This guide applies to Mac computers
If you experience any issues with Passport & Okta, read through our Passport Troubleshooting with Okta article for more information.

About Passport with Okta

Passport with Okta enables users to log into Mac computers using their Okta credentials instead of separate local passwords. This integration streamlines authentication by connecting your Okta identity provider directly to macOS login.

How It Works

Passport integrates with your Okta organization to authenticate users at the macOS login screen. When users enter their Okta credentials, Passport verifies them against your Okta tenant and creates or updates the local Mac user account accordingly.

Okta Application Configuration

When configuring the Passport Library Item, you need the Client ID (Application ID) and the Identity provider URL. Use these steps to configure the OIDC app and collect the required information.

1. Access Applications: In your Okta Administrator Console, in the left menu pane, expand the Applications section and select Applications.
2. Create App Integration: Click Create App Integration.
3. Select Sign-in method: For Sign-in method, select OIDC - OpenID Connect.
4. Select Application Type: For Application Type, select Native Application.
5. Continue to next step: Click Next.
6. Enter app name: In the App integration name field, enter a name such as Iru Passport.
7. Configure Grant type: In the Grant type section, confirm that the checkbox for Refresh Token is deselected. This option must be turned off so that Passport prompts users to update their Mac password while logged in if their Okta password changes.
   The Store user password setting in the Passport Library Item must be set to Securely store password for users to receive the password update prompt.
8. Access Advanced options (if using OIE): If you’re using Okta Identity Engine, click Advanced to show additional options.
9. Select Resource Owner Password: In the Other grants section, select the checkbox for Resource Owner Password.
   If your Okta instance hasn’t yet been updated from Classic to Okta Identity Engine (OIE), the Interaction Code grant type and other options will not be displayed.
10. Add redirect URI: In the Sign-in redirect URIs section, click Add URI.
11. Enter redirect URI: In the new field that appears, enter the following:
    https://localhost.redirect
    The same Sign-in redirect URI must be used in the Passport Library Item, in the Redirect URI field of the Authentication mode section.
13. Configure assignments: In the Assignments section, select whether to assign the app integration to everyone in your org, only selected group(s), or skip assignment until after app creation.
15. Save configuration: Click Save.

Collecting Configuration Details

1. Prepare secure document: Open a secure text document that you can use to store values for this OIDC app. You will need these details when you configure the Passport Library Item.
2. Copy Client ID: In the General tab of the OIDC application you just created, on the right side of the Client ID field, click the copy icon (it looks like a clipboard).
4. Store Client ID: Paste the value into your secure text document.
5. Copy Identity provider URL formula: Copy the formula for your Identity provider URL from the following text:
   https://yourOktaDomain/.well-known/openid-configuration
6. Store Identity provider URL: Paste the text into your secure text document.
7. Replace domain placeholder: In your secure text document, replace yourOktaDomain with your Okta domain.

You do not need a custom Sign-On Policy Rule, but if you add one, ensure MFA is disabled.

With the Okta configuration complete, assign the app to the users who use Passport to sign in to their Mac systems, and go to the Iru Endpoint web app to configure the Passport Library Item.

Enable Multi-factor Authentication (MFA)

The MFA policy in Okta should be applied to Users or Groups, not to the Passport Application in Okta.
When using MFA with Passport, a few settings need to be modified in Okta, and in the Passport Library Item in your Iru Endpoint web app. Below are MFA instructions for Okta Identity Engine (OIE) and Classic Engine.

Okta Identity Engine

Okta Authenticators

1. Access Security section: Expand the Security section from the left-hand navigation.
2. Open Authenticators: Click Authenticators.
3. Verify MFA methods: Ensure that at least one multifactor authentication method, such as Okta Verify, is listed.
4. Add authenticator (if needed): If no multifactor method is listed, click the Add authenticator button.
6. Select authenticator: Click the Add button below the authenticator(s) that are needed.
8. Complete setup: Complete any additional steps for the authenticator.
9. Confirm addition: Click Add.

Okta Global Session Policy

1. Access Security section: Expand the Security section from the left-hand navigation.
2. Open Global Session Policy: Click Global Session Policy.
3. Create or edit policy: Click Add policy, or click the pencil to edit the existing Default Policy.
5. Configure MFA requirement: Set Multifactor authentication (MFA) is to Required.
6. Set MFA prompt frequency: Set Users will be prompted for MFA to At every sign in.
8. Save policy: Scroll down and click Update rule or Create rule.

Authentication Policies

1. Access Security section: Expand the Security section from the left-hand navigation.
2. Open Authentication Policies: Click Authentication Policies.
3. Access Applications: Click Applications.
4. Switch policy for Passport: Click Switch policy next to your Iru Passport application.
5. Select Password only policy: Select Password only for the Use this policy for Iru Passport policy.
6. Save policy: Click Save.

Classic Engine

Okta MFA Settings

1. Access Security section: Expand the Security section from the left-hand navigation.
2. Open Authentication: Click Authentication.
3. Access Sign On: Click Sign On.
4. Add new policy: Click Add New Okta Sign-on Policy.
6. Configure policy details: Enter a Policy name similar to MFA Required.
7. Add policy description: Enter a Policy Description.
8. Select groups: Select the groups that will be assigned to this MFA requirement.
9. Create policy: Click Create policy and add rule.
11. Enter rule name: Enter the Rule name.
12. Set MFA requirement: Select Required for the Multifactor authentication (MFA) is setting.
13. Set MFA frequency: Select At every sign in for the Users will be prompted for MFA setting.
15. Create rule: Click Create rule at the bottom of the window.

Library Item Settings

1. Enable Web Login: Select the radio button next to Web Login in order to support multi-factor authentication (MFA).
2. Enter redirect URI: In the Redirect URI field, enter the following:
   https://localhost.redirect
4. Save configuration: Click the Save button.

User Provisioning

Follow these steps if you plan to use the group information in Okta to determine the user account type. The groups you use in Okta don’t have to start with Mac-, but these steps use Mac- as an example.

1. Configure user account type: In the Passport Library Item, click the User account type menu in the User provisioning section and select Specified per identity provider group.
2. Select default account type: Select the Default account type from the drop-down.
3. Enter group names: In the Identity provider group fields, enter your Okta group names. This article uses groups that start with Mac- as an example.
4. Set account types: For each Identity provider group row, set the Account type as appropriate.

Next, in Okta, in your Passport OIDC application, use the following steps to configure the Groups claim filter, using groups that start with Mac- as an example.

1. Access Applications: In your Okta Administrator Console, in the left menu pane, expand the Applications section if necessary, then select Applications.
2. Select Passport application: Select the Iru Passport application that you previously created.
3. Open Sign On tab: Click the Sign On tab.
4. Edit ID Token: In the OpenID Connect ID Token section, click Edit.
6. Configure Groups claim filter: In the Groups claim filter section, leave the default value: groups.
7. Set filter condition: Leave the middle field at the default: Starts with.
8. Enter group prefix: In the right-most field, enter Mac (assuming the Okta groups you use or will use start with Mac).
10. Save configuration: Click Save.
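
The following Python is an added illustration, not code from this guide or from Passport or Okta, of how the two procedures above fit together: the Okta Groups claim filter decides which group names reach the ID token, and the Library Item's Identity provider group rows decide the account type, with the Default account type as the fallback. The group names, the account type labels and the first-matching-row-wins ordering are assumptions made for the example.

```python
"""Added model of group-based provisioning with Passport and Okta.

Okta's Groups claim filter (groups / Starts with / Mac) decides which of a user's
groups are emitted in the ID token; the Library Item's Identity provider group rows
map an emitted group to an account type, falling back to the Default account type.
"""

# Constructed sample of the Groups claim filter configured in this guide.
GROUPS_CLAIM_FILTER = {"claim": "groups", "match": "Starts with", "value": "Mac"}

# Constructed sample of the Identity provider group rows in the Passport Library
# Item; the account type labels are placeholders, not the real menu values.
GROUP_ACCOUNT_TYPES = [
    ("Mac-Admins", "administrator"),
    ("Mac-Users", "standard"),
]
DEFAULT_ACCOUNT_TYPE = "standard"


def apply_groups_claim_filter(okta_groups, claim_filter=GROUPS_CLAIM_FILTER):
    """Return the group names Okta would emit in the ID token for this filter."""
    if claim_filter["match"] != "Starts with":
        raise ValueError("only the Starts with condition from this guide is modelled")
    return [g for g in okta_groups if g.startswith(claim_filter["value"])]


def resolve_account_type(token_groups, rows=GROUP_ACCOUNT_TYPES,
                         default=DEFAULT_ACCOUNT_TYPE):
    """Map the ID token's groups claim to an account type.

    Assumption (the guide does not say how ties break): rows are checked top to
    bottom and the first match wins, so list the most privileged group first.
    """
    for group_name, account_type in rows:
        if group_name in token_groups:
            return account_type
    return default


def provision_account_type(okta_groups):
    """End to end for one user: Okta filter first, then the Passport mapping."""
    return resolve_account_type(apply_groups_claim_filter(okta_groups))


if __name__ == "__main__":
    # The prefix Mac also matches MacBook-Loaners: that group reaches the token but
    # has no row in the Library Item, so the user gets the default account type.
    for groups in (["Everyone", "Mac-Admins", "Mac-Users"], ["Everyone", "MacBook-Loaners"]):
        print(groups, "->", apply_groups_claim_filter(groups), "->", provision_account_type(groups))
```

The MacBook-Loaners case shows why the prefix entered in the filter deserves a moment's thought: a filter of Mac is broader than the Mac- naming convention, so any group sharing that prefix is exposed in the token even though it plays no part in the account type decision.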

Troubleshooting Issues with Passport & Okta

If you experience any issues with Passport & Okta, read our Passport Troubleshooting with Okta article for additional information.