Configure Passport with Okta in Iru Endpoint for macOS login and password synchronization. Set up the Okta app integration and authentication settings.
Passport with Okta enables users to log into Mac computers using their Okta credentials instead of separate local passwords. This integration streamlines authentication by connecting your Okta identity provider directly to macOS login.
Passport integrates with your Okta organization to authenticate users at the macOS login screen. When users enter their Okta credentials, Passport verifies them against your Okta tenant and creates or updates the local Mac user account accordingly.
When configuring the Passport Library Item, you need the Client ID and Identity provider URL. In Okta, the client identifier may be labeled Application ID. Use these steps to configure the OIDC app and collect the required information.
1. Access Applications: In your Okta Administrator Console, in the left menu pane, expand the Applications section and select Applications.
2. Create App Integration: Click Create App Integration.
3. Select Sign-in method: For Sign-in method, select OIDC - OpenID Connect.
4. Select Application Type: For Application Type, select Native Application.
5. Continue to next step: Click Next.
6. Enter app name: In the App integration name field, enter a name such as Iru Passport.
7. Configure Grant type: In the Grant type section, confirm that the checkbox for Refresh Token is deselected. This option must be turned off so that Passport prompts users to update their Mac password while logged in if their Okta password changes.
   The Store user password setting in the Passport Library Item must be set to Securely store password for users to receive the password update prompt.
8. Access Advanced options when using OIE: If you’re using Okta Identity Engine, click Advanced to show additional options.
9. Select Resource Owner Password: In the Other grants section, select the checkbox for Resource Owner Password.
   If your Okta instance hasn’t yet been updated from Classic to Okta Identity Engine, also referred to as OIE, the Interaction Code grant type and other options will not be displayed.
10. Add redirect URI: In the Sign-in redirect URIs section, click Add URI.
11. Enter redirect URI: In the new field that appears, enter the following:
    https://localhost.redirect
    The same Sign-in redirect URI must be used in the Passport Library Item, in the Redirect URI field of the Authentication mode section.
12. Configure assignments: In the Assignments section, select whether to assign the app integration to everyone in your org, only to selected groups, or skip assignment until after app creation.
1. Open a secure text document that you can use to store values for this OIDC app. You will need these details when you configure the Passport Library Item.
2. Copy Client ID: In the General tab of the OIDC application you just created, on the right side of the Client ID field, click the copy icon that looks like a clipboard.
3. Store Client ID: Paste the value into your secure text document.
4. Copy Identity provider URL formula: Copy the formula for your Identity provider URL from the following text:
1. Expand the Security section from the left-hand navigation.
2. Open Authenticators: Click Authenticators.
3. Verify MFA methods: Ensure that at least one multifactor authentication method, such as Okta Verify, is listed.
4. Add authenticator when needed: If no multifactor method is listed, click the Add authenticator button.
5. Select authenticator: Click the Add button below each authenticator you need.
6. Complete setup: Complete any additional steps for the authenticator.
7. Confirm addition: Click Add.
Okta Global Session Policy
1. Access Security section: Expand the Security section from the left-hand navigation.
2. Open Global Session Policy: Click Global Session Policy.
3. Create or edit policy: Click Add policy to create a new policy, or to edit the existing Default Policy, continue to the next step.
4. Edit existing Default Policy: To edit the existing Default Policy, click the pencil icon in the Actions column for the Default Rule.
5. Set MFA requirement: Set multifactor authentication to Required.
6. Set MFA prompt frequency: Set Users will be prompted for MFA to At every sign in.
7. Save policy: Scroll down and click Update rule or Create rule.
Authentication Policies
1. Access Security section: Expand the Security section from the left-hand navigation.
2. Open Authentication Policies: Click Authentication Policies.
3. Access Applications: Click Applications.
4. Switch policy for Passport: Click Switch policy next to your Iru Passport application.
5. Select Password only policy: Select Password only for the Use this policy for Iru Passport policy.
6. Save policy: Click Save.
Classic Engine
Okta MFA Settings
1. Access Security section: Expand the Security section from the left-hand navigation.
2. Open Authentication: Click Authentication.
3. Access Sign On: Click Sign On.
4. Add new policy: Click Add New Okta Sign-on Policy.
5. Configure policy details: Enter a Policy name similar to MFA Required.
6. Add policy description: Enter a Policy Description.
7. Select groups: Select the groups that will be assigned to this MFA requirement.
8. Create policy: Click Create policy and add rule.
9. Enter rule name: Enter the Rule name.
10. Set MFA requirement: Select Required for multifactor authentication.
11. Set MFA frequency: Select At every sign in for the Users will be prompted for MFA setting.
12. Create rule: Click Create rule at the bottom of the window.
Switch to the Iru Endpoint tab and work through the Passport Library Item steps there. Start at the top of that tab. When you are done, return to this tab and continue with Configure the Group Claim Filter in Okta below.
In your Passport OIDC application, configure the Groups claim filter so Okta sends the group claims Passport expects. This article uses names starting with Mac- as an example.
1. Access Applications: In your Okta Administrator Console, in the left menu pane, expand the Applications section if necessary, then select Applications.
2. Select Passport application: Select the Iru Passport application that you previously created.
3. Open Sign On tab: Click the Sign On tab.
4. Edit ID Token: In the OpenID Connect ID Token section, click Edit.
5. Configure Groups claim filter: In the Groups claim filter section, leave the default value: groups.
6. Set filter condition: Leave the middle field at the default: Starts with.
7. Enter group prefix: In the right-most field, enter Mac if the Okta groups you use or will use start with Mac.
8. Save configuration: Click Save.
If you have not already, use Configure the Passport Library Item to add the Passport Library Item and basic settings. The steps below are the Iru Endpoint configuration specific to Okta Passport.
Set Authentication mode in the Passport Library Item to match how users sign in with Okta. Use Web Login when MFA applies, and Mac Login when it does not. Complete the steps below first, using the values you collected on the Okta tab. Then follow Web Login or Mac Login.
1. Select Okta identity provider: In the Passport Library Item, set Identity provider to Okta.
2. Enter Identity provider URL: In the Identity provider URL field, enter your Okta OIDC well-known configuration URL from the Okta tab. It follows this pattern:
If you are not using MFA with Passport, use Mac Login as the authentication mode. Users sign in with their Okta password at the Mac login window without the Web Login MFA flow.
If you want Passport to set each user’s Mac account type from Okta group membership, use the User provisioning steps below on the Passport Library Item Iru Endpoint tab. The groups you use in Okta do not have to start with Mac-, but the example groups in this article use that prefix.
1. Configure user account type: In the Passport Library Item, click the User account type menu in the User provisioning section and select Specify per identity provider group.
2. Choose fallback account type: With User account type set to Specify per identity provider group, open the account type drop-down below it and select Administrator or Standard user. If a user’s IdP group membership returns both Administrator and Standard account types, the user is designated an Administrator.
3. Enter group names: In the Identity provider group fields, enter your Okta group names. This article uses groups that start with Mac- as an example.
4. Set account types: For each Identity provider group row, set the Account type as appropriate.
When User provisioning and related saves are complete in the Passport Library Item, switch back to the Okta tab and complete Configure the Group Claim Filter in Okta if you have not already. Start at the top of that tab if you need the full flow.
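To show how the Groups claim filter configured in Okta (Starts with Mac) and the per-group Account type rows in the Passport Library Item combine, here is an added Python example; it is not Passport or Okta code. It models the filter, inspects a constructed unsigned sample ID token, and applies the rule that a user matching both Administrator and Standard user rows is designated an Administrator; the group names, fallback value and token layout are assumptions for illustration.

```python
import base64
import json

GROUP_PREFIX = "Mac"  # the "Starts with" value entered in the Groups claim filter


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def build_sample_id_token(groups):
    """Construct an unsigned, JWT-shaped ID token for demonstration only.
    Real Okta ID tokens are signed; this is constructed sample data."""
    header = _b64url(json.dumps({"alg": "none"}).encode())
    payload = _b64url(json.dumps({"sub": "user@example.com", "groups": groups}).encode())
    return f"{header}.{payload}."


def decode_id_token_payload(id_token):
    """Read the payload of a JWT-shaped token without verifying the signature.
    Only for inspecting the constructed sample; real tokens must be verified."""
    payload_b64 = id_token.split(".")[1]
    payload_b64 += "=" * (-len(payload_b64) % 4)
    return json.loads(base64.urlsafe_b64decode(payload_b64))


def filter_groups_claim(all_groups, prefix=GROUP_PREFIX):
    """Model Okta's groups claim filter with the 'Starts with' condition:
    only group names beginning with the prefix are placed in the claim."""
    return [g for g in all_groups if g.startswith(prefix)]


def resolve_account_type(groups_claim, group_account_types, fallback):
    """Map the groups claim to a Mac account type using the Library Item rows.
    group_account_types: {group name: "Administrator" | "Standard user"}.
    If membership matches rows of both types, Administrator wins, as the
    page states; with no matching row the fallback account type applies."""
    matched = {group_account_types[g] for g in groups_claim if g in group_account_types}
    if "Administrator" in matched:
        return "Administrator"
    if "Standard user" in matched:
        return "Standard user"
    return fallback


if __name__ == "__main__":
    rows = {"Mac-Admins": "Administrator", "Mac-Staff": "Standard user"}  # constructed
    okta_groups = ["Everyone", "Mac-Admins", "Mac-Staff", "Finance"]  # constructed
    claim = decode_id_token_payload(build_sample_id_token(filter_groups_claim(okta_groups)))["groups"]
    print(claim, "->", resolve_account_type(claim, rows, "Standard user"))
```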