With 1Password Device Trust (Kolide) and Okta, you can make sure every device is known, secure, and compliant before it can access company applications, and empower your team to remediate their own device health issues with step-by-step instructions.
Before you begin
Before you can set up 1Password Device Trust (Kolide) and Okta, you’ll need the following:
- 1Password Device Trust
- An Okta instance with the following products added:
- Basic or Adaptive Single Sign-on
- Basic or Adaptive Multi-factor Authentication
- Universal Directory
- Lifecycle Management
- Okta Identity Engine
- To see if you have Okta Identity Engine, sign in to your Okta admin portal and look for the letter “E” at the end of the version number in the footer. If you don’t see the letter “E”, learn how to upgrade.
These steps were recorded in March 2025 and may have changed since. Refer to the Okta documentation for the most up-to-date steps.
Step 1: Create a Kolide-enabled group in Okta
To test the implementation and make sure it works the way you want it to, first create a Kolide-enabled group with test users. You can use this test group to give specific people access to Kolide as administrators or end users during your testing.
To get started, open two browser windows side-by-side. In one window, sign in to Kolide, and in the other window, sign in to your Okta portal with an account that has super administrator privileges: https://${yourOktaDomain}-admin.okta.com.
- In the sidebar of your Okta administrative portal, select Directory, then choose Groups.
- Select Add group in the top right corner.
- Enter Kolide Enabled as the name, then select Save.
- Select the Kolide Enabled group, then choose Assign people.
- Add the people you want to test Kolide, then select Done.
Step 2: Set up SAML SSO for Kolide
Step 2.1: Configure basic settings for SAML SSO
- In the sidebar of your Okta administrative portal, select Applications, then choose Applications.
- Select Create App Integration and choose SAML 2.0, then select Next.
- Enter Kolide SSO as the name, then download this image and upload it as the logo.
- Leave Do not display application icon to users turned off, then select Next.
Step 2.2: Copy SSO values from Kolide to Okta
- In the Kolide window, select your avatar in the top right and choose Settings.
- Select Identity Providers.
- Select Add Provider, then choose Okta.
- Select Set Up Single Sign-On Provider.
- Copy the Kolide ACS URL value into the Single sign-on URL field in Okta.
- Copy the Kolide Entity ID value into the Audience URI (SP Entity ID) field in Okta.
- Set the remaining settings to the following:
- Name ID format: Choose Unspecified.
- Application username: Choose Okta username.
- Update application username on: Choose Create and update.
- Scroll down and select Next, then select Finish.
Step 2.3: Copy SSO values from Okta to Kolide
- In your Okta administrative portal, select View SAML setup instructions.
- Copy the Identity Provider Single Sign-On URL value in Okta into the Provider SSO URL field in Kolide.
- Copy the X.509 Certificate value in Okta into the X.509 Certificate field in Kolide.
- Select Save Settings, then close the “How to Configure SAML 2.0 for Device Trust Application” tab in your Okta browser window.
Step 3: Set up SCIM provisioning for Kolide
Step 3.1: Configure SCIM settings in Okta
- In your Okta administrative portal, select the General tab for the Kolide SSO application.
- Select Edit in the App Settings section, then choose SCIM in the Provisioning section and select Save.
- Select the Provisioning tab, then select Edit.
- In the Kolide window, select the Identity Provider tab, then select Set Up User Provisioning.
- In Okta, configure the available settings to the following:
- SCIM connector base URL: Enter https://app.kolide.com/scim/v2.
- Unique identifier field for users: Enter userName.
- Supported provisioning actions: Turn on Push New Users, Push Profile Updates, and Push Groups.
- Authentication Mode: Choose HTTP Header.
- Select Generate Authorization Bearer Token in Kolide, then copy the bearer token value into the Token field in Okta.
Consider saving the bearer token in 1Password in case you need to access it again in the future.
- In Okta, select Edit in the Provisioning to App section.
- Turn on Create Users, Update User Attributes, and Deactivate Users, then select Save.
- In Kolide, select I’ve Saved The Token, Finish Set Up.
Step 3.2: Provision the Kolide-enabled group
- In Okta, select the Assignments tab, then select Assign > Assign to Group.
- Select Assign beside the Kolide Enabled group, then select Save and Go Back > Done.
- In the Kolide window, select Enable in the SCIM Setup section.
Step 4: Add Kolide as an IdP Authenticator in Okta
Step 4.1: Create the Kolide IdP in Okta
- In the sidebar of your Okta administrative portal, select Security, then choose Identity Providers.
- Select Add identity provider, then choose SAML 2.0 IdP and select Next.
- Configure the available settings to the following:
- Name: Enter Kolide.
- IdP Usage: Choose Factor only.
- Use Persistent Name ID: Deselect this option.
- IdP Issuer URI, IdP Single Sign-On URL, and Destination: Enter https://auth.kolide.com/saml.
- IdP Signature Certificate: Download this certificate, then select Browse files in Okta and choose the certificate file.
- Select Finish.
Step 4.2: Configure the IdP settings in Kolide
- In the Kolide window, select the Identity Providers tab, then choose Set Up Authenticator.
- Copy the IdP ID value in Okta into the IdP ID field in Kolide.
- Copy the Assertion Consumer Service URL value in Okta into the Assertion Consumer Service URL field in Kolide.
- Copy the Audience URI value in Okta into the Audience URI field in Kolide.
- In the sidebar of your Okta administrative portal, select Identity Providers.
- Select Actions for the Kolide identity provider and choose Download Certificate.
- In Kolide, drag the certificate file into the Certificate field, then select Save Configuration.
- Select the vertical ellipsis icon in Kolide, then choose Make Primary.
Important
If you use a custom domain with Okta, make sure to use the Okta domain in the Assertion Consumer Service URL field instead of your custom domain.
Example: https://yourdomain.okta.com, not https://login.yourdomain.com
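Two pre-flight checks, added here as an example and not part of the 1Password or Okta documentation: one enforces the note above (the Assertion Consumer Service URL must stay on the *.okta.com domain even when a custom domain is in use), the other verifies that an X.509 certificate copied between Okta and Kolide (Steps 2.3 and 4.2) parses and is not about to expire. It assumes the openssl CLI is installed; the self-signed certificate it generates is a constructed stand-in for the real IdP certificate.

```shell
#!/bin/sh
# Added example, not from the article. Pre-flight checks for values copied
# between Okta and Kolide. Assumes the openssl CLI is available.

# check_acs_url URL
# Passes (exit 0) only for an https URL whose host is on the *.okta.com domain,
# per the note that a custom Okta domain must not be used in the ACS URL field.
check_acs_url() {
  case "$1" in https://*) ;; *) return 1 ;; esac
  host=$(printf '%s\n' "$1" | sed -E 's|^https://([^/?#:]+).*|\1|')
  case "$host" in
    *.okta.com) return 0 ;;
    *) return 1 ;;
  esac
}

# check_idp_cert FILE [DAYS]
# Exit 2 if FILE is not a parseable PEM certificate, 1 if it expires within
# DAYS (default 30), 0 otherwise. Run this on the certificate before pasting it.
check_idp_cert() {
  openssl x509 -in "$1" -noout >/dev/null 2>&1 || return 2
  openssl x509 -in "$1" -noout -checkend $(( ${2:-30} * 86400 )) >/dev/null 2>&1 || return 1
  return 0
}

# make_sample_cert FILE DAYS
# Constructed sample: a throwaway self-signed certificate standing in for the
# IdP signing certificate downloaded from Okta.
make_sample_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1" \
    -subj "/CN=sample-idp" -days "$2" >/dev/null 2>&1
}

# Demo with the article's example hosts and a constructed certificate.
tmp=$(mktemp -d)
make_sample_cert "$tmp/idp.pem" 365
check_idp_cert "$tmp/idp.pem" 30 && echo "certificate parses and is valid for 30+ days"
check_acs_url "https://yourdomain.okta.com" && echo "ACS URL host is an Okta domain"
check_acs_url "https://login.yourdomain.com" || echo "ACS URL uses a custom domain; use the okta.com domain instead"
rm -rf "$tmp"
```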
Step 4.3: Add the Kolide IdP authenticator to Okta
- In the sidebar of your Okta administrative portal, select Authenticators.
- Select Add authenticator, then select Add in the IdP Authenticator section.
If you add an IdP Authenticator, you’ll need to remove any previously configured IdP authenticator to continue.
- Choose Kolide in the Identity Provider dropdown menu, then select Add.
- Select the Enrollment tab, then select Actions > Edit for the default policy.
- Set Device Trust (IdP) to Disabled.
Step 4.4: Create an authenticator enrollment policy for Kolide
- In the sidebar of your Okta administrative portal, select Authenticators.
- Select Add a policy, then enter Kolide Enrollment Policy in the “Policy name” field.
- Assign the Kolide Enabled group to the policy.
- Disable any authenticators that your organization doesn’t use, then select Create policy.
- Enter Default in the “Rule name” field, then select Create rule.
- Make sure the Default rule is at the top of the rules list.
Step 4.5: Add Kolide to an authentication policy
- In the sidebar of your Okta administrative portal, select Authentication Policies.
- Select the authentication policy you want to add Kolide to.
- Select Add rule and enter Kolide Protected in the “Rule name” field.
- Choose At least one of the following groups in the “User’s group membership includes” dropdown menu.
- Add the Kolide Enabled group as an included group.
- Scroll down, then choose Allow specific authentication methods in the “Authentication methods” section.
- Choose Device Trust (IdP) as the authentication method to allow.
- Scroll down to the “When to prompt for authentication” section, then configure these settings to the following:
- Prompt for password authentication: Choose When it’s been over a specified length of time, then set the “Time since last sign in” options to values that match your organization’s policies.
- Prompt for all other factors of authentication: Choose When it’s been over a specified length of time, then set the “Time since last sign in” options to values that match your organization’s policies.
- Select Save.
You may need to scroll to the bottom again and select Save anyway to continue.
- Make sure the Kolide Protected rule is at the top of the authentication policies list.
Step 5: Test authentication using Kolide
To test the sign-in flow in Okta with Kolide, you can access an app that’s protected by the authentication policy you defined in Okta in the previous step. If you already have the Kolide agent installed, Kolide will verify your device’s health. Otherwise, Kolide will instruct you to install the agent to continue.
If you don’t see Kolide when you try to sign in to an app, try accessing an app through Okta using a private or incognito window in your browser.
Step 6 (Optional): Set up an authentication method chain
To allow your team to authenticate with Kolide along with other authentication methods, you can set up an authentication method chain in Okta. For example, you can choose to create:
- A three-factor authentication flow with your choice of authenticators, such as a password, Okta Verify, and Kolide.
- A passwordless authentication flow with Okta FastPass and Kolide.
- To allow the option for password-based authentication, you could also create a secondary chain within this flow with passwords and Kolide as the selected factors.
Learn more about how to set up an authentication method chain.
Get help
If your team sees multiple authenticator options when accessing an application, but you only want Kolide to be available, review your authentication policy rules for that application to make sure that:
- Kolide is the only authenticator permitted after a password.
- You’ve separated authenticators by “and” instead of “or” if you’re using an authentication method chain.
To make sure that Kolide secures applications when accessed outside of your Okta dashboard, create an authentication policy for the applications you want to always protect with Kolide, then require Kolide in a rule within that policy.
If you have team members who should be excluded from Kolide, but they’re still prompted to enroll in Kolide, make sure to scope your authenticator enrollment policy to your Kolide Enabled group so it only applies to team members who use Kolide.
Learn more