Swif’s Platform SSO Policy can replace the standard macOS login window with an Okta Single Sign-On experience. Users authenticate with their Okta credentials, and Swif provisions (or verifies) the matching local account before macOS finishes booting.
1 Prerequisites
Requirement | Details |
macOS 11 Big Sur or later | Swif Agent v1.235.0 or newer installed. |
Okta tenant | Admin rights to create an OIDC / OpenID Connect application (public or confidential). |
Swif Org Admin | Ability to create policies and assign them to Mac devices. |
2 Create an OIDC App in Okta
Sign in to your Okta Admin Console.
Navigate to Applications → Applications → Create App Integration.
Choose OIDC – OpenID Connect and Native Application (or Web, if you prefer confidential flow). Click Next.
App name:
Swif macOS Login.Sign-in redirect URIs: add
http://127.0.0.1/xcreds(loopback).
Sign-out redirect URI: (optional)
http://127.0.0.1/logout.Skip group assignment:
Assign the app to Everyone or the groups who should log in.
After saving, copy the Client ID, Client secret (if Web/Confidential), and the Issuer URL from the Okta “.well-known” link
(e.g.https://yourtenant.okta.com/.well-known/openid-configuration).
3 Create a Platform SSO Policy in Swif
In the Swif console, go to Policies → Create New Policy → Platform SSO Policy.
Fill the fields:
Field | Example | Description |
Client ID |
| Your Okta OIDC Client ID. |
Client Secret |
| Secret for confidential flow. |
Discovery URL | Okta OIDC metadata. | |
Redirect URI | Loopback URI the Swif login agent listens on. | |
Create Admin User |
| Create the local macOS user as admin if it doesn’t exist. |
Tip: If you prefer the user account to be standard, set Create Admin User = false.
Save the policy.
4 Assign the Policy to Mac Devices
Select the target Macs or a Smart Group (e.g. All macOS Users).
Click Deploy.
Swif pushes a configuration profile that replaces the native login window with an Okta-backed sign-in.
5 User Login Flow
At startup, the Mac displays Sign in with Okta.
A browser opens to your Okta sign-in page; user enters credentials and completes MFA.
Swif’s login agent:
Parses the returned ID token.
Creates or unlocks the matching local account.
Proceeds to the desktop—no local password is stored.
6 Troubleshooting
Issue | Resolution |
Login window blank | Verify the profile is installed (System Settings → Privacy & Security → Profiles). |
Redirect URI mismatch | Ensure |
Offline login fails | Okta requires online authentication; no offline tokens are cached by default. |
User account not found | Confirm the Okta username matches the macOS short name format (you may need a custom mapping—contact Swif Support). |
Error setting local password to cloud password  | There is a conflict with your password policy. You can change the cloud password or remove the password policy from the device. |
7 Security Considerations
Using Okta SSO disables local password authentication; keep Okta MFA enabled for maximum protection.
Test on a pilot group before enforcing fleet-wide. If the Okta tenant is unavailable, users cannot sign in.
By deploying a Platform SSO Policy with Okta, you ensure every macOS sign-in is validated through your corporate IdP, unifying access control and strengthening endpoint security. For assistance, contact support@swif.ai.