This guide applies to Mac computers
If you experience any issues with Passport & OneLogin, read through our Passport Troubleshooting with OneLogin article for more information.

About Passport with OneLogin

Passport with OneLogin enables users to log into Mac computers using their OneLogin credentials. This integration provides secure authentication using your organization’s OneLogin identity system with support for both standard and multi-factor authentication.

How It Works

Passport integrates with your OneLogin instance using OpenID Connect (OIDC) to authenticate users at the macOS login screen. The configuration varies depending on whether you use multi-factor authentication, requiring different OIDC applications for different authentication modes. The number of OIDC apps you need to create in OneLogin depends on the authentication mode your Passport library item uses.
  • If you do not use multi-factor authentication (MFA) with OneLogin, you need to configure only one OIDC app (for password sync).
  • If you do use multi-factor authentication (MFA) with OneLogin, you need to create two apps: the app mentioned above, and an additional OIDC app for the Web Login authentication mode.
You can assign whatever names you like for the OIDC apps you create; our documentation uses the following names:
  • Iru Passport Mac Login
  • Iru Passport Web Login
According to the OneLogin support article Introduction to App Management, in order to add apps, you need to use a OneLogin account that is either a Super User or Account Owner.
If you already configured Passport for the first iteration of Iru Passport, you can go directly to the section: Configure an OIDC app for Iru Passport Web Login

Configure an OIDC App for Iru Passport Mac Login

Use these steps to configure the app that Passport will use to keep the Mac password in sync with the OneLogin password. This is required for both authentication modes (Mac Login and Web Login).
1

Log in to OneLogin

Log in to OneLogin as an Account owner or Super user.
2

Navigate to Applications

In your OneLogin admin console, navigate to the Applications page.
3

Add new app

In the upper-right corner, click Add App.
4

Search for OIDC

In the search field in the upper-left corner, enter OIDC.
5

Select OpenID Connect

Select OpenId Connect (OIDC).
6

Configure app details

In the Display Name field, enter a descriptive name such as Iru Passport Mac Login.
7

Set visibility

Click the Visible in portal switch to the Off position; this app does not need to be visible in order for Passport to work, and it might be confusing for a user to see this app in their OneLogin portal.
8

Save app

Click Save.
9

Access Configuration

In the left sidebar, click Configuration.
10

Enter redirect URI

In the Redirect URI’s field, enter the following:
https://localhost.redirect
Passport doesn’t require this value, but you cannot save the app configuration without some value in the Redirect URI’s field.
11

Access SSO settings

In the left sidebar, click SSO.
12

Set Application Type

Click the Application Type menu and select Native.
13

Set Token Endpoint

Click the Token Endpoint menu and select None (PKCE).
14

Save SSO configuration

Click Save.

Collecting Configuration Details

1

Prepare secure document

Open a secure text document that you can use to store values for this OIDC app. You will need the Client ID and Issuer URL details when you configure the Passport library item (you don’t need the client secret).
2

Copy Client ID

To the right of the Client ID field, click the Copy to Clipboard button (looks like a clipboard).
3

Store Client ID

Paste the Client ID into the secure text document.
4

Copy Issuer URL

Right-click (or Control-click) the Well-known Configuration link and copy its value.
The Issuer URL contains the start of the well-known configuration for this OIDC app, which uses the following pattern:
https://<subdomain>.onelogin.com/oidc/2/.well-known/openid-configuration
5

Store Issuer URL

Paste the Issuer URL into the secure text document.
6

Save document

Save the secure text document.
7

Assign app to users

In OneLogin, assign the app to the users or groups who will be using Passport to log in to their Mac computers.
If you are using Iru Passport Web Login, continue with the next section. Otherwise, go to the Iru Endpoint web app to configure the Passport library item.
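A sanity check for the value stored in the steps above, as an added example that is not part of the original guide or of Iru's or OneLogin's code: it validates the copied Well-known Configuration link against the pattern shown in this guide and checks a discovery document for the capabilities the two apps rely on (None (PKCE) for Mac Login, POST for Web Login). The function names, the `example` subdomain and the sample document are constructed, and the metadata field names are the standard OIDC discovery fields, assumed to be present in your tenant's document.

```python
import re
from urllib.parse import urlsplit

# Pattern from this guide: https://<subdomain>.onelogin.com/oidc/2/.well-known/openid-configuration
HOST_RE = re.compile(r"[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.onelogin\.com")
WELL_KNOWN_PATH = "/oidc/2/.well-known/openid-configuration"

def issuer_from_well_known(url):
    """Validate the copied Well-known Configuration link; return the issuer."""
    parts = urlsplit(url.strip())
    host = parts.hostname or ""
    if parts.scheme != "https":
        raise ValueError("well-known URL must use https")
    if parts.username or parts.password or parts.port or parts.query or parts.fragment:
        raise ValueError("unexpected userinfo, port, query or fragment")
    if not HOST_RE.fullmatch(host):
        raise ValueError(f"unexpected host: {host!r}")
    if parts.path != WELL_KNOWN_PATH:
        raise ValueError(f"unexpected path: {parts.path!r}")
    return f"https://{host}/oidc/2"

def check_discovery(url, doc):
    """Return findings; an empty list means the metadata fits both apps."""
    issuer = issuer_from_well_known(url)
    findings = []
    if doc.get("issuer") != issuer:
        findings.append("issuer does not match the well-known URL")
    if "S256" not in doc.get("code_challenge_methods_supported", []):
        findings.append("PKCE S256 not advertised (Mac Login app)")
    auth = doc.get("token_endpoint_auth_methods_supported", [])
    for method, app in (("none", "Mac Login"), ("client_secret_post", "Web Login")):
        if method not in auth:
            findings.append(f"{method} not advertised ({app} app)")
    for key in ("authorization_endpoint", "token_endpoint"):
        ep = urlsplit(doc.get(key, ""))
        if ep.scheme != "https" or ep.hostname != urlsplit(issuer).hostname:
            findings.append(f"{key} is not an https URL on the issuer host")
    return findings

# Constructed sample values (not from a real tenant).
SAMPLE_URL = "https://example.onelogin.com/oidc/2/.well-known/openid-configuration"
SAMPLE_DOC = {
    "issuer": "https://example.onelogin.com/oidc/2",
    "authorization_endpoint": "https://example.onelogin.com/oidc/2/auth",
    "token_endpoint": "https://example.onelogin.com/oidc/2/token",
    "code_challenge_methods_supported": ["S256"],
    "token_endpoint_auth_methods_supported": ["client_secret_post", "none"],
}
```

A finding means the metadata does not advertise a capability and is a prompt to look closer at the tenant; the discovery document describes the provider, not the settings of an individual app.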

Configure an OIDC App for Iru Passport Web Login

Configure the POST OIDC app that Passport uses to allow users to enter an additional factor of authentication when they log in to their Mac.
1

Navigate to Applications

In your OneLogin admin console, navigate to the Applications page.
2

Add new app

In the upper-right corner, click Add App.
If the Add App button does not appear, it’s possible that you previously clicked See the new apps list. To make OneLogin display the Add App button, remove the string /admin2 from the URL. For example, instead of https://accuhive.onelogin.com/admin2/apps, use https://accuhive.onelogin.com/apps.
3

Search for OIDC

In the search field in the upper-left corner, enter OIDC.
4

Select OpenID Connect

Select OpenID Connect (OIDC).
5

Configure app details

In the Display Name field, enter a descriptive name such as Iru Passport Web Login.
6

Set visibility

Click the Visible in portal switch to the Off position; this app does not need to be visible in order for Passport to work, and it might be confusing for a user to see this app in their OneLogin portal.
7

Save app

Click Save.
8

Access Configuration

In the left sidebar, click Configuration.
9

Enter redirect URI

In the Redirect URI’s field, enter the following:
https://localhost.redirect
10

Access SSO settings

In the left sidebar, click SSO.
11

Set Application Type

Click the Application Type menu and select Native.
12

Set Authentication Method

In the Token Endpoint section, click the Authentication Method menu and select POST.
13

Save SSO configuration

Click Save.

Collecting Web Login Configuration Details

1

Prepare secure document

Open a secure text document that you can use to store values for this OIDC app. You will need the Client ID and Client Secret for this POST app when you configure the Passport library item. If you already have a secure document open from configuring the previous OIDC app, add a note that the new values are for the OIDC app for the Web Login authentication mode.
2

Copy Client ID

Copy the contents of the Client ID field.
3

Store Client ID

Paste the Client ID into the secure text document.
4

Show client secret

Click Show client secret.
5

Copy client secret

Copy the client secret.
6

Store client secret

Paste the client secret into the secure text document.
7

Save document

Save the secure document.
8

Assign app to users

In OneLogin, assign the app to the users or groups who will be using Passport to log in to their Mac computers with the Passport library item with the authentication mode set to Web Login.

Configuring a User Account Type by Identity Provider Group in OneLogin

When configuring whether a user will be a standard user or an admin user, you will need to follow the steps below.
1

Access Roles

Log in to your OneLogin Console. Select Users > Roles.
2

Create new role

Select New Role on the top right of the screen, and name your role. (You will want to make sure your role name matches the IdP group name that you are using in your Iru Passport configuration.) In this example, I used Passport Admin Users. Finally, select your Iru Passport app that you created in OneLogin and click Save on the top right of the screen.
3

Configure app parameters

Next, navigate to the Iru Passport app that you created in OneLogin. Select the Parameters link and click on the Groups field.
4

Set default value

In the “Default if no value selected” section, select User Roles from the drop-down list and make sure Semicolon Delimited Input is selected. Click Save.
5

Assign users to role

Finally, make sure your users are part of the role that you are creating, as well as a member of the Iru Passport application in OneLogin. To add a user to a role, select Users > Roles > Passport Admin Users (in my example), select the Users link, search for the user, click the blue check box, click the Add to Role link, and then click Save at the top right of the page.
This is what your Passport library item should look like if you are using the role created above to create admin users.
With the OneLogin configuration complete, go to the Iru Endpoint web app to configure the Passport library item.
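A way to audit the role mapping configured above before relying on it for admin rights, as an added example that is not part of the original guide or of Iru's code: it reads the semicolon-delimited roles from an ID token's payload and reports whether the role name configured in Passport is present exactly. The claim name `groups`, the exact-match comparison, the function names and the sample token are assumptions made for this example.

```python
import base64
import json

def jwt_claims(token):
    """Decode a JWT payload for inspection only; the signature is NOT verified."""
    try:
        _header, payload, _signature = token.split(".")
        padded = payload + "=" * (-len(payload) % 4)
        return json.loads(base64.urlsafe_b64decode(padded))
    except ValueError as exc:  # also covers base64 and JSON decode errors
        raise ValueError("not a well-formed JWT") from exc

def roles_from_claims(claims, claim="groups"):
    """Split the Semicolon Delimited Input value; whitespace is kept on purpose."""
    raw = claims.get(claim)
    if raw is None:
        return []
    items = raw if isinstance(raw, list) else str(raw).split(";")
    return [item for item in items if item != ""]

def audit_role(claims, expected_role):
    """Return 'match', 'absent', or a near-miss that an exact comparison would reject."""
    roles = roles_from_claims(claims)
    if expected_role in roles:
        return "match"
    wanted = expected_role.strip().casefold()
    near = [r for r in roles if r.strip().casefold() == wanted]
    return f"near-miss: {near[0]!r}" if near else "absent"

def _b64(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

# Constructed sample token (not issued by any real tenant; signature is a dummy).
SAMPLE_TOKEN = ".".join([
    _b64({"alg": "RS256", "typ": "JWT"}),
    _b64({"sub": "user@example.com", "groups": "Passport Admin Users;Engineering"}),
    "constructed-signature",
])

if __name__ == "__main__":
    print(audit_role(jwt_claims(SAMPLE_TOKEN), "Passport Admin Users"))
```

A near-miss result (different case or stray spaces around the role name) points at a mismatch between the OneLogin role name and the IdP group name entered in the Passport configuration.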

Troubleshooting Issues with Passport & OneLogin

If you experience any issues with Passport & OneLogin, read through our Passport Troubleshooting with OneLogin article for additional information.