Passport Configuration with Okta

Create an OpenID Connect (OIDC) application in Okta for use in configuring Kandji Passport.

  1. Navigate to the Applications section on the left-hand menu pane in your Okta Administrator Console and select Applications.
  2. Click Create App Integration.

    [Screenshot: app-integration]

  3. For Sign-in Method, select OIDC - OpenID Connect.
  4. For Application Type, select Native Application and click Next.

    [Screenshot: native application]
  5. Provide an App Integration Name such as Kandji Passport.
  6. Under Grant Type, select Resource Owner Password to enable it.
    Deselect Refresh Token (default) to ensure Passport prompts users to update their Mac passwords while logged in if their identity provider password changes.
  7. Under Assignments, select the desired Controlled Access setting and click Save.

    [Screenshot: deselect refresh token]
  8. In the General tab of the Application you just created, note the Client ID.
  9. In the General tab of the Application you just created, note the Okta domain.

    [Screenshot: Client ID]

  10. The Identity provider URL for Okta will be https://{yourOktaDomain}/.well-known/openid-configuration, where {yourOktaDomain} is the Okta domain you noted in the previous step.
  11. When configuring the Passport library item, you need the Client ID (Application ID) and Identity provider URL.

You do not need a custom Sign-On Policy Rule, but if you add one, ensure MFA is disabled: the Resource Owner Password grant sends the username and password directly to the token endpoint, so there is no interactive step in which an MFA challenge could be completed.

With the Okta configuration complete, assign the app to the users using Passport to sign in to their Mac systems, and go to the Kandji web app to configure the Passport library item.

User Provisioning

If you plan to utilize the Group information in Okta to determine the user account type, you’ll need to select Specified per identity provider group under User Account Type within the User Provisioning section of the Passport library item. You’ll also need to configure the Group claim filter within the Passport OIDC application in Okta to start with Mac-.

[Screenshot: identity provider group]

  1. Navigate to the Applications section on the left-hand menu pane in your Okta Administrator Console and select Applications.

  2. Select your Kandji Passport application that you previously created.

  3. Go to the Sign On tab and click Edit in the OpenID Connect ID Token section.
    [Screenshot: OpenID Connect ID Token]

  4. In the Group claims filter section, leave the default claim name groups, and then add the appropriate filter. For example, choose Starts With and enter Mac if all the groups you use in Passport start with Mac.
    [Screenshot: group claims filter]

  5. Click Save.
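The two values collected above, the Identity provider URL from step 10 of the first procedure and the group claim filter from step 4 of this one, can be sanity-checked before they go into the Passport library item. The following is an added Python example, not Kandji's or Okta's code; the Okta domain, the discovery document, the ID-token claims and the group-to-account-type mapping are all constructed assumptions, not values from a real tenant.

```python
"""Added example (not Kandji's or Okta's code): sanity-check the values this
guide asks you to collect before entering them into the Passport library item.
The discovery document and ID-token claims below are constructed samples.
"""
import json
from urllib.parse import urlparse

# Constructed sample of what https://{yourOktaDomain}/.well-known/openid-configuration
# returns; field names follow OpenID Connect Discovery, the values are made up.
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://example.okta.com",
    "authorization_endpoint": "https://example.okta.com/oauth2/v1/authorize",
    "token_endpoint": "https://example.okta.com/oauth2/v1/token",
    "jwks_uri": "https://example.okta.com/oauth2/v1/keys",
    "scopes_supported": ["openid", "profile", "email", "groups"],
})

# Constructed sample of the claims in an ID token; only the "groups" claim matters here.
SAMPLE_CLAIMS = {
    "iss": "https://example.okta.com",
    "sub": "00uCONSTRUCTEDSUBJECT",
    "aud": "0oaCLIENTIDPLACEHOLDER",  # would be the Client ID noted in step 8
    "groups": ["Mac-Admins", "Mac-Standard", "Everyone"],
}


def discovery_url(okta_domain: str) -> str:
    """Build the Identity provider URL from step 10 for a given Okta domain."""
    return f"https://{okta_domain}/.well-known/openid-configuration"


def check_discovery(doc_json: str, okta_domain: str) -> list[str]:
    """Return the problems found in a discovery document. An empty list means
    the document belongs to the expected domain, every endpoint is an https URL
    on that domain, and the server advertises the 'groups' scope."""
    doc = json.loads(doc_json)
    problems: list[str] = []
    expected_issuer = f"https://{okta_domain}"
    if doc.get("issuer") != expected_issuer:
        problems.append(f"issuer {doc.get('issuer')!r} does not match {expected_issuer!r}")
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        url = doc.get(key)
        if not url:
            problems.append(f"missing {key}")
            continue
        parsed = urlparse(url)
        if parsed.scheme != "https" or parsed.hostname != okta_domain:
            problems.append(f"{key} {url!r} is not an https URL on {okta_domain}")
    if "groups" not in doc.get("scopes_supported", []):
        problems.append("server does not advertise the 'groups' scope used for the group claim")
    return problems


def passport_groups(claims: dict, prefix: str = "Mac-") -> list[str]:
    """Apply the 'Starts With' group claim filter from the User Provisioning steps
    to an ID token's groups claim, mirroring what Okta emits once the filter is set."""
    return [g for g in claims.get("groups", []) if g.startswith(prefix)]


def account_type(claims: dict, mapping: dict[str, str], prefix: str = "Mac-") -> str:
    """Pick the user account type from the filtered groups using a hypothetical
    group-to-type mapping (the group names are assumptions, not Kandji defaults).
    The first filtered group present in the mapping wins, in token order; the
    result is 'unassigned' when none matches, so a user whose groups never made
    it into the token is easy to spot."""
    for group in passport_groups(claims, prefix):
        if group in mapping:
            return mapping[group]
    return "unassigned"


if __name__ == "__main__":
    domain = "example.okta.com"  # constructed; use the Okta domain noted in step 9
    print("Identity provider URL:", discovery_url(domain))
    print("discovery problems:", check_discovery(SAMPLE_DISCOVERY, domain))
    print("filtered groups:", passport_groups(SAMPLE_CLAIMS))
    print("account type:", account_type(
        SAMPLE_CLAIMS, {"Mac-Admins": "Administrator", "Mac-Standard": "Standard"}))
```

To use it against a live tenant, fetch the discovery URL yourself and pass the response body to check_discovery together with the domain you noted in step 9; a non-empty result usually means the domain was typed differently from what the server reports as its issuer. passport_groups shows what Passport will see once the filter is in place: a user whose groups do not start with the chosen prefix gets an empty list, which is the first thing to check when per-group account types are not being applied.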