
Enforcing Okta SSO at macOS Login with Swif


Swif’s Identity Login Policy replaces the standard macOS login window with an Okta Single Sign-On experience. Users authenticate with their Okta credentials, and Swif provisions (or verifies) the matching local account before the user's desktop session starts.


1 Prerequisites

  • macOS 11 Big Sur or later, with Swif Agent v1.235.0 or newer installed.

  • Okta tenant: admin rights to create an OIDC / OpenID Connect application (public or confidential).

  • Swif Org Admin: ability to create policies and assign them to Mac devices.


2 Create an OIDC App in Okta

  1. Sign in to your Okta Admin Console.

  2. Navigate to Applications → Applications → Create App Integration.

  3. Choose OIDC – OpenID Connect and Native Application (or Web, if you prefer confidential flow). Click Next.

  4. App name: Swif macOS Login.

  5. Sign-in redirect URIs: add http://127.0.0.1/xcreds (loopback).

  6. Sign-out redirect URI: (optional) http://127.0.0.1/logout.

  7. Assign the app to Everyone or the groups who should log in.

  8. After saving, copy the Client ID, the Client secret (Web/Confidential apps only), and the discovery URL, which is the Okta “.well-known” link
    (e.g. https://yourtenant.okta.com/.well-known/openid-configuration). The issuer value inside that document is the URL prefix before /.well-known.


3 Create an Identity Login Policy in Swif

  1. In the Swif console, go to Policies → Create New Policy → Identity Login Policy.

  2. Fill the fields:

  • clientId (e.g. 0oaon2q2otcGA3LOG5d7): your Okta OIDC Client ID.

  • clientSecret (e.g. vPrHl-…, if applicable): secret for the confidential (Web app) flow; leave it empty for a Native (public) app.

  • discoveryURL (e.g. https://dev-123456.okta.com/.well-known/openid-configuration): Okta OIDC metadata.

  • redirectURI (e.g. http://127.0.0.1/xcreds): loopback URI the Swif login agent listens on; it must match the URI registered in the Okta app exactly.

  • createAdminUser (e.g. true): create the local macOS user as an admin if it doesn’t exist.

Tip: If you prefer the user account to be a standard user, set createAdminUser = false.

  3. Save the policy.


4 Assign the Policy to Mac Devices

  1. Select the target Macs or a Smart Group (e.g. All macOS Users).

  2. Click Deploy.

  3. Swif pushes a configuration profile that replaces the native login window with an Okta-backed sign-in.


5 User Login Flow

  1. At startup, the Mac displays Sign in with Okta.

  2. A browser opens to your Okta sign-in page; user enters credentials and completes MFA.

  3. Swif’s login agent:

    1. Parses the returned ID token.

    2. Creates or unlocks the matching local account.

    3. Proceeds to the desktop—no local password is stored.
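Step 3 is where the security of the whole scheme is decided: the agent must reject any ID token that is not signed by Okta, not issued by the tenant named in discoveryURL, not issued to this app's clientId, expired, or not bound to the authorization request it started (nonce), before it creates or unlocks a local account. The following is an added illustration of those checks, not Swif's own code. Okta signs ID tokens with RS256 using the keys at the discovery document's jwks_uri; to keep this runnable offline with only the standard library, the demo signs with HS256 and a constructed shared secret, and the username-to-short-name mapping (local part of the email) is an assumption, not Swif's mapping.

```python
# Added example: the checks a login agent should apply to an ID token before it
# creates or unlocks a local account. Illustrative code, not Swif's.
# Okta signs ID tokens with RS256 (keys at the discovery document's jwks_uri);
# this demo signs with HS256 and a constructed secret so it runs offline with
# the standard library only. The claim checks are identical for either alg.
import base64
import hashlib
import hmac
import json
import time


class TokenError(Exception):
    """Raised for any token that must not be used to log a user in."""


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_id_token(claims: dict, secret: bytes, alg: str = "HS256") -> str:
    """Mint a demo token; alg="none" is used below only to show it is rejected."""
    header = b64url(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}".encode()
    sig = hmac.new(secret, signing_input, hashlib.sha256).digest() if alg == "HS256" else b""
    return f"{header}.{payload}.{b64url(sig)}"


def validate_id_token(token, secret, issuer, client_id, nonce, now=None, leeway=60):
    """Return the claims if every check passes, otherwise raise TokenError."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("malformed token")
    h, p, s = parts
    header = json.loads(b64url_decode(h))
    # Pin the algorithm; never let the token choose it (blocks alg=none).
    if header.get("alg") != "HS256":
        raise TokenError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise TokenError("bad signature")
    claims = json.loads(b64url_decode(p))
    # iss must equal the issuer from the discovery document named by discoveryURL.
    if claims.get("iss") != issuer:
        raise TokenError("issuer mismatch")
    aud = claims.get("aud")
    if aud != client_id and not (isinstance(aud, list) and client_id in aud):
        raise TokenError("audience mismatch: token was not issued to this app")
    if claims.get("exp", 0) + leeway < now:
        raise TokenError("token expired")
    if claims.get("iat", now) - leeway > now:
        raise TokenError("token issued in the future")
    # The nonce ties the token to the authorization request this login started.
    if claims.get("nonce") != nonce:
        raise TokenError("nonce mismatch (possible replay)")
    return claims


def local_short_name(claims: dict) -> str:
    """Assumed mapping: local part of the Okta username, restricted to safe characters."""
    username = claims.get("preferred_username") or claims.get("email") or ""
    short = username.split("@")[0].lower()
    short = "".join(c for c in short if c.isalnum() or c in "._-")
    if not short:
        raise TokenError("no usable username claim")
    return short


def resolve_account(claims: dict, existing_users: set, create_admin_user: bool) -> tuple:
    """What the agent does next: ("unlock", name, None) or ("create", name, "admin"|"standard")."""
    short = local_short_name(claims)
    if short in existing_users:
        return ("unlock", short, None)
    return ("create", short, "admin" if create_admin_user else "standard")


if __name__ == "__main__":
    secret = b"constructed-demo-secret"  # stands in for Okta's signing key
    issuer, client_id, now = "https://dev-123456.okta.com", "0oaon2q2otcGA3LOG5d7", int(time.time())
    claims = {"iss": issuer, "aud": client_id, "sub": "00u-demo", "nonce": "n-1",
              "preferred_username": "jane.doe@example.com", "iat": now - 5, "exp": now + 3600}
    ok = validate_id_token(make_id_token(claims, secret), secret, issuer, client_id, "n-1", now)
    print(resolve_account(ok, {"admin"}, create_admin_user=False))
    for bad in (make_id_token(claims, secret, alg="none"),
                make_id_token({**claims, "aud": "other-app"}, secret)):
        try:
            validate_id_token(bad, secret, issuer, client_id, "n-1", now)
        except TokenError as e:
            print("rejected:", e)
```

The order matters: the signature is checked before any claim is read, the algorithm is pinned by the verifier rather than taken from the token header, and the nonce check is what stops a captured token from a different login attempt being replayed at the login window.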


6 Troubleshooting

  • Login window blank: verify the profile is installed (System Settings → Privacy & Security → Profiles on macOS 13 and later; System Preferences → Profiles on macOS 11 and 12).

  • Redirect URI mismatch: Okta compares redirect URIs as exact strings, so ensure http://127.0.0.1/xcreds is listed in Okta and in the Swif policy with the same scheme, host, and path (localhost is not 127.0.0.1, and a trailing slash counts).

  • Offline login fails: Okta requires online authentication; no offline tokens are cached by default.

  • User account not found: confirm the Okta username matches the macOS short name format (you may need a custom mapping; contact Swif Support).
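The first two rows above (redirect URI mismatch, bad discoveryURL) are caught most cheaply before the policy is deployed at all. The check below is an added example, not Swif's code: it compares the policy fields from section 3 against what the Okta app from section 2 registered and against the discovery document, and reports the exact difference rather than a bare "mismatch". All inputs are constructed, the discovery document is embedded instead of fetched so the check runs offline, and the okta_app dictionary is an assumed shape mirroring what the admin console shows, not an Okta API object.

```python
# Added example (not Swif's code): pre-deployment consistency check for an
# Identity Login Policy against the Okta app and its discovery document.
# Inputs are constructed; the policy field names are those in the Swif table,
# the okta_app dict shape is an assumption for illustration.
from urllib.parse import urlsplit

WELL_KNOWN = "/.well-known/openid-configuration"


def uri_differences(want: str, registered: str) -> list:
    """Explain how two redirect URIs differ; Okta matches them as exact strings."""
    w, r = urlsplit(want), urlsplit(registered)
    diffs = []
    if w.scheme != r.scheme:
        diffs.append(f"scheme {w.scheme!r} vs {r.scheme!r}")
    if w.hostname != r.hostname:
        diffs.append(f"host {w.hostname!r} vs {r.hostname!r} (localhost and 127.0.0.1 are not interchangeable)")
    if w.port != r.port:
        diffs.append(f"port {w.port!r} vs {r.port!r}")
    if w.path != r.path:
        diffs.append(f"path {w.path!r} vs {r.path!r} (check trailing slashes)")
    return diffs


def check_policy(policy: dict, okta_app: dict, discovery: dict) -> list:
    """Return a list of problems; an empty list means the policy is consistent."""
    problems = []

    # Redirect URI: exact-match against what the Okta app registered.
    want = policy.get("redirectURI", "")
    registered = okta_app.get("redirect_uris", [])
    if want not in registered:
        msg = f"redirectURI {want!r} is not registered in the Okta app"
        for reg in registered:
            diffs = uri_differences(want, reg) or ["query or fragment only"]
            msg += f"; {reg!r} differs in " + ", ".join(diffs)
        problems.append(msg)

    # discoveryURL is issuer + WELL_KNOWN, and the document must name the same
    # issuer, otherwise every ID token's iss check fails at the login window.
    url = policy.get("discoveryURL", "")
    if not url.endswith(WELL_KNOWN):
        problems.append(f"discoveryURL should end with {WELL_KNOWN}")
    elif urlsplit(url).scheme != "https":
        problems.append("discoveryURL must use https; metadata over http can be tampered with")
    else:
        expected_issuer = url[: -len(WELL_KNOWN)]
        if discovery.get("issuer") != expected_issuer:
            problems.append(f"discovery issuer {discovery.get('issuer')!r} != {expected_issuer!r}")

    if policy.get("clientId") != okta_app.get("client_id"):
        problems.append("clientId does not match the Okta app's Client ID")

    # Secret handling must agree with the app type chosen in section 2.
    confidential = okta_app.get("application_type") == "web"
    if confidential and not policy.get("clientSecret"):
        problems.append("Okta app is Web (confidential) but clientSecret is empty")
    if not confidential and policy.get("clientSecret"):
        problems.append("clientSecret is set but the Okta app is Native (public); confirm it is needed")

    # The weak setting from the section 3 tip: every SSO user becomes a local admin.
    if policy.get("createAdminUser") is True:
        problems.append("createAdminUser=true makes every SSO user a local admin; use false unless required")
    return problems


if __name__ == "__main__":
    # Constructed inputs using the example values from this article.
    okta_app = {"client_id": "0oaon2q2otcGA3LOG5d7", "application_type": "native",
                "redirect_uris": ["http://127.0.0.1/xcreds"]}
    discovery = {"issuer": "https://dev-123456.okta.com"}
    policy = {"clientId": "0oaon2q2otcGA3LOG5d7", "clientSecret": "",
              "discoveryURL": "https://dev-123456.okta.com/.well-known/openid-configuration",
              "redirectURI": "http://localhost/xcreds/", "createAdminUser": True}
    for problem in check_policy(policy, okta_app, discovery) or ["policy is consistent"]:
        print("-", problem)
```

Run it with the values you are about to enter into the Swif console; a clean run means the three identifiers that must agree (redirect URI, issuer, client ID) do, which rules out the two most common causes of a Mac that boots to an Okta window and then refuses every login.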


7 Security Considerations

  • Using Okta SSO disables local password authentication at the login window; keep Okta MFA enforced for this app, since the Okta sign-in is now the only authentication step on the device.

  • Test on a pilot group before enforcing fleet-wide. If the Okta tenant is unavailable, users cannot sign in.


By deploying an Identity Login Policy with Okta, you ensure every macOS sign-in is validated through your corporate IdP, unifying access control and strengthening endpoint security. For assistance, contact support@swif.ai.
