Welcome to our page on using Okta with NoMAD Login: NoMAD Login+ Okta (NoLo-Okta). While this is not part of the open source project, it uses the same base mechanisms to create the loginwindow plugins and otherwise interact with the system. This software is currently in beta, but is expected to be released commercially at the end of February.
NoMAD Login+ Okta 1.1.0
This project will track the NoMAD Login AD versions and have similar features.
NoLo-Okta behaves in a similar fashion to NoMAD Login AD and has all of the NoMAD Login AD mechanisms in it. While you are more than welcome to chain the mechanisms together so that users sign in to both AD and Okta before logging into the Mac, this may have unexpected consequences.
First and foremost, NoLo-Okta allows Okta authentication at the login window. When included as a mechanism in the authentication list for the system.login.console right, NoLo-Okta first checks whether the user is a local account; if so, the default behavior is to authenticate the user locally. Otherwise NoLo-Okta uses Okta's Authentication API to authenticate the user. On success the user is allowed to continue logging in.
NoLo-Okta supports most MFA factors including Okta Verify, Okta Verify with Push, Duo, Google Authenticator, SMS Authentication and Security Question.
In addition, NoLo-Okta supports password resets at the loginwindow.
NoLo-Okta can be configured to always require positive authentication to Okta and never fall back to local authentication. In addition, you can supply a list of local users to be excluded from this policy.
NoLo-Okta only needs to know your Okta domain, e.g. nomad.okta.com, to function. No changes are required to your Okta domain for it to work.
The domain is pulled from the menu.nomad.NoMADPro preference domain with the key of "AuthServer". This key needs to be pushed via MDM or from a local .mobileconfig file. A sample .mobileconfig file is included here.
NoLo-Okta also takes two other configuration keys:
DenyLocal: determines whether a user that already exists locally is denied local authentication
Array of shortnames that can still authenticate locally when the DenyLocal flag is set to true
These preferences are read from both the menu.nomad.login.okta and menu.nomad.NoMADPro preference domains. All NoMAD Login preferences can be set in either domain.
The installer package has two main components:
The plugin itself which will be installed into /Library/Security/SecurityAgentPlugins/NoMADLoginAD.bundle
authchanger, a small binary to update your authorization database, which is installed in /usr/local/bin
When finished, the loginwindow:login mechanism will be removed from the list of mechanisms for the system.login.console right and replaced with NoMADLoginOkta:CheckOkta, which initiates the Okta authentication process, and NoMADLoginOkta:CreateUser,privileged, which creates local accounts for authenticated users that do not already have one.
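The following is an added example, not part of NoMAD Login or authchanger: it checks that the system.login.console right carries the mechanism chain described above (both NoLo-Okta mechanisms present, CheckOkta before CreateUser, stock loginwindow:login gone). The plists are constructed to mirror the output of `security authorizationdb read system.login.console` so the check runs anywhere.

```python
# Added example, not part of NoMAD Login or authchanger: verify that the
# system.login.console right carries the mechanism chain described above.
# The plists below are constructed to mirror `security authorizationdb read
# system.login.console` output so the check runs on any platform.
import plistlib

# Mechanisms the page says authchanger installs, and the one it removes.
OKTA_MECHS = ["NoMADLoginOkta:CheckOkta", "NoMADLoginOkta:CreateUser,privileged"]
REPLACED_MECH = "loginwindow:login"


def check_console_right(plist_bytes):
    """Return a list of findings; an empty list means the right is as expected.

    Checks that both NoLo-Okta mechanisms are present, that CheckOkta runs
    before CreateUser (accounts must only be created after Okta succeeds),
    and that the stock loginwindow:login mechanism has been removed."""
    right = plistlib.loads(plist_bytes)
    mechs = right.get("mechanisms", [])
    findings = []
    if REPLACED_MECH in mechs:
        findings.append(f"{REPLACED_MECH} still present: authchanger did not replace it")
    missing = [m for m in OKTA_MECHS if m not in mechs]
    findings += [f"missing mechanism {m}" for m in missing]
    if not missing and mechs.index(OKTA_MECHS[0]) > mechs.index(OKTA_MECHS[1]):
        findings.append("CheckOkta must run before CreateUser,privileged")
    return findings


def sample_right(mechanisms):
    """Constructed stand-in for a `security authorizationdb read` result."""
    return plistlib.dumps({"class": "evaluate-mechanisms",
                           "mechanisms": mechanisms, "shared": True})


# Constructed, abbreviated mechanism lists: stock macOS, and after authchanger.
STOCK = ["builtin:policy-banner", "loginwindow:login", "builtin:login-begin",
         "builtin:authenticate,privileged", "loginwindow:success", "loginwindow:done"]
AFTER_AUTHCHANGER = ["builtin:policy-banner", "NoMADLoginOkta:CheckOkta",
                     "NoMADLoginOkta:CreateUser,privileged", "builtin:login-begin",
                     "builtin:authenticate,privileged", "loginwindow:success",
                     "loginwindow:done"]

if __name__ == "__main__":
    for label, mechs in (("stock", STOCK), ("after authchanger", AFTER_AUTHCHANGER)):
        print(f"{label}: {check_console_right(sample_right(mechs)) or 'OK'}")
```

On a real Mac, feed check_console_right the stdout of `security authorizationdb read system.login.console` instead of the constructed sample.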
NoLo-Okta has a 60 second timer when attempting authentication operations. If the operation has not succeeded in that time, it denies the login and starts over. This is intended to keep you from getting stuck.
Ability to do an OAuth operation to validate the user against "apps" in your Okta domain. This will allow you to provision users from your Okta dashboard so they can sign in to systems running NoLo-Okta.
Ability to determine if Okta users are admins or not on the machine based upon Okta provisioning.
Ability to allow only one user to have an account created locally. After that, any subsequent Okta authentications would have to come from a specific group of users.
Here you can find the NoMAD Login+ Okta Public Beta 1 and a sample .mobileconfig file.