Passport Troubleshooting with Okta

By Gwynn Clark

Learn common troubleshooting techniques to use when experiencing issues with Passport & Okta

Login Best Practices

When logging in at the Passport Login Window, the full email address should always be used in the username field to ensure the authentication session is connected to the IdP and not local authentication. To avoid confusion with using email addresses at the FileVault Login Window, ensure that the Managed user visibility checkbox is deselected on the Login Window Library Item. You can read more about this in our Passport Compatibility article.

Kandji Passport Diagnostics

If a user can't log in at the Passport login window, you can bring up Kandji Passport Diagnostics by pressing Command-Shift-K-L on the keyboard. You will see helpful information, such as error messages from your IdP.

Network Connectivity

Passport requires network connectivity to check user credentials against the IdP. When customizing the login window in Passport, show the network manager so users can join a Wi-Fi network as necessary. The network manager respects AirPort security settings in macOS.

Common Okta Errors

To look up any Okta error codes, you can visit the Okta API Error Codes page.

Error: POST token 401

Description: "error":"Unauthorized","error_description":"Authentication Failed: Invalid user credentials"

This error indicates a mismatched password; verify the password on the identity provider side. The 200 response on the GET request for openid-configuration suggests that the identity provider URL and Application ID (aka Client ID) in the Passport library item are configured correctly for communication with the identity provider.

Error: POST token 403

Description: "error":"access_denied","error_description":"End-user does not have access to this application"

This error indicates that the account may not have access to the Passport OIDC app on the identity provider side; verify that access there. The 200 response on the GET request for openid-configuration suggests that the identity provider URL and Application ID (aka Client ID) in the Passport library item are configured correctly for communication with the identity provider.
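The two error descriptions above, together with the openid-configuration check, can be turned into a small triage helper an admin runs from a terminal. The script below is an added example, not Kandji's or Okta's code: it builds the discovery URL for an issuer, classifies a failed token response into the causes this article lists, and can optionally perform the GET itself. The issuer https://example.okta.com/oauth2/default and the sample discovery document are constructed for illustration, and the "next step" wording is this example's own.

```python
"""Triage helper for Passport/Okta login failures (added example, not vendor code)."""
import json
from urllib.error import HTTPError, URLError
from urllib.request import Request, urlopen

# (HTTP status, OAuth "error" value) -> cause and suggested check.
# The two entries are the cases described in the article above.
KNOWN_TOKEN_ERRORS = {
    (401, "Unauthorized"): (
        "mismatched_password",
        "Password does not match the IdP; verify it on the Okta side.",
    ),
    (403, "access_denied"): (
        "app_not_assigned",
        "User lacks access to the Passport OIDC app; verify assignment in Okta.",
    ),
}


def discovery_url(issuer: str) -> str:
    """Return the openid-configuration URL for an OIDC issuer (trailing slash tolerated)."""
    return issuer.rstrip("/") + "/.well-known/openid-configuration"


def _parse_error_body(body: str) -> dict:
    """Parse an Okta error body; tolerate the brace-less fragment shown in diagnostics."""
    text = body.strip()
    if text and not text.startswith("{"):
        text = "{" + text + "}"
    try:
        return json.loads(text)
    except json.JSONDecodeError:
        return {}


def classify_token_error(status: int, body: str) -> dict:
    """Map a failed POST /token response to one of the article's causes, or 'unknown'."""
    payload = _parse_error_body(body)
    code = payload.get("error", "")
    cause, next_step = KNOWN_TOKEN_ERRORS.get(
        (status, code),
        ("unknown", "Look the code up on the Okta API Error Codes page."),
    )
    return {
        "status": status,
        "error": code,
        "description": payload.get("error_description", ""),
        "cause": cause,
        "next_step": next_step,
    }


def interpret_discovery(status: int, body: str) -> str:
    """Summarise the GET openid-configuration result as the article reads it."""
    if status != 200:
        return "issuer_unreachable_or_wrong"
    try:
        doc = json.loads(body)
    except json.JSONDecodeError:
        return "not_a_discovery_document"
    if "token_endpoint" in doc and "issuer" in doc:
        return "issuer_config_ok"
    return "not_a_discovery_document"


def check_discovery(issuer: str, timeout: float = 5.0) -> tuple[int, str]:
    """Perform the GET for real and return (status, body); network errors map to status 0."""
    req = Request(discovery_url(issuer), headers={"Accept": "application/json"})
    try:
        with urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")
    except URLError:
        return 0, ""


if __name__ == "__main__":
    # Constructed sample of what the discovery GET returns when the issuer is right.
    sample_discovery = json.dumps({
        "issuer": "https://example.okta.com/oauth2/default",
        "token_endpoint": "https://example.okta.com/oauth2/default/v1/token",
    })
    print(discovery_url("https://example.okta.com/oauth2/default"))
    print(interpret_discovery(200, sample_discovery))
    print(classify_token_error(
        401,
        '"error":"Unauthorized","error_description":"Authentication Failed: Invalid user credentials"',
    ))
```

Run it against a real tenant by replacing the sample with `check_discovery("https://<your-okta-domain>/oauth2/default")` and pasting the status and body from Kandji Passport Diagnostics into `classify_token_error`; the script only reads the public discovery document and never sends credentials.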