
This guide applies to Mac computers

About Passport with OneLogin

Passport with OneLogin enables users to log into Mac computers using their OneLogin credentials. This integration provides secure authentication using your organization’s OneLogin identity system with support for both standard and multi-factor authentication.

How It Works

Passport integrates with your OneLogin instance using OpenID Connect (OIDC) to authenticate users at the macOS login screen. Whether you need MFA for Passport sign-in determines how many OIDC applications you create in OneLogin and whether you set Authentication mode to Web Login or Mac Login in the Passport Library Item.

Prerequisites

  • To add apps in OneLogin, use an account that is a Super User or Account Owner.

Configure an OIDC App

If you do not need MFA for Passport sign-in, set Authentication mode to Mac Login in the Passport Library Item and follow only the Mac Login section (skip Web Login). If you need MFA at sign-in, set Authentication mode to Web Login. You must create two OIDC apps in OneLogin: Mac Login first (sign-in and password sync to the Mac), then Web Login (MFA in the embedded web view). Follow the Mac Login section, then the Web Login section, in that order.

Mac Login

Create the Mac Login OIDC application in OneLogin. This article uses the display name Iru Passport Mac Login. Every deployment uses this app. With Mac Login as the authentication mode, it is the only OneLogin OIDC app you add in this guide. With Web Login (MFA), add this app first, then continue to Web Login.

1. Log in to OneLogin

Log in to OneLogin as an Account owner or Super user.

2. Navigate to Applications

In your OneLogin admin console, navigate to the Applications page.

3. Add new app

In the upper-right corner, click Add App.

4. Search for OIDC

In the search field in the upper-left corner, enter OIDC.

5. Select OpenID Connect

Select OpenID Connect (OIDC).

6. Configure app details

In the Display Name field, enter a descriptive name such as Iru Passport Mac Login.

7. Set visibility

Click the Visible in portal switch to the Off position; this app does not need to be visible in order for Passport to work, and it might be confusing for a user to see this app in their OneLogin portal.

8. Save app

Click Save.

9. Access Configuration

In the left sidebar, click Configuration.

10. Enter redirect URI

In the Redirect URIs field, enter the following:

https://localhost.redirect

Passport doesn’t require this value, but you cannot save the app configuration without some value in the Redirect URIs field.

11. Access SSO settings

In the left sidebar, click SSO.

12. Set Application Type

Click the Application Type menu and select Native.

13. Set Token Endpoint

Click the Token Endpoint menu and select None (PKCE).

14. Save SSO configuration

Click Save.

Collecting configuration details for Mac Login

1. Prepare secure document

This OIDC app keeps the Mac password in sync with OneLogin. Open a secure text document that you can use to store values for this OIDC app. You will need the Client ID and Issuer URL details when you configure the Passport Library Item (you don’t need the client secret).

2. Copy Client ID

To the right of the Client ID field, click the Copy to Clipboard button (looks like a clipboard).

3. Store Client ID

Paste the Client ID into the secure text document.

4. Copy Issuer URL

Right-click (or Control-click) the Well-known Configuration link and copy its value. The Issuer URL is your OIDC well-known configuration endpoint and follows this pattern:

https://{subdomain}.onelogin.com/oidc/2/.well-known/openid-configuration

5. Store Issuer URL

Paste the Issuer URL into the secure text document.

6. Save document

Save the secure text document.

7. Assign app to users

In OneLogin, assign the app to the users or groups who will be using Passport to log in to their Mac computers.

If you are not using Web Login (no MFA), skip the Web Login section below, then continue with Configuring a User Account Type by Identity Provider Group in OneLogin if you need role-based account types, then open the Iru Endpoint tab.

Web Login

Use this section only when Authentication mode is Web Login (MFA). After you finish Mac Login, create the second OIDC app here. This article uses the display name Iru Passport Web Login.
1. Navigate to Applications

In your OneLogin admin console, navigate to the Applications page.

2. Add new app

In the upper-right corner, click Add App.

If the Add App button does not appear, it’s possible that you previously clicked See the new apps list. To make OneLogin display the Add App button, remove the string /admin2 from the URL. For example, instead of https://accuhive.onelogin.com/admin2/apps, use https://accuhive.onelogin.com/apps.

3. Search for OIDC

In the search field in the upper-left corner, enter OIDC.

4. Select OpenID Connect

Select OpenID Connect (OIDC).

5. Configure app details

In the Display Name field, enter a descriptive name such as Iru Passport Web Login.

6. Set visibility

Click the Visible in portal switch to the Off position; this app does not need to be visible in order for Passport to work, and it might be confusing for a user to see this app in their OneLogin portal.

7. Save app

Click Save.

8. Access Configuration

In the left sidebar, click Configuration.

9. Enter redirect URI

In the Redirect URIs field, enter the following:

https://localhost.redirect

10. Access SSO settings

In the left sidebar, click SSO.

11. Set Application Type

Click the Application Type menu and select Native.

12. Set Authentication Method

In the Token Endpoint section, click the Authentication Method menu and select POST. POST is required so users can complete MFA in the web view at Mac sign-in.

13. Save SSO configuration

Click Save.

Collecting configuration details for Web Login

1. Prepare secure document

This OIDC app supplies the Web Login fields for the Passport Library Item. Open a secure text document that you can use to store values for this OIDC app. You will need the Client ID and Client Secret for this POST app when you configure the Passport Library Item. If you already have a secure document from the Mac Login OIDC app, add a note that the new values are for the Web Login OIDC app.

2. Copy Client ID

Copy the contents of the Client ID field.

3. Store Client ID

Paste the Client ID into the secure text document.

4. Show client secret

Click Show client secret.

5. Copy client secret

Copy the client secret.

6. Store client secret

Paste the client secret into the secure text document.

7. Save document

Save the secure document.

8. Assign app to users

In OneLogin, assign the app to the users or groups who will sign in with Web Login (MFA).
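Before you paste the Issuer URL and client details into the Passport Library Item, it is worth confirming that the tenant's discovery document actually advertises what each app relies on: a public client with PKCE (S256) for the Mac Login app set to None (PKCE), and POST client authentication for the Web Login app set to POST. The following is an added example, not Iru's or OneLogin's code. SAMPLE_DISCOVERY is a constructed document whose shape follows the OIDC Discovery specification; "example-subdomain" is a placeholder tenant name, and the endpoint paths in it are illustrative, not documented OneLogin values.

```python
import json
import urllib.request
from urllib.parse import urlparse

# Constructed sample discovery document (not a real OneLogin response).
# "example-subdomain" is a placeholder; endpoint paths are illustrative.
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://example-subdomain.onelogin.com/oidc/2",
    "authorization_endpoint": "https://example-subdomain.onelogin.com/oidc/2/auth",
    "token_endpoint": "https://example-subdomain.onelogin.com/oidc/2/token",
    "jwks_uri": "https://example-subdomain.onelogin.com/oidc/2/certs",
    "response_types_supported": ["code", "id_token", "id_token token"],
    "code_challenge_methods_supported": ["S256"],
    "token_endpoint_auth_methods_supported": [
        "client_secret_basic", "client_secret_post", "none"],
})

WELL_KNOWN_SUFFIX = "/.well-known/openid-configuration"


def well_known_url(issuer):
    """OIDC Discovery places the configuration document at issuer + well-known path."""
    return issuer.rstrip("/") + WELL_KNOWN_SUFFIX


def fetch_discovery(url, timeout=10):
    """Download a discovery document (needs network; the checks below run offline)."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def check_discovery(doc_json, expected_well_known, mode):
    """Return a list of problems; empty when the document supports the chosen mode.

    mode="mac": Token Endpoint = None (PKCE), i.e. a public client using S256.
    mode="web": Authentication Method = POST, i.e. client_secret_post at the token endpoint.
    """
    if mode not in ("mac", "web"):
        raise ValueError("mode must be 'mac' or 'web'")
    doc = json.loads(doc_json)
    problems = []

    # The issuer inside the document must be the tenant whose well-known URL you
    # stored; a mismatch means tokens would come from a tenant you did not configure.
    issuer = doc.get("issuer", "")
    if well_known_url(issuer) != expected_well_known:
        problems.append("issuer %r does not match the Issuer URL you stored" % issuer)

    # Every endpoint the Mac will talk to must be served over https.
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        url = doc.get(key)
        if not url or urlparse(url).scheme != "https":
            problems.append("%s missing or not https: %r" % (key, url))

    if "code" not in doc.get("response_types_supported", []):
        problems.append("authorization code flow is not advertised")

    auth_methods = doc.get("token_endpoint_auth_methods_supported", [])
    if mode == "mac":
        if "S256" not in doc.get("code_challenge_methods_supported", []):
            problems.append("PKCE method S256 is not advertised")
        if "none" not in auth_methods:
            problems.append("token endpoint does not accept public clients (auth method 'none')")
    else:
        if "client_secret_post" not in auth_methods:
            problems.append("token endpoint does not accept POST client authentication")
    return problems


if __name__ == "__main__":
    expected = "https://example-subdomain.onelogin.com/oidc/2" + WELL_KNOWN_SUFFIX
    for mode in ("mac", "web"):
        print(mode, check_discovery(SAMPLE_DISCOVERY, expected, mode) or "OK")
```

To check a real tenant, pass the Issuer URL you copied in step 4 of the Mac Login section as expected_well_known and feed the output of fetch_discovery for that same URL to check_discovery; run it once with mode "mac" and, if you use Web Login, once with mode "web". Any non-empty list means the Passport Library Item will be pointed at settings the tenant does not support.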

Configuring a User Account Type by Identity Provider Group in OneLogin

Use this section when you map OneLogin roles to standard or administrator Mac accounts in Passport. It applies to both Mac Login (no MFA) and Web Login (MFA). To configure whether a user will be a standard user or an admin user, follow the steps below.
1. Access Roles

Log in to your OneLogin Console. Select Users > Roles.

[Screenshot: OneLogin Console Users and Roles section showing the New Role option for the Passport user account type]

2. Create new role

Select New Role on the top right of the screen, and name your role. (Make sure your role name matches the IDP group name that you are using in your Iru Passport configuration.) In this example, the role is named Passport Admin Users. Finally, select the Iru Passport app that you created in OneLogin and click Save on the top right of the screen.

[Screenshot: OneLogin New Role dialog showing the role name and Iru Passport app selection with the Save button]

3. Configure app parameters

Next, navigate to the Iru Passport app that you created in OneLogin. Select the Parameters link and click the Groups field.

[Screenshot: OneLogin Iru Passport app parameters showing the Groups field for role mapping]

4. Set default value

In the “Default if no value selected” section, select User Roles from the drop-down list and make sure Semicolon Delimited Input is selected. Click Save.

[Screenshot: OneLogin Groups parameter configuration showing Default if no value selected with User Roles and Semicolon Delimited Input]

5. Assign users to role

Finally, make sure your users are part of the role that you are creating, as well as members of the Iru Passport application in OneLogin. To add a user to a role, select Users > Roles > your role name (for example, Passport Admin Users), select the Users link, search for the user, click the blue check box, click the Add to Role link, and then click Save at the top right of the page.

[Screenshot: OneLogin Users and Roles showing the Add to Role link for assigning users to the Passport role]
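The steps above make OneLogin send the user's role names as one semicolon-delimited value in the Groups parameter, and the role name has to match the group name in the Passport configuration character for character. The following added example (not Iru's or OneLogin's code) shows what a consumer of that value has to do: split on the delimiter, drop surrounding whitespace and empty entries, and grant the administrator account type only on an exact match. The claim name "groups" and the sample claims are assumptions constructed for the example; the role name Passport Admin Users is the one used in the steps above.

```python
# Added example, not Iru's or OneLogin's code. The claim name "groups" and the
# sample claims below are constructed; only the role name comes from the guide.

ADMIN_ROLE = "Passport Admin Users"  # must match the OneLogin role name exactly


def parse_groups(value):
    """Normalise the Groups value into a list of role names.

    Accepts the semicolon-delimited string produced by "Semicolon Delimited
    Input", a list of names, or None. Whitespace around names and empty
    entries (for example a trailing ';') are discarded.
    """
    if value is None:
        return []
    items = value.split(";") if isinstance(value, str) else list(value)
    return [item.strip() for item in items if item and item.strip()]


def account_type(claims, admin_role=ADMIN_ROLE):
    """Return "admin" only when the exact role name is present, else "standard".

    The comparison is deliberately case- and whitespace-sensitive after trimming:
    a role named "passport admin users" does not grant admin, which mirrors the
    guide's requirement that the role name match the IDP group name.
    """
    roles = parse_groups(claims.get("groups"))
    return "admin" if admin_role in roles else "standard"


def account_types(claims_list, admin_role=ADMIN_ROLE):
    """Map each user's "sub" to the Mac account type they would be provisioned with."""
    return {c["sub"]: account_type(c, admin_role) for c in claims_list}


# Constructed sample claims, one per user, as they might arrive after the
# Groups parameter defaults to "User Roles" with semicolon-delimited input.
SAMPLE_CLAIMS = [
    {"sub": "user1", "groups": "Passport Admin Users;Default"},
    {"sub": "user2", "groups": "Default"},
    {"sub": "user3", "groups": "passport admin users"},   # case mismatch
    {"sub": "user4", "groups": ["Passport Admin Users"]},  # list form
    {"sub": "user5"},                                      # no groups at all
]

if __name__ == "__main__":
    for sub, kind in account_types(SAMPLE_CLAIMS).items():
        print(sub, kind)
```

The useful property here is the fail-closed default: a missing claim, an empty value, or a role name that differs only in case all produce a standard account, so a misconfigured role can only withhold admin rights, never grant them.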
Once the OIDC apps and roles in OneLogin are set up as you need them, open the Iru Endpoint tab to enter the values in the Passport Library Item. On that tab, User provisioning includes an example in which a OneLogin role supplies the administrator group name.

If you experience any issues with Passport and OneLogin, read Passport Troubleshooting with OneLogin.