompt you for your Active Directory and Mac passwords, to verify that they match. NOTE: Your NetID password is your Active Directory password.
Once entered, click on the Sync Password button.

If the passwords don't match, the extension will sync them by changing your Mac password to match your NetID password.
Once completed, you will see the window shown below:

If you click on the SSO Extension in the menu bar, you will now see that you are signed in as [yourNetID]@ad.wisc.edu

When you return from an offline or off-campus state (for example, the VPN was disconnected, or the Ethernet cable was unplugged) to an on-campus state, the SSO extension should automatically reconnect, but if it does not, click on the key-shaped SSO icon in the top menu bar and select Reconnect.

Users may change their WCER/SoE domain password from the SSO Extension at anytime so long as they are signed in. Clicking on the key-shaped icon in the menu bar reveals not only how many days remain until the password expires, but also whether they are currently signed in.

TIP: If not signed-in the SSO Extension icon as well as the Change Password... menu selection will appear "grayed-out".

Select Change Password... from the key shaped SSO Extension menu bar icon.

Enter your current password in the Old Password text field. Enter your desired password in the New Password field, and repeat it in the Verify Password field, then click the Change Password button.

You will see a window confirming that the change was successful and the passwords are synced when completed. 

Apple's Kerberos single sign-on (SSO) extension for macOS allows users to seamlessly connect and authenticate to the WCER/SoE Active Directory, without the need for binding to the domain. Devices must be managed with an MDM solution in order to install the SSO extension configuration. UW-Madison has chosen Workspace ONE as its MDM solution and all Macs purchased or re-issued by WCER starting in late 2021 have Workspace ONE installed by default.

The SSO extension requires macOS 10.15 (Catalina) or higher. It replaces Apple Enterprise Connect which is not supported beyond macOS 11 (Big Sur).

For questions about the SSO Extension or assistance, please contact WCER Research IT.

Email Research IT: Replacing Enterprise Connect with macOS SSO Extension