SWIF.ai

Swif’s Identity Login Policy can replace the standard macOS login window with an Okta Single Sign-On experience. Users authenticate with their Okta credentials, and Swif provisions (or verifies) the matching local account before macOS finishes booting.

___________________________________________________________

Sign in to your Okta Admin Console.

Navigate to Applications → Applications → Create App Integration.

Choose OIDC – OpenID Connect and Native Application (or Web, if you prefer confidential flow). Click Next.

App name: <code>Swif macOS Login</code>.

Sign-in redirect URIs: add <code>http://127.0.0.1/xcreds</code> (loopback).

Sign-out redirect URI: (optional) <code>http://127.0.0.1/logout</code>.

Assign the app to Everyone or the groups who should log in.

After saving, copy the Client ID, Client secret (if Web/Confidential), and the Issuer URL from the Okta “.well-known” link (e.g. <code>https://yourtenant.okta.com/.well-known/openid-configuration</code>).

1. Sign in to your Okta Admin Console.
2. Navigate to Applications → Applications → Create App Integration.
3. Choose OIDC – OpenID Connect and Native Application (or Web, if you prefer confidential flow). Click Next.
4. App name: <code>Swif macOS Login</code>.
5. Sign-in redirect URIs: add <code>http://127.0.0.1/xcreds</code> (loopback).
6. Sign-out redirect URI: (optional) <code>http://127.0.0.1/logout</code>.
7. Assign the app to Everyone or the groups who should log in.
8. After saving, copy the Client ID, Client secret (if Web/Confidential), and the Issuer URL from the Okta “.well-known” link (e.g. <code>https://yourtenant.okta.com/.well-known/openid-configuration</code>).

3 Create an Identity Login Policy in Swif

In the Swif console, go to Policies → Create New Policy → Identity Login Policy.

1. In the Swif console, go to Policies → Create New Policy → Identity Login Policy.
2. Fill the fields:

Tip: If you prefer the user account to be standard, set <code>createAdminUser = false</code>.

Select the target Macs or a Smart Group (e.g. All macOS Users).

Swif pushes a configuration profile that replaces the native login window with an Okta-backed sign-in.

1. Select the target Macs or a Smart Group (e.g. All macOS Users).
2. Click Deploy.
3. Swif pushes a configuration profile that replaces the native login window with an Okta-backed sign-in.

At startup, the Mac displays Sign in with Okta.

A browser opens to your Okta sign-in page; user enters credentials and completes MFA.

1. Parses the returned ID token.
2. Creates or unlocks the matching local account.
3. Proceeds to the desktop—no local password is stored.

1. At startup, the Mac displays Sign in with Okta.

2. A browser opens to your Okta sign-in page; user enters credentials and completes MFA.
3. Swif’s login agent:
 1. Parses the returned ID token.
 2. Creates or unlocks the matching local account.
 3. Proceeds to the desktop—no local password is stored.

Using Okta SSO disables local password authentication; keep Okta MFA enabled for maximum protection.

Test on a pilot group before enforcing fleet-wide. If the Okta tenant is unavailable, users cannot sign in.

- Using Okta SSO disables local password authentication; keep Okta MFA enabled for maximum protection.
- Test on a pilot group before enforcing fleet-wide. If the Okta tenant is unavailable, users cannot sign in.

By deploying an Identity Login Policy with Okta, you ensure every macOS sign-in is validated through your corporate IdP, unifying access control and strengthening endpoint security. For assistance, contact <a href="mailto:support@swif.ai" rel="nofollow noopener noreferrer" target="_blank">support@swif.ai</a>.

Enforcing Okta SSO at macOS Login with Swif

Find answers and get help from Intercom Support and Community Experts

This site uses cookies and similar technologies ("cookies") as strictly necessary for site operation. We and our partners also would like to set additional cookies to enable site performance analytics, functionality, advertising and social media features. See our {cookiePolicyLink} for details. You can change your cookie preferences in our Cookie Settings.

Link, Press control-option-right-arrow to exit

Empty Help Center

Uh oh. That page doesn’t exist.

Disappointed

Neutral

Smiley

Thinking...

Searching through sources...

Analyzing...

Tickets submitted through the messenger or by a support agent in your conversation will appear here.

Requirement	Details
macOS 11 Big Sur or later	Swif Agent v1.235.0 or newer installed.
Okta tenant	Admin rights to create an OIDC / OpenID Connect application (public or confidential).
Swif Org Admin	Ability to create policies and assign them to Mac devices.

Field	Example	Description
clientId	`0oaon2q2otcGA3LOG5d7`	Your Okta OIDC Client ID.
clientSecret	`vPrHl-…` (if applicable)	Secret for confidential flow.
discoveryURL	`https://dev-123456.okta.com/.well-known/openid-configuration`	Okta OIDC metadata.
redirectURI	`http://127.0.0.1/xcreds`	Loopback URI the Swif login agent listens on.
createAdminUser	`true`	Create the local macOS user as admin if it doesn’t exist.

Issue	Resolution
Login window blank	Verify the profile is installed (System Settings → Privacy & Security → Profiles).
Redirect URI mismatch	Ensure `http://127.0.0.1/xcreds` is listed in Okta and in the Swif policy.
Offline login fails	Okta requires online authentication; no offline tokens are cached by default.
User account not found	Confirm the Okta username matches the macOS short name format (you may need a custom mapping—contact Swif Support).

Enforcing Okta SSO at macOS Login with Swif

1 Prerequisites

2 Create an OIDC App in Okta

3 Create an Identity Login Policy in Swif

4 Assign the Policy to Mac Devices

5 User Login Flow

6 Troubleshooting

7 Security Considerations