This guide applies to Mac computers

About Passport Troubleshooting with OneLogin

Passport troubleshooting with OneLogin involves resolving authentication issues that occur when using Passport with OneLogin as your Identity Provider (IdP). This guide helps identify and resolve common configuration and authentication problems specific to OneLogin integration.

How It Works

When Passport authentication issues occur with OneLogin, troubleshooting involves checking OneLogin application settings, verifying OIDC configuration, examining authentication flows, and resolving configuration mismatches between Passport and your OneLogin tenant.

Login, Diagnostics, and Network

Sign in with the full email address

At the Passport login window, always enter the user’s full email address in the username field so the session uses your IdP instead of local authentication. For how the login window and visibility settings interact with Passport, see Passport Compatibility.

Use Passport Diagnostics

If a user cannot sign in, open Iru Endpoint Passport Diagnostics with Command-Shift-K-L on the Mac. The panel surfaces useful detail, including error messages returned from your IdP.

Confirm network connectivity

Passport must reach OneLogin to validate credentials. When you customize the Passport login window, enable the network manager so users can join Wi-Fi if needed. The control respects AirPort security settings in macOS.

Wi-Fi limits and isolation testing

Passport shows a Wi-Fi icon at the upper-right of the login window; users can click it to join a password-protected network. Passport does not support captive portals, click-through acceptance pages, or enterprise 802.1X networks that require a separate username and password in that flow. To isolate network issues, try a mobile hotspot or wired Ethernet while testing at the Passport login window.

Common OneLogin errors

What you see: Error: Couldn’t communicate with helper application (OneLogin)
What to do:
  • Confirm the Issuer URL in Iru Endpoint matches your OneLogin OIDC well-known endpoint. It should follow this pattern:
https://<subdomain>.onelogin.com/oidc/2/.well-known/openid-configuration
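
The Issuer URL check above, as an added example (not part of the original guide or of Iru's tooling): a Python script that tests a configured Issuer URL against the pattern and, following the OIDC Discovery rule, confirms that the fetched document's issuer equals the URL minus the well-known suffix. The tenant name example, the single-label subdomain rule, and the sample document are assumptions constructed for illustration.

```python
import json
import re
import sys
import urllib.request

SUFFIX = "/.well-known/openid-configuration"
# Pattern from this guide; the subdomain is assumed to be a single DNS label.
PATTERN = re.compile(
    r"https://[a-z0-9]([a-z0-9-]*[a-z0-9])?\.onelogin\.com/oidc/2" + re.escape(SUFFIX))

def check_issuer_url(url):
    """Return a list of problems with the configured Issuer URL (empty = OK)."""
    problems = []
    if url != url.strip():
        problems.append("leading or trailing whitespace")
    url = url.strip()
    if not url.startswith("https://"):
        problems.append("scheme is not https://")
    if "<" in url or ">" in url:
        problems.append("placeholder <subdomain> was not replaced")
    if not url.endswith(SUFFIX):
        problems.append("does not end with " + SUFFIX)
    if "/oidc/2" not in url:
        problems.append("missing /oidc/2 path segment")
    if not problems and not PATTERN.fullmatch(url):
        problems.append("does not match https://<subdomain>.onelogin.com/oidc/2" + SUFFIX)
    return problems

def check_discovery(url, doc):
    """Compare a discovery document (dict) with the URL it was fetched from."""
    expected = url.strip()[: -len(SUFFIX)]  # OIDC Discovery: issuer == URL minus suffix
    problems = []
    if doc.get("issuer") != expected:
        problems.append(f"issuer is {doc.get('issuer')!r}, expected {expected!r}")
    if not doc.get("token_endpoint"):  # the password grant (ROPG) posts to this endpoint
        problems.append("no token_endpoint in discovery document")
    return problems

# Constructed sample document for the placeholder tenant "example".
SAMPLE_DOC = {"issuer": "https://example.onelogin.com/oidc/2",
              "token_endpoint": "https://example.onelogin.com/oidc/2/token"}

if __name__ == "__main__":
    url = sys.argv[1]
    problems = check_issuer_url(url)
    if not problems:  # fetch only once the URL itself is well formed
        with urllib.request.urlopen(url, timeout=10) as resp:
            problems = check_discovery(url, json.load(resp))
    print("\n".join(problems) or "OK")
```

Run it with the configured URL as the only argument; an empty problem list prints OK.
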

What you see: Error: Unauthorized, MFA is required for this user (OneLogin)
What it means: The user is likely affected by a User policy rather than an App policy.
What to do:
  • Use an App policy for MFA so the user is prompted when accessing apps assigned in OneLogin, and do not rely on MFA enforced only on the User policy. This may affect MFA in other areas, such as accessing the OneLogin portal. OneLogin does not have a way to separate a User policy MFA requirement for the OIDC Resource Owner Password Grant (ROPG) flow.
  • See OneLogin’s App Policies article.
For setup steps, see Passport Configuration with OneLogin.