Recent Searches

    Popular Articles

      Articles
      View all
        Topics
        View all
          Tickets
          View all
            no results

            Sorry! nothing found for

            Advanced Passport Troubleshooting

            By Nick Bickhart

            Learn Advanced Passport Troubleshooting Techniques

            When logging in at the Passport Login Window, the full email address should always be used in the username field to ensure the authentication session is connected to the IdP and not local authentication. To avoid confusion with using email addresses at the FileVault Login Window, ensure that the Managed user visibility box is unchecked on the Login Window Library Item. You can read more about this in our Passport Compatibility article.

            Kandji Passport Supported IdPs

            The current Kandji Passport supported IdPs are Google Workspace, Microsoft Entra, Okta, and OneLogin.

            Kandji Passport Other IdP Requirements

            Passport configuration requires OIDC and ROPG workflows in order to function. Please check with your IdP to verify if they support these features.

            While we do offer the option to choose Mac Login or Web Login, the recommendation would be to first set Passport up using Mac Login as there can be additional factors when configuring Web Login. As a resource, you can reference the supported configurations using Google Workspace, Microsoft Entra, Okta, or OneLogin.

            If you’re not using one of the identity providers above, it may still be possible to configure Passport by using the “Other “option.

            Configure Other IdP

            Authentication Configuration

            • When configuring an IdP other than Google Workspace, Microsoft Entra, Okta, or OneLogin, select the Other option from the Identity provider drop-down.

            Authentication Mode

            • If you do not use multi-factor authentication (MFA), you need to choose Mac Login. 6aawHMrO8vgjmZqLfkgvf9b-1fx-zWurUQ
            • If you do use multi-factor authentication (MFA), you need to choose Web Login.aqPGsaNej7JA8U2pPKJJiGlMq1KEMtP-cQ

            Mac Login

            1. Enter the Identity provider URL.
            2. Enter the Client ID of the Passport App that you created in your IdP (may also be called App ID)


            Web Login

            1. Enter the Identity Provider URL
            2. Enter the Client ID of the Passport App that you created in your IdP (may also be called App ID)


            3. When using Web Login, your app will need to support both PKCE auth as well as Post auth. Some IdPs may require configuring two different apps.
            4. The Redirect URI should be your IdP's default Redirect URI in most cases.

            Troubleshooting

            There are many factors to consider when troubleshooting Passport issues when selecting the Other option for the Passport IdP. This section assists with obtaining errors and finding the context to understand the errors in order to apply configuration changes.

            Kandji Passport Diagnostics

            If a user can't log in at the Passport login window, you can bring up Kandji Passport Diagnostics by pressing Command-Shift-K-L on the keyboard. You will see helpful information, such as error messages from your IdP.

            If you continue to experience issues with Passport, please reach out to Support about deploying a Debug Profile to gather additional information.

            Network Connectivity

            Passport requires network connectivity to check user credentials against the IdP. When customizing the login window in Passport, show the network manager so users can join a Wi-Fi network as necessary. The network manager respects AirPort security settings in macOS. As a troubleshooting step to rule out network issues, you can connect a test device to a mobile hotspot at the Passport Login Window.

            Common Errors

            Error: POST token 401 

            "error":"Unauthorized","error_description":"Authentication Failed: Invalid user credentials"

            This error indicates a mismatched password, and the password should be verified to work on the identity provider side. A 200 response on the GET request for openid-configuration would suggest that the Identity provider URL and Application ID (aka Client ID) in the Passport Library Item are configured correctly for communication to the IdP.

            Error: POST token 403 

            ”error”:”access_denied”,”error_description”:”End-user does not have access to this application”

            This error indicates the account may not have access to the Passport OIDC app on the identity provider side, and we should verify said access there. A 200 response on the GET request for openid-configuration would suggest that the Identity provider URL and Application ID (aka Client ID) in the Passport Library Item are configured correctly for communication to the IdP.

            Ticket Decode failed

            Ticket decode failed

            Failed to login with possible error: Unknown

            This is typically an issue with the optional client secret. For troubleshooting purposes, completely remove the optional client secret from the Passport library item, and make sure the device checks in. After it has checked in, log out of the local user and log back in with Passport.

            Error Code Lookup

            Many IdPs will generate their own specific error codes. Check with your IdP to see if they have a lookup page for reading more about the specific error you are receiving from them. An example of this is the error code form from Microsoft for looking up Entra errors.

            Helpful Passport Support Articles

            These supplemental Passport support articles have useful information for additional troubleshooting.

            Passport Support Ticket

            Before deploying Passport, we highly recommend that you open a ticket with Support so that we can work with you to ensure it is configured properly before deployment.

            Preview
            0 of 0