Passport Troubleshooting with OneLogin

By Andrew Merrick

Learn common troubleshooting techniques to use when experiencing issues with Passport and OneLogin.

When logging in at the Passport Login Window, always enter the full email address in the username field. This ensures the authentication attempt is sent to the IdP rather than handled by local macOS authentication, which only knows the short local account name. To avoid confusing users about which identifier to type at the FileVault Login Window, ensure that the Managed user visibility box is unchecked on the Login Window Library Item. You can read more about this in our Passport Compatibility article.

Kandji Passport Diagnostics

If a user can't log in at the Passport login window, you can bring up Kandji Passport Diagnostics by pressing Command-Shift-K-L on the keyboard. It shows helpful information, such as the error messages returned by your IdP, which is the quickest way to tell whether the failure comes from the IdP, the network, or the local account.

Network Connectivity

Passport requires network connectivity to check user credentials against the IdP; without it, the login window can only authenticate local accounts. When customizing the login window in Passport, show the network manager so users can join a Wi-Fi network as necessary. The network manager respects the Wi-Fi (AirPort) security settings in macOS, so networks that are restricted at the OS level cannot be joined from the login window.

Common OneLogin errors

Couldn't Communicate

Error: Couldn’t communicate with helper application (OneLogin)

Resolution: Make sure the Issuer URL entered for OneLogin in the Passport Library Item in Kandji is correct. A quick check is to open the URL in a browser: it should return a JSON OpenID Connect discovery document containing an issuer and a token_endpoint. An HTML page, a redirect to the OneLogin portal, or a 404 means the subdomain or path is wrong.

NOTE: The Issuer URL for OneLogin is https://<subdomain>.onelogin.com/oidc/2/.well-known/openid-configuration (replace <subdomain> with your OneLogin subdomain).

MFA is Required

Error: Unauthorized, MFA is required for this user (OneLogin)

Issue: MFA is most likely being enforced by a OneLogin User Policy rather than an App Policy. Passport authenticates with the OIDC Resource Owner Password Grant (ROPG) flow, which submits only a username and password and cannot complete an interactive MFA prompt, so a User Policy that requires MFA rejects every Passport login.

Resolution: Enforce MFA with an App Policy so the end user is prompted for it when accessing apps assigned in OneLogin, and do not enforce MFA on the User Policy. Note that this changes MFA behavior in other areas as well, such as accessing the OneLogin Portal, because OneLogin does not have a way to exempt only the OIDC ROPG flow from a User Policy MFA requirement.

Here is a link to OneLogin Support's App Policies article.
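To confirm which side is failing before changing any OneLogin policy, it helps to reproduce the two checks above outside of the login window: validate the Issuer URL and its discovery document, then send the same kind of ROPG token request that Passport relies on and read the error the IdP returns. The script below is an added troubleshooting helper, not Kandji or OneLogin code. It uses only the standard OpenID Connect Discovery field names and the standard OAuth 2.0 token request and error format (RFC 6749 section 4.3 and 5.2); the choice of HTTP Basic for the client credentials, the client_id/client_secret values, and the sample responses embedded in it are assumptions and constructed test data, not captured OneLogin output.

```python
"""Reproduce Passport's OIDC checks against OneLogin outside of the login window.

Added troubleshooting helper (not Kandji or OneLogin code). It builds and
validates the OneLogin discovery (Issuer) URL from the article, then sends a
Resource Owner Password Grant (ROPG, RFC 6749 section 4.3) token request so
an error can be attributed to OneLogin policy rather than to Passport. Only
the 'MFA is required' wording quoted in the article is assumed; other error
strings are whatever the IdP returns.
"""
import base64
import json
import sys
import urllib.error
import urllib.parse
import urllib.request

ISSUER_PREFIX = "https://{sub}.onelogin.com/oidc/2"


def discovery_url(subdomain: str) -> str:
    """Issuer/discovery URL as documented in the article for a OneLogin subdomain."""
    return ISSUER_PREFIX.format(sub=subdomain) + "/.well-known/openid-configuration"


def validate_discovery(doc: dict, subdomain: str) -> list:
    """Return a list of problems found in a discovery document (empty = looks good)."""
    problems = []
    expected_issuer = ISSUER_PREFIX.format(sub=subdomain)
    for field in ("issuer", "token_endpoint"):
        if field not in doc:
            problems.append(f"missing required field '{field}'")
    issuer = doc.get("issuer", "")
    if issuer and issuer.rstrip("/") != expected_issuer:
        problems.append(f"issuer {issuer!r} does not match expected {expected_issuer!r}")
    grants = doc.get("grant_types_supported")
    if grants is not None and "password" not in grants:
        problems.append("grant_types_supported does not include 'password' (ROPG)")
    return problems


def build_ropg_request(token_endpoint, client_id, client_secret, username, password, scope="openid"):
    """Build the grant_type=password token request that a Passport-style login performs.

    Client credentials go in an HTTP Basic header (RFC 6749 section 2.3.1); whether
    OneLogin also accepts them in the form body is not verified here (assumption).
    """
    body = urllib.parse.urlencode({
        "grant_type": "password",
        "username": username,   # full email address, as the article requires
        "password": password,
        "scope": scope,
    }).encode()
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    return urllib.request.Request(
        token_endpoint, data=body, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded",
                 "Accept": "application/json",
                 "Authorization": f"Basic {creds}"},
    )


def classify_token_response(status: int, body: str) -> str:
    """Map a token-endpoint reply to the troubleshooting bucket it belongs to."""
    try:
        data = json.loads(body)
    except ValueError:
        # HTML or an empty body usually means the URL points at the wrong host or path.
        return "non-JSON reply: check the Issuer URL configured in Kandji"
    if status == 200 and "access_token" in data:
        return "ok: credentials accepted, IdP side is healthy"
    err = data.get("error", "unknown_error")
    desc = data.get("error_description", "")
    if "mfa" in desc.lower():
        # The 'MFA is required for this user' case from the article: a User Policy
        # is enforcing MFA on the ROPG flow, so move MFA to an App Policy instead.
        return f"mfa_required: {desc} (user-policy MFA blocks ROPG)"
    return f"{err}: {desc}".strip(": ")


def check_live(subdomain, client_id, client_secret, username, password) -> str:
    """Run both checks against the real tenant (needs network; not used by the tests)."""
    with urllib.request.urlopen(discovery_url(subdomain), timeout=15) as resp:
        doc = json.loads(resp.read().decode())
    problems = validate_discovery(doc, subdomain)
    if problems:
        return "discovery problems: " + "; ".join(problems)
    req = build_ropg_request(doc["token_endpoint"], client_id, client_secret, username, password)
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return classify_token_response(resp.status, resp.read().decode())
    except urllib.error.HTTPError as e:
        return classify_token_response(e.code, e.read().decode())


if __name__ == "__main__":
    # Usage: python3 check.py <subdomain> <client_id> <client_secret> <email> <password>
    print(check_live(*sys.argv[1:6]))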