Learn Advanced Passport Troubleshooting Techniques
When logging in at the Passport Login Window, the full email address should always be used in the username field to ensure the authentication session is connected to the IdP and not local authentication. To avoid confusion with using email addresses at the FileVault Login Window, ensure that the Managed user visibility box is unchecked on the Login Window Library Item. You can read more about this in our Passport Compatibility article.
- Kandji Passport Supported IdPs
- Kandji Passport Other IdP Requirements
- Configure Other IdP
- Troubleshooting
- Passport Support Ticket
Kandji Passport Supported IdPs
The current Kandji Passport supported IdPs are Google Workspace, Microsoft Entra, Okta, and OneLogin.
Kandji Passport Other IdP Requirements
Passport configuration requires OIDC and ROPG workflows in order to function. Please check with your IdP to verify if they support these features.
While we do offer the option to choose Mac Login or Web Login, the recommendation would be to first set Passport up using Mac Login as there can be additional factors when configuring Web Login. As a resource, you can reference the supported configurations using Google Workspace, Microsoft Entra, Okta, or OneLogin.
- Passport Configuration with Google Workspace
- Passport Configuration with Microsoft Entra (formerly Azure AD)
- Passport Configuration with Okta
- Passport Configuration with OneLogin
If you’re not using one of the identity providers above, it may still be possible to configure Passport by using the “Other “option.
Configure Other IdP
Authentication Configuration
- When configuring an IdP other than Google Workspace, Microsoft Entra, Okta, or OneLogin, select the Other option from the Identity provider drop-down.
Authentication Mode
- If you do not use multi-factor authentication (MFA), you need to choose Mac Login.
- If you do use multi-factor authentication (MFA), you need to choose Web Login.
Mac Login
- Enter the Identity provider URL.
- Enter the Client ID of the Passport App that you created in your IdP (may also be called App ID)
Web Login
- Enter the Identity Provider URL
- Enter the Client ID of the Passport App that you created in your IdP (may also be called App ID)
- When using Web Login, your app will need to support both PKCE auth as well as Post auth. Some IdPs may require configuring two different apps.
- The Redirect URI should be your IdP's default Redirect URI in most cases.
Troubleshooting
There are many factors to consider when troubleshooting Passport issues when selecting the Other option for the Passport IdP. This section assists with obtaining errors and finding the context to understand the errors in order to apply configuration changes.
Kandji Passport Diagnostics
If a user can't log in at the Passport login window, you can bring up Kandji Passport Diagnostics by pressing Command-Shift-K-L on the keyboard. You will see helpful information, such as error messages from your IdP.
If you continue to experience issues with Passport, please reach out to Support about deploying a Debug Profile to gather additional information.
Network Connectivity
Passport requires network connectivity to check user credentials against the IdP. When customizing the login window in Passport, show the network manager so users can join a Wi-Fi network as necessary. The network manager respects AirPort security settings in macOS. As a troubleshooting step to rule out network issues, you can connect a test device to a mobile hotspot at the Passport Login Window.
Common Errors
Error: POST token 401
"error":"Unauthorized","error_description":"Authentication Failed: Invalid user credentials"
This error indicates a mismatched password, and the password should be verified to work on the identity provider side. A 200 response on the GET request for openid-configuration would suggest that the Identity provider URL and Application ID (aka Client ID) in the Passport Library Item are configured correctly for communication to the IdP.
Error: POST token 403
”error”:”access_denied”,”error_description”:”End-user does not have access to this application”
This error indicates the account may not have access to the Passport OIDC app on the identity provider side, and we should verify said access there. A 200 response on the GET request for openid-configuration would suggest that the Identity provider URL and Application ID (aka Client ID) in the Passport Library Item are configured correctly for communication to the IdP.
Ticket Decode failed
Ticket decode failed
Failed to login with possible error: Unknown
This is typically an issue with the optional client secret. For troubleshooting purposes, completely remove the optional client secret from the Passport library item, and make sure the device checks in. After it has checked in, log out of the local user and log back in with Passport. This error could also be related to a network condition. To rule that out, try connecting to a mobile hotspot as part of troubleshooting to see if the error is still present.
Error Code Lookup
Many IdPs will generate their own specific error codes. Check with your IdP to see if they have a lookup page for reading more about the specific error you are receiving from them. An example of this is the error code form from Microsoft for looking up Entra errors.
Helpful Passport Support Articles
These supplemental Passport support articles have useful information for additional troubleshooting.
Passport Support Ticket
Before deploying Passport, we highly recommend that you open a ticket with Support so that we can work with you to ensure it is configured properly before deployment.
If a user's name changes, it is possible to update the user's sign-in address under some circumstances. Please open a ticket with Support if you need assistance with changing a user's name in Passport.