Passport Configuration with OneLogin

By Corey Willis

Create an OpenID Connect (OIDC) application in OneLogin for use in configuring Passport

The number of OIDC apps you need to create in OneLogin depends on the authentication mode your Passport library item uses.

  • If you do not use multi-factor authentication (MFA) with OneLogin, you need to configure only one OIDC app (for password sync).
  • If you do use multi-factor authentication (MFA) with OneLogin, you need to create two apps: the app mentioned above, and an additional OIDC app for the Web Login authentication mode.

You can assign whatever names you like for the OIDC apps you create; our documentation uses the following names:

  • Kandji Passport Mac Login
  • Kandji Passport Web Login

According to the OneLogin support article Introduction to App Management, in order to add apps, you need to use a OneLogin account that is either a Super User or Account Owner.

If you already configured Passport for the first iteration of Kandji Passport, you can go directly to the section: Configure an OIDC App for Kandji Passport Web Login.


Configure an OIDC App for Kandji Passport Mac Login

Use these steps to configure the app that Passport will use to keep the Mac password in sync with the OneLogin password. This is required for both authentication modes (Mac Login and Web Login).

  1. Log in to OneLogin as an Account owner or Super user.
  2. In your OneLogin admin console, navigate to the Applications page.
  3. In the upper-right corner, click Add App.
  4. In the search field in the upper-left corner, enter OIDC.
  5. Select OpenID Connect (OIDC).
  6. In the Display Name field, enter a descriptive name such as Kandji Passport Mac Login.
  7. Click the Visible in portal switch to the Off position; this app does not need to be visible in order for Passport to work, and it might be confusing for a user to see this app in their OneLogin portal.
  8. Click Save.
  9. In the left sidebar, click Configuration.
  10. In the Redirect URI's field, enter the following:
    https://localhost.redirect

    NOTE: Passport doesn't require this value, but you cannot save the app configuration without some value in the Redirect URI's field.

  11. In the left sidebar, click SSO.

  12. Click the Application Type menu and select Native.

  13. Click the Token Endpoint menu and select None (PKCE).

  14. Click Save.

  15. Open a secure text document that you can use to store values for this OIDC app. You will need the Client ID and Issuer URL details when you configure the Passport library item (you don't need the client secret).

  16. To the right of the Client ID field, click the Copy to Clipboard button (looks like a clipboard).

  17. Paste the Client ID into the secure text document.

  18. Right-click (or Control-click) the Well-known Configuration link and copy its value.

    NOTE: The Issuer URL is the beginning of the well-known configuration URL for this OIDC app; the full well-known configuration URL follows this pattern:
    https://<subdomain>.onelogin.com/oidc/2/.well-known/openid-configuration
    The Issuer URL is the portion before /.well-known/openid-configuration.
  19. Paste the Issuer URL into the secure text document.

  20. Save the secure text document.

  21. In OneLogin, click Save.

  22. In OneLogin, assign the app to the users or groups who will be using Passport to log in to their Mac computers.

  23. If you are using Kandji Passport Web Login, continue with the next section. Otherwise, go to the Kandji web app to configure the Passport library item.


Configure an OIDC App for Kandji Passport Web Login

Configure the POST OIDC app that Passport uses to allow users to enter an additional factor of authentication when they log in to their Mac.

  1. In your OneLogin admin console, navigate to the Applications page.
  2. In the upper-right corner, click Add App.

    NOTE: If the Add App button does not appear, it’s possible that you previously clicked See the new apps list. To make OneLogin display the Add App button, remove the string /admin2 from the URL. For example, instead of https://accuhive.onelogin.com/admin2/apps, use https://accuhive.onelogin.com/apps.

  3. In the search field in the upper-left corner, enter OIDC.

  4. Select OpenID Connect (OIDC).

  5. In the Display Name field, enter a descriptive name such as Kandji Passport Web Login.

  6. Click the Visible in portal switch to the Off position; this app does not need to be visible in order for Passport to work, and it might be confusing for a user to see this app in their OneLogin portal.

  7. Click Save.

  8. In the left sidebar, click Configuration.

  9. In the Redirect URI's field, enter the following:
    https://localhost.redirect

  10. In the left sidebar, click SSO.

  11. Click the Application Type menu and select Native.

  12. In the Token Endpoint section, click the Authentication Method menu and select POST.

  13. Click Save.

  14. Open a secure text document that you can use to store three values for this OIDC app. You will need the Client ID and Client Secret for this POST app when you configure the Passport library item. If you already have a secure document open from configuring the previous OIDC app, add a note that the new values are for the OIDC app for the Web Login authentication mode.

  15. Copy the contents of the Client ID field.

  16. Paste the Client ID into the secure text document.

  17. Click Show client secret.

  18. Copy the client secret.

  19. Paste the client secret into the secure text document.

  20. Save the secure document.

  21. In OneLogin, click Save.

  22. In OneLogin, assign the app to the users or groups who will be using Passport to log in to their Mac computers with a Passport library item whose authentication mode is set to Web Login.


With the OneLogin configuration complete, go to the Kandji web app to configure the Passport library item.