Skip to main content
This guide applies to Mac computers
If you experience any issues with Passport & OneLogin, read through our Passport Troubleshooting with OneLogin article for more information.

About Passport with OneLogin

Passport with OneLogin enables users to log into Mac computers using their OneLogin credentials. This integration provides secure authentication using your organization’s OneLogin identity system with support for both standard and multi-factor authentication.

How It Works

Passport integrates with your OneLogin instance using OpenID Connect (OIDC) to authenticate users at the macOS login screen. The configuration varies depending on whether you use multi-factor authentication, requiring different OIDC applications for different authentication modes. The number of OIDC apps you need to create in OneLogin depends on the authentication mode your Passport library item uses.
  • If you do not use multi-factor authentication (MFA) with OneLogin, you need to configure only one OIDC app (for password sync).
  • If you do use multi-factor authentication (MFA) with OneLogin, you need to create two apps: the app mentioned above, and an additional OIDC app for the Web Login authentication mode.
The number of OIDC apps you need to create in OneLogin depends on the authentication mode your Passport library item uses. Use these steps to configure the app that Passport will use to keep the Mac password in sync with the OneLogin password. This is required for both authentication modes (Mac Login and Web Login). You can assign whatever names you like for the OIDC apps you create; our documentation uses the following names:
  • Iru Passport Mac Login
  • Iru Passport Web Login
According to the OneLogin support article Introduction to App Management, in order to add apps, you need to use a OneLogin account that is either a Super User or Account Owner.
If you already configured Passport for the first iteration of Iru Passport, you can go directly to the section: Configure an OIDC app for Iru Passport Web Login

Configure an OIDC App for Iru Passport Mac Login

Use these steps to configure the app that Passport will use to keep the Mac password in sync with the OneLogin password. This is required for both authentication modes (Mac Login and Web Login).
1

Log in to OneLogin

Log in to OneLogin as an Account owner or Super user.
2

Navigate to Applications

In your OneLogin admin console, navigate to the Applications page.
3

Add new app

In the upper-right corner, click Add App.
4

Search for OIDC

In the search field in the upper-left corner, enter OIDC.
5

Select OpenID Connect

Select OpenId Connect (OIDC).
6

Configure app details

In the Display Name field, enter a descriptive name such as Iru Passport Mac Login.
7

Set visibility

Click the Visible in portal switch to the Off position; this app does not need to be visible in order for Passport to work, and it might be confusing for a user to see this app in their OneLogin portal.
8

Save app

Click Save.
9

Access Configuration

In the left sidebar, click Configuration.
10

Enter redirect URI

In the Redirect URI’s field, enter the following:
https://localhost.redirect
Passport doesn’t require this value, but you cannot save the app configuration without some value in the Redirect URI’s field.
11

Access SSO settings

In the left sidebar, click SSO.
12

Set Application Type

Click the Application Type menu and select Native.
13

Set Token Endpoint

Click the Token Endpoint menu and select None (PKCE).
14

Save SSO configuration

Click Save.

Collecting Configuration Details

1

Prepare secure document

Open a secure text document that you can use to store values for this OIDC app. You will need the Client ID and Issuer URL details when you configure the Passport library item (you don’t need the client secret).
2

Copy Client ID

To the right of the Client ID field, click the Copy to Clipboard button (looks like a clipboard).
3

Store Client ID

Paste the Client ID into the secure text document.
4

Copy Issuer URL

Right-click (or Control-click) the Well-known Configuration link and copy its value.
The Issuer URL contains the start of the well-known configuration for this OIDC app, which uses the following pattern:
https://<subdomain>.onelogin.com/oidc/2/.well-known/openid-configuration
5

Store Issuer URL

Paste the Issuer URL into the secure text document.
6

Save document

Save the secure text document.
7

Assign app to users

In OneLogin, assign the app to the users or groups who will be using Passport to log in to their Mac computers.
If you are using Iru Passport Web Login, continue with the next section. Otherwise, if you’re not using Iru Passport Web Login, go to the Iru Endpoint web app to configure the Passport library item.

Configure an OIDC App for Iru Passport Web Login

Configure the POST OIDC app that Passport uses to allow users to enter an additional factor of authentication when they log in to their Mac.
1

Navigate to Applications

In your OneLogin admin console, navigate to the Applications page.
2

Add new app

In the upper-right corner, click Add App.
If the Add App button does not appear, it’s possible that you previously clicked See the new apps list. To make OneLogin display the Add App button, remove the string /admin2 from the URL. For example, instead of https://accuhive.onelogin.com/admin2/apps, use https://accuhive.onelogin.com/apps.
3

Search for OIDC

In the search field in the upper-left corner, enter OIDC.
4

Select OpenID Connect

Select OpenID Connect (OIDC).
5

Configure app details

In the Display Name field, enter a descriptive name such as Iru Passport Web Login.
6

Set visibility

Click the Visible in portal switch to the Off position; this app does not need to be visible in order for Passport to work, and it might be confusing for a user to see this app in their OneLogin portal.
7

Save app

Click Save.
8

Access Configuration

In the left sidebar, click Configuration.
9

Enter redirect URI

In the Redirect URI’s field, enter the following:
https://localhost.redirect
10

Access SSO settings

In the left sidebar, click SSO.
11

Set Application Type

Click the Application Type menu and select Native.
12

Set Authentication Method

In the Token Endpoint section, click the Authentication Method menu and select POST.
13

Save SSO configuration

Click Save.

Collecting Web Login Configuration Details

1

Prepare secure document

Open a secure text document that you can use to store values for this OIDC app. You will need the Client ID and Client Secret for this POST app when you configure the Passport library item. If you already have a secure document open from configuring the previous OIDC app, add a note that the new values are for the OIDC app for the Web Login authentication mode.
2

Copy Client ID

Copy the contents of the Client ID field.
3

Store Client ID

Paste the Client ID into the secure text document.
4

Show client secret

Click Show client secret.
5

Copy client secret

Copy the client secret.
6

Store client secret

Paste the client secret into the secure text document.
7

Save document

Save the secure document.
8

Assign app to users

In OneLogin, assign the app to the users or groups who will be using Passport to log in to their Mac computers with the Passport library item with the authentication mode set to Web Login.

Configuring a User Account Type by Identity Provider Group in OneLogin

When configuring whether a user will be a standard user or an admin user, you will need to follow the step below.
1

Access Roles

Log in to your OneLogin Console. Select Users > Roles.
2
3

Create new role

Select New Role on the top right of the screen, and name your role. (You will want to make sure your role name matches the IDP group name that you are using in your Iru Passport configuration). In this example, I used Passport Admin Users. Finally, select your Iru Passport app that you created in OneLogin and click Save, on the top right of the screen.
4
5

Configure app parameters

Next, navigate to the Iru Passport app that you created in OneLogin. Select the parameters link and click on the Groups field.
6
7

Set default value

In the “Default if no value selected” section, select User Roles from the drop down list and make sure Semicolon Delimited Input is selected. Click Save.
8
9

Assign users to role

Finally, make sure your users are part of the role that you are creating, as well as a member of the Iru Passport application in OneLogin. To add a user to a role, you will need to select Users>Roles>Passport Admin Users in my example, select the Users link, search for the user, click the blue check box, click the Add to Role link, and then click Save at the top right of the page.
This is what your passport library item should look like if you are using the role, created above, to create admin users.
With the OneLogin configuration complete, go to the Iru Endpoint web app to configure the Passport library item.

Troubleshooting Issues with Passport & OneLogin

If you experience any issues with Passport & OneLogin, read through our Passport Troubleshooting with OneLogin article for additional information.