With Magic Leap OS 1.3.1, users with a Developer Pro or Enterprise license can integrate their own enterprise user authentication with Magic Leap 2. The Multiple users feature will need to be enabled as well.
Setting up enterprise user authentication provider on device requires that you already have Wi-Fi setup and are connected. You will need to generate a QR code to login using an identity provider on Magic Leap 2. An IT admin should generate the QR code for login.
Supported Identity Providers
Generating a QR Code
Your identity provider should offer endpoints, similar to the below example in Azure Active Directory. Copy the JSON and generate a QR code from it. Save the QR code, it will be used to setup enterprise authentication on the device.
"authorization_scope": "openid email profile offline_access",
Note: "redirect_uri" must be set to:
The below GIF highlights the QR code generation process using https://www.the-qrcode-generator.com/.
Setup the Identity Provider on Device
With the QR code ready, the Magic Leap 2's Admin user will need to set the device up and make sure Wi-Fi has been configured. Once initial set-up is completed, Multiple Users mode will need to be enabled. In the Multiple Users settings screen, select "Enable Identity Validation (OIDC/OAuth2)".
If the JSON used to generate the QR code is valid, a success message will be displayed. If the QR is invalid, an error message will pop-up notifying the IT Admin of an invalid configuration.
Adding a New User
The end-user will walk through the setup process. Users will first be prompted to login to their account with the identity-provider on their Magic Leap 2. Upon a successful login, the user will be directed to the App Launcher.
Signing Users Out
The Admin for the identity provider can revoke access to users by utilizing their provider's session end functionality.
For example: in Azure Active Directory, an admin can log all users out by clicking “Sign Out of All Sessions” in the "Users" section of the Admin Portal, while an individual user can have a session ended by selecting "Revoke Sessions" on the individual user's account. This does not remove the user from the Magic Leap 2. A user can still sign-in again on their next login of the device.