Swif’s Identity Login Policy can replace the standard macOS login window with an Okta Single Sign-On experience. Users authenticate with their Okta credentials, and Swif provisions (or verifies) the matching local account before macOS finishes booting.
1 Prerequisites
Requirement | Details |
macOS 11 Big Sur or later | Swif Agent v1.235.0 or newer installed. |
Okta tenant | Admin rights to create an OIDC / OpenID Connect application (public or confidential). |
Swif Org Admin | Ability to create policies and assign them to Mac devices. |
2 Create an OIDC App in Okta
Sign in to your Okta Admin Console.
Navigate to Applications → Applications → Create App Integration.
Choose OIDC – OpenID Connect and Native Application (or Web, if you prefer confidential flow). Click Next.
App name: Swif macOS Login.
Sign-in redirect URIs: add http://127.0.0.1/xcreds (loopback).
Sign-out redirect URI (optional): http://127.0.0.1/logout.
Assign the app to Everyone or the groups who should log in.
After saving, copy the Client ID, Client secret (if Web/Confidential), and the Issuer URL from the Okta “.well-known” link (e.g. https://yourtenant.okta.com/.well-known/openid-configuration).
3 Create an Identity Login Policy in Swif
In the Swif console, go to Policies → Create New Policy → Identity Login Policy.
Fill the fields:
Field | Example | Description |
clientId | (Client ID copied from the Okta app) | Your Okta OIDC Client ID. |
clientSecret | (Client secret, Web/Confidential apps only) | Secret for confidential flow. |
discoveryURL | https://yourtenant.okta.com/.well-known/openid-configuration | Okta OIDC metadata. |
redirectURI | http://127.0.0.1/xcreds | Loopback URI the Swif login agent listens on. |
createAdminUser | true | Create the local macOS user as admin if it doesn’t exist. |
Tip: If you prefer the user account to be standard, set createAdminUser = false.
Save the policy.
4 Assign the Policy to Mac Devices
Select the target Macs or a Smart Group (e.g. All macOS Users).
Click Deploy.
Swif pushes a configuration profile that replaces the native login window with an Okta-backed sign-in.
5 User Login Flow
At startup, the Mac displays Sign in with Okta.
A browser opens to your Okta sign-in page; user enters credentials and completes MFA.
Swif’s login agent:
Parses the returned ID token.
Creates or unlocks the matching local account.
Proceeds to the desktop—no local password is stored.
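As an added illustration of the checks behind step 3 above (this is not Swif’s agent code and does not describe how the Swif agent is implemented), the Python below validates a returned ID token before any local account is created or unlocked: it pins the signing algorithm, checks the signature, and verifies that iss matches your tenant, aud matches the policy’s clientId, and exp has not passed, then derives a macOS short name from the Okta username. Assumptions: ISSUER and CLIENT_ID are placeholders; the token is constructed in the script and signed with HS256 so the example runs with the standard library, whereas Okta issues RS256 tokens whose keys are published at the jwks_uri in the discovery document; and the short-name mapping (local part of preferred_username, lowercased) is a hypothetical mapping, not Swif’s.

```python
import base64
import hashlib
import hmac
import json
import time

# Placeholders: substitute your tenant's issuer and the Client ID copied from Okta.
ISSUER = "https://yourtenant.okta.com"
CLIENT_ID = "<okta-client-id>"


def b64url_decode(data: str) -> bytes:
    """Decode an unpadded base64url JWT segment."""
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_demo_id_token(claims: dict, key: bytes) -> str:
    """Build a constructed HS256 ID token for this demo only.

    Okta signs real ID tokens with RS256; HMAC is used here so the example
    runs offline with the standard library. The claim checks are the same."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (b64url_encode(json.dumps(header).encode())
                     + "." + b64url_encode(json.dumps(claims).encode()))
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_id_token(token: str, key: bytes, issuer: str, client_id: str, now=None) -> dict:
    """Check signature, iss, aud and exp; raise ValueError on any failure."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header = json.loads(b64url_decode(parts[0]))
    # Pin the algorithm: the token must never choose it (e.g. alg "none").
    if header.get("alg") != "HS256":
        raise ValueError("unexpected signing algorithm")
    expected = hmac.new(key, f"{parts[0]}.{parts[1]}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(parts[2])):
        raise ValueError("signature check failed")
    claims = json.loads(b64url_decode(parts[1]))
    if claims.get("iss") != issuer:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if client_id not in audiences:
        raise ValueError("audience mismatch")
    now = int(time.time()) if now is None else now
    if int(claims.get("exp", 0)) <= now:
        raise ValueError("token expired")
    return claims


def token_is_valid(token: str, key: bytes, issuer: str, client_id: str, now=None) -> bool:
    """Boolean wrapper around verify_id_token for callers that only need a verdict."""
    try:
        verify_id_token(token, key, issuer, client_id, now)
        return True
    except ValueError:
        return False


def local_short_name(claims: dict) -> str:
    """Hypothetical mapping from the Okta username to a macOS short name:
    local part of preferred_username (or email), lowercased, unsafe characters dropped."""
    username = claims.get("preferred_username") or claims.get("email") or ""
    local_part = username.split("@", 1)[0].lower()
    short = "".join(ch for ch in local_part if ch.isalnum() or ch in "._-")
    if not short:
        raise ValueError("no usable username claim in ID token")
    return short


if __name__ == "__main__":
    demo_key = b"constructed-demo-key"  # constructed for the demo
    token = make_demo_id_token(
        {"iss": ISSUER, "aud": CLIENT_ID, "sub": "00u-demo",
         "exp": int(time.time()) + 300,
         "preferred_username": "Jane.Doe@example.com"},
        demo_key,
    )
    claims = verify_id_token(token, demo_key, ISSUER, CLIENT_ID)
    print("local account:", local_short_name(claims))
```

In production the signature step is replaced by RS256 verification against the keys at the jwks_uri from your discoveryURL (a JWT library handles key lookup and rotation); everything after that, the iss/aud/exp checks and the username-to-short-name mapping, is where the “User account not found” case from the troubleshooting table surfaces: if the derived name does not match an existing local short name, the agent has nothing to unlock.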
6 Troubleshooting
Issue | Resolution |
Login window blank | Verify the profile is installed (System Settings → Privacy & Security → Profiles). |
Redirect URI mismatch | Ensure |
Offline login fails | Okta requires online authentication; no offline tokens are cached by default. |
User account not found | Confirm the Okta username matches the macOS short name format (you may need a custom mapping—contact Swif Support). |
7 Security Considerations
Using Okta SSO disables local password authentication; keep Okta MFA enabled for maximum protection.
Test on a pilot group before enforcing fleet-wide. If the Okta tenant is unavailable, users cannot sign in.
By deploying an Identity Login Policy with Okta, you ensure every macOS sign-in is validated through your corporate IdP, unifying access control and strengthening endpoint security. For assistance, contact support@swif.ai.