Create an OpenID Connect (OIDC) application in Okta for use in configuring Kandji Passport
If you experience any issues with Passport & Okta, read through our Passport Troubleshooting with Okta article for more information.
When logging in at the Passport Login Window, the full email address should always be used in the username field to ensure the authentication session is connected to the IdP and not local authentication. To avoid confusion with using email addresses at the FileVault Login Window, ensure that the Managed user visibility box is unchecked on the Login Window Library Item. You can read more about this in our Passport Compatibility article.
When configuring the Passport library item, you need the Client ID (Application ID) and Identity provider URL. Use these steps to configure the OIDC app and collect the required information.
- In your Okta Administrator Console, in the left menu pane, expand the Applications section and select Applications.
- Click Create App Integration.
- For Sign-in Method, select OIDC - OpenID Connect.
- For Application Type, select Native Application.
- Click Next.
- In the App integration name field, enter a name such as Kandji Passport.
- In the Grant type section, confirm that the checkbox for Refresh Token is deselected. This option must be turned off to ensure that Passport prompts users to update their Mac password while logged in if their Okta password changes.
Note: The Store user password setting in the Passport Library Item needs to be set to Securely store password in order for users to receive the password update prompts.
- In the Grant type section, select the checkbox for Resource Owner Password.
Note: If your Okta instance hasn’t yet been updated from Classic to Okta Identity Engine (OIE), the Interaction Code grant type (as displayed in the following figure) will not be displayed.
- In the Sign-in redirect URIs section, click Add URI.
- In the new field that appears, enter the following:
The same Sign-in redirect URI must be used in the Passport Library Item in the Redirect URI field in the Authentication mode section.
- In the Assignments section, select whether to assign the app integration to everyone in your org, only selected group(s), or skip assignment until after app creation.
- Click Save.
- Open a secure text document that you can use to store values for this OIDC app. You will need these details when you configure the Passport Library Item.
- In the General tab of the OIDC application you just created, on the right side of the Client ID field, click the copy icon (looks like a clipboard).
- Paste the value into your secure text document.
- Copy the formula for your Identity provider URL from the following text:
- Paste the text into your secure text document.
- In your secure text document, replace yourOktaDomain with your Okta domain.
You do not need a custom Sign-On Policy Rule, but if you add one, ensure MFA is disabled.
With the Okta configuration complete, assign the app to the users using Passport to sign in to their Mac systems, and go to the Kandji web app to configure the Passport library item.
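As an added configuration check that is not part of this article or of Kandji's or Okta's own tooling, the following Python script audits an Okta app definition against the requirements in the steps above (OIDC sign-on, Native application type, Resource Owner Password enabled, Refresh Token disabled, redirect URI matching the Passport Library Item, Client ID present). The JSON field names are assumed to follow the shape of an Okta Apps API response; the sample values and the redirect URI are constructed placeholders.

```python
import json

# Constructed placeholder; in practice this is the Redirect URI entered in the
# Passport Library Item (Authentication mode section).
EXPECTED_REDIRECT = "https://example.invalid/passport/redirect"


def make_sample(grant_types):
    """Build a constructed app record in the (assumed) Okta Apps API shape,
    varying only the grant types so the audit can be exercised."""
    return json.dumps({
        "label": "Kandji Passport",
        "signOnMode": "OPENID_CONNECT",
        "credentials": {"oauthClient": {"client_id": "0oaEXAMPLEclientid"}},
        "settings": {"oauthClient": {
            "application_type": "native",
            "grant_types": grant_types,
            "redirect_uris": [EXPECTED_REDIRECT],
        }},
    })


def audit_passport_app(app_json, expected_redirect):
    """Return findings where the app deviates from the Passport requirements
    described in this article; an empty list means the app passes."""
    app = json.loads(app_json)
    oc = app.get("settings", {}).get("oauthClient", {})
    grants = set(oc.get("grant_types", []))
    findings = []
    if app.get("signOnMode") != "OPENID_CONNECT":
        findings.append("sign-in method is not OIDC - OpenID Connect")
    if oc.get("application_type") != "native":
        findings.append("application type is not Native Application")
    if "password" not in grants:
        findings.append("Resource Owner Password grant is not selected")
    if "refresh_token" in grants:
        # With Refresh Token on, Passport will not prompt for Mac password
        # updates after an Okta password change.
        findings.append("Refresh Token grant is selected")
    if expected_redirect not in oc.get("redirect_uris", []):
        findings.append("Sign-in redirect URI does not match the Library Item")
    if not app.get("credentials", {}).get("oauthClient", {}).get("client_id"):
        findings.append("Client ID is missing")
    return findings


if __name__ == "__main__":
    for f in audit_passport_app(make_sample(["password", "refresh_token"]),
                                EXPECTED_REDIRECT):
        print("finding:", f)
```

Run it against a real app record exported from the Okta Administrator Console or API, replacing the constructed sample and redirect URI with your own values.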
If you plan to use the Group information in Okta to determine the user account type, start with the following steps. The groups you use in Okta don't have to start with Mac- but these steps use Mac- as an example.
- In the Passport library item, in the User provisioning section, click the User account type menu and select Specified per identity provider group.
- In the Identity provider group fields, enter your Okta group names. This article uses groups that start with Mac- as an example.
- For each Identity provider group row, set the Account type as appropriate.
Next, in Okta, in your Passport OIDC application, use the following steps to configure the Group claim filter to start with Mac- as an example.
- In your Okta Administrator Console, in the left menu pane, expand the Applications section if necessary, then select Applications.
- Select your Kandji Passport application that you previously created.
- Click the Sign On tab.
- In the OpenID Connect ID Token section, click Edit.
- In the Group claims filter section, leave the default value: groups.
- Leave the middle field at the default: Starts with.
- In the right-most field, enter Mac (assuming the Okta groups you use or will use start with Mac).
- Click Save.
Troubleshooting Issues with Passport & Okta
If you experience any issues with Passport & Okta, read through our Passport Troubleshooting with Okta article for additional information.