Troubleshoot Device-Bound SSO issues

Early Access release

Use this guide to resolve common issues when deploying or using the Device-Bound Single Sign-On feature.

Signed-in user gets prompted for MFA

The user is signed in on their device but still receives an MFA prompt when opening an Okta-protected app in their browser.

Possible causes and resolutions:

  1. The user hasn't provided an authenticator that satisfies the requirements of the app sign-in policy.

    To resolve this issue, modify the app sign-in policy so that it requires a factor provided by the user's Desktop MFA flow.

  2. The user signed in to the device while the system was offline. Because Device-Bound SSO is an online-only feature, the device session requires a connection to Okta.

    To start the device session, ensure that the user is online and performs an online authentication, for example through Okta FastPass in the browser.

  3. The user isn't enrolled in Okta FastPass on that specific device.

    To resolve this issue, have the user open the Okta Verify app and confirm their Okta FastPass enrollment status.

Open Okta Verify prompt appears repeatedly on macOS

The Early Access release of Device-Bound SSO requires use of the loopback mechanism to access the Platform SSO keys stored in the Secure Enclave.

As the macOS credential single sign-on extension isn't used, Okta Verify must be running for Device-Bound SSO to function properly.

To resolve this issue, try the following options:

  • Ensure that the Okta Verify app is running.

  • Add Okta Verify as a Managed Login Item in your MDM.

Device isn't recognized as Okta-joined

Although the authentication policy contains the condition device.provider.deviceAccess.joined == true, the device doesn't appear in the Universal Directory.

To resolve this issue, try the following options:

  1. Validate the client configurations for your operating system.

  2. Ensure that the Device Access certificate was successfully issued to the device.

Limitations

  • Okta doesn't create or maintain a device session if the device is offline.

  • Unlike Windows, signing in to the macOS desktop doesn't automatically create a device session. To establish the session, users must sign in to an Okta-protected app using an online authentication method.

  • Device-Bound Single Sign-On isn't supported for standard users on macOS 14 Sonoma.