Skip to main content
This guide applies to Mac computers
If you experience any issues with Passport & Okta, read through our Passport Troubleshooting with Okta article for more information.

About Passport with Okta

Passport with Okta enables users to log into Mac computers using their Okta credentials instead of separate local passwords. This integration streamlines authentication by connecting your Okta identity provider directly to macOS login.

How It Works

Passport integrates with your Okta organization to authenticate users at the macOS login screen. When users enter their Okta credentials, Passport verifies them against your Okta tenant and creates or updates the local Mac user account accordingly.

Okta Application Configuration

When configuring the Passport Library Item, you need the Client ID(Application ID) and Identity provider URL. Use these steps to configure the OIDC app and collect the required information.
1

Access Applications

In your Okta Administrator Console, in the left menu pane, expand the Applications section and select Applications.
2

Create App Integration

Click Create App Integration.
3

Select Sign-in method

For Sign-in method, select OIDC - OpenID Connect.
4

Select Application Type

For Application Type, select Native Application.
5

Continue to next step

Click Next.
6

Enter app name

In the App integration name field, enter a name such as Iru Passport.
7

Configure Grant type

In the Grant type section, confirm that the checkbox for Refresh Token is deselected. This option must be turned off to ensure that Passport prompts users to update their Mac password while logged in if their Okta password changes.
The Store user password setting in the Passport Library Item needs to be set to Securely store password for users to receive the password update prompt.
8

Access Advanced options (if using OIE)

If you’re using Okta Identity Engine, click Advanced to show additional options.
9

Select Resource Owner Password

In the Other grants section, select the checkbox for Resource Owner Password.
If your Okta instance hasn’t yet been updated from Classic to Okta Identity Engine (OIE), the Interaction Code grant type and other options, will not be displayed.
10

Add redirect URI

In the Sign-in redirect URIs section, click Add URI.
11

Enter redirect URI

In the new field that appears, enter the following:
https://localhost.redirect
The same Sign-in redirect URI must be used in the Passport Library Item in the Redirect URI field in the Authentication mode section.
12
13

Configure assignments

In the Assignments section, select whether to assign the app integration to everyone in your org, only selected group(s), or skip assignment until after app creation.
14
15

Save configuration

Click Save.

Collecting Configuration Details

1

Prepare secure document

Open a secure text document that you can use to store values for this OIDC app. You will need these details when you configure the Passport Library Item.
2

Copy Client ID

In the General tab of the OIDC application you just created, on the right side of the Client ID field, click the copy icon (looks like a clipboard).
3
4

Store Client ID

Paste the value into your secure text document.
5

Copy Identity provider URL formula

Copy the formula for your Identity provider URL from the following text:
https://yourOktaDomain/.well-known/openid-configuration
6

Store Identity provider URL

Paste the text into your secure text document.
7

Replace domain placeholder

In your secure text document, replace yourOktaDomain with your Okta domain.
You do not need a custom Sign-On Policy Rule, but if you add one, ensure MFA is disabled.
With the Okta configuration complete, assign the app to the users using Passport to sign in to their Mac systems, and go to the Iru Endpoint web app to configure the Passport library item.

Enable Multi-factor Authentication (MFA)

The MFA policy in Okta should be applied to Users or Groups, not to the Passport Application in Okta.
When using MFA with Passport, a few settings need to be modified in Okta, and in the Passport Library Item in your Iru Endpoint web app. Below are MFA instructions for Okta Identity Engine (OIE) and Classic Engine.

Okta Identity Engine

Okta Authenticators
1

Access Security section

Expand the Security section from the lefthand navigation.
2

Open Authenticators

Click Authenticators.
3

Verify MFA methods

Ensure that at least one multifactor authentication method, such as Okta Verify, is listed.
4

Add authenticator (if needed)

If no multifactor method is listed, click the Add authenticator button.
5
6

Select authenticator

Click the Add button below the authenticator(s) that are needed.
7
8

Complete setup

Complete any additional steps for the authenticator.
9

Confirm addition

Click Add.
Okta Global Session Policy
1

Access Security section

Expand the Security section from the lefthand navigation.
2

Open Global Session Policy

Click Global Session Policy.
3

Create or edit policy

Click Add policy, or click the pencil to edit the existing Default Policy.
4
5

Configure MFA requirement

Set Multifactor authentication (MFA) is to Required.
6

Set MFA prompt frequency

Set Users will be prompted for MFA to At every sign in.
7
8

Save policy

Scroll down and click Update rule or Create rule.
Authentication Policies
1

Access Security section

Expand the Security section from the lefthand navigation.
2

Open Authentication Policies

Click Authentication Policies.
3

Access Applications

Click Applications.
4

Switch policy for Passport

Click Switch policy next to your Iru Passport application.
5

Select Password only policy

Select Password only for the Use this policy for Iru Passport policy.
6

Save policy

Click Save.

Classic Engine

Okta MFA Settings
1

Access Security section

Expand the Security section from the lefthand navigation.
2

Open Authentication

Click Authentication.
3

Access Sign On

Click Sign On.
4

Add new policy

Click Add New Okta Sign-on Policy.
5
6

Configure policy details

Enter a Policy name similar to MFA Required.
7

Add policy description

Enter a Policy Description.
8

Select groups

Select the groups that will be assigned to this MFA requirement.
9

Create policy

Click Create policy and add rule.
10
11

Enter rule name

Enter the Rule name.
12

Set MFA requirement

Select Required for the Multifactor authentication (MFA) is setting.
13

Set MFA frequency

Select At every sign in for the Users will be prompted for MFA setting.
14
15

Create rule

Click Create rule at the bottom of the window.

Library Item Settings

1

Enable Web Login

Select the radio button next to Web Login in order to support multi-factor authentication (MFA).
2

Enter redirect URI

In the Redirect URI field, enter the following:
https://localhost.redirect
3
4

Save configuration

Click the Save button.

User Provisioning

Follow these steps if you plan to use the Group information in Okta to determine the user account type. The groups you use in Okta don’t have to start with *Mac-*but these steps use Mac- as an example.
1

Configure user account type

In the Passport Library Item, click the User account type menu in the User provisioning section and select Specified per identity provider group.
2

Select default account type

Select the Default account type from the drop-down.
3

Enter group names

In the Identity provider group fields, enter your Okta group names. This article uses groups that start with Mac- as an example.
4

Set account types

For each Identity provider group row, set the Account type as appropriate.
Next, In Okta, in your Passport OIDC application, use the following steps to configure the Group claim filter to start with Mac- as an example.
1

Access Applications

In your Okta Administrator Console, in the left menu pane, expand the Applications section if necessary, then select Applications.
2

Select Passport application

Select the Iru Passport application that you previously created.
3

Open Sign On tab

Click the Sign On tab.
4

Edit ID Token

In the OpenID Connect ID Token section, click Edit.
5
6

Configure Groups claim filter

In the Groups claim filter section, leave the default value: groups.
7

Set filter condition

Leave the middle field at the default: Starts with.
8

Enter group prefix

In the right-most field, enter Mac (assuming the Okta groups you use or will use start with Mac).
9
10

Save configuration

Click Save.

Troubleshooting Issues with Passport & Okta

If you experience any issues with Passport & Okta, read our Passport Troubleshooting with Okta article for additional information.