Attention: To provide the best possible AR experience for our customers and support our ecosystem moving forward, we are unlocking all enterprise features to all Magic Leap 2 devices in the OS 1.12.0 release.
With Magic Leap OS 1.3.1, users with a Developer Pro or Enterprise license can integrate their own enterprise user authentication with Magic Leap 2. The Multiple Users feature must also be enabled.
Pre-Requisites
Setting up an enterprise user authentication provider on the device requires that Wi-Fi is already set up and connected. You will need to generate a QR code that is used to log in through an identity provider on Magic Leap 2. An IT admin should generate this QR code.
Supported Identity Providers
Magic Leap 2 supports OAuth2/OIDC-based solutions; examples include Azure Active Directory and Okta. IT Admins will need to create an app or client within the solution for the Magic Leap 2.
Generating a QR Code
Your identity provider should offer endpoints similar to those in the Azure Active Directory example below. Copy the JSON and generate a QR code from it. Save the QR code; it will be used to set up enterprise authentication on the device.
{
  "client_id": "##-example_ID",
  "redirect_uri": "com.magicleap.oauth://oauth2_callback",
  "end_session_redirect_uri": "https://login.microsoftonline.com/organizations/oauth2/v2.0/logout",
  "authorization_scope": "openid email profile offline_access",
  "authorization_endpoint_uri": "https://login.microsoftonline.com/organizations/oauth2/v2.0/authorize",
  "token_endpoint_uri": "https://login.microsoftonline.com/organizations/oauth2/v2.0/token",
  "registration_endpoint_uri": "",
  "user_info_endpoint_uri": "https://graph.microsoft.com/oidc/userinfo",
  "end_session_endpoint": "https://login.microsoftonline.com/organizations/oauth2/v2.0/logout",
  "https_required": true
}
Note: "redirect_uri" must be set to:
"com.magicleap.oauth://oauth2_callback"
The below GIF highlights the QR code generation process using https://www.the-qrcode-generator.com/.
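Because the device only reports "invalid configuration" after the QR code has been scanned, it is worth checking the JSON before printing it. The following Python script is an added example, not part of Magic Leap's documentation or tooling: it builds the configuration in the key layout shown above from a standard OpenID Connect discovery document (the JSON a provider serves at /.well-known/openid-configuration, whose key names such as authorization_endpoint and token_endpoint come from the OIDC Discovery specification), then checks the constraints this page states (the fixed redirect_uri, https endpoints when https_required is true) plus the OIDC requirement that the scope include openid. The sample discovery document is constructed inline so the script runs offline; the mapping between discovery keys and Magic Leap key names is an assumption based on the example JSON above.

```python
import json
from urllib.parse import urlparse

# Constructed sample of an OIDC discovery document; the values mirror the
# page's Azure AD example and are not fetched from a live tenant.
SAMPLE_DISCOVERY = {
    "issuer": "https://login.microsoftonline.com/organizations/v2.0",
    "authorization_endpoint": "https://login.microsoftonline.com/organizations/oauth2/v2.0/authorize",
    "token_endpoint": "https://login.microsoftonline.com/organizations/oauth2/v2.0/token",
    "userinfo_endpoint": "https://graph.microsoft.com/oidc/userinfo",
    "end_session_endpoint": "https://login.microsoftonline.com/organizations/oauth2/v2.0/logout",
}

# The page requires exactly this redirect URI.
REQUIRED_REDIRECT_URI = "com.magicleap.oauth://oauth2_callback"

# Key names taken from the example JSON on this page.
REQUIRED_KEYS = (
    "client_id", "redirect_uri", "end_session_redirect_uri", "authorization_scope",
    "authorization_endpoint_uri", "token_endpoint_uri", "registration_endpoint_uri",
    "user_info_endpoint_uri", "end_session_endpoint", "https_required",
)
ENDPOINT_KEYS = (
    "end_session_redirect_uri", "authorization_endpoint_uri", "token_endpoint_uri",
    "registration_endpoint_uri", "user_info_endpoint_uri", "end_session_endpoint",
)


def build_config(discovery, client_id, scope="openid email profile offline_access"):
    """Map standard OIDC discovery keys onto the Magic Leap 2 key names (assumed mapping)."""
    return {
        "client_id": client_id,
        "redirect_uri": REQUIRED_REDIRECT_URI,
        "end_session_redirect_uri": discovery.get("end_session_endpoint", ""),
        "authorization_scope": scope,
        "authorization_endpoint_uri": discovery["authorization_endpoint"],
        "token_endpoint_uri": discovery["token_endpoint"],
        # Left blank when the provider does not publish one, as in the page example.
        "registration_endpoint_uri": discovery.get("registration_endpoint", ""),
        "user_info_endpoint_uri": discovery.get("userinfo_endpoint", ""),
        "end_session_endpoint": discovery.get("end_session_endpoint", ""),
        "https_required": True,
    }


def validate_config(config):
    """Return a list of problems; an empty list means every check passed."""
    problems = [f"missing key: {k}" for k in REQUIRED_KEYS if k not in config]
    if problems:
        return problems
    if config["redirect_uri"] != REQUIRED_REDIRECT_URI:
        problems.append(f"redirect_uri must be {REQUIRED_REDIRECT_URI!r}")
    if not isinstance(config["https_required"], bool):
        problems.append("https_required must be a JSON boolean")
    if "openid" not in config["authorization_scope"].split():
        problems.append("authorization_scope must include 'openid' for an OIDC login")
    for key in ENDPOINT_KEYS:
        value = config[key]
        if value == "":
            continue  # optional endpoint intentionally left blank
        parsed = urlparse(value)
        if not parsed.netloc:
            problems.append(f"{key} is not an absolute URL: {value}")
        elif config["https_required"] is True and parsed.scheme != "https":
            problems.append(f"{key} is not https: {value}")
    return problems


def qr_payload(config):
    """Compact JSON string with stable key order, ready to paste into a QR generator."""
    return json.dumps(config, separators=(",", ":"), sort_keys=True)


if __name__ == "__main__":
    cfg = build_config(SAMPLE_DISCOVERY, "##-example_ID")
    issues = validate_config(cfg)
    print("OK" if not issues else "\n".join(issues))
    print(qr_payload(cfg))
```

The QR code itself carries nothing but this JSON string, so the payload printed by qr_payload is exactly what you paste into the generator; keeping the key order stable makes it easy to diff the QR contents against the configuration you reviewed.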
Set up the Identity Provider on Device
With the QR code ready, the Magic Leap 2's Admin user will need to set up the device and make sure Wi-Fi has been configured. Once initial setup is complete, Multiple Users mode will need to be enabled. In the Multiple Users settings screen, select "Enable Identity Validation (OIDC/OAuth2)".
You'll be prompted to scan a QR Code. Scan the QR Code generated in the Generating a QR Code section.
If the JSON used to generate the QR code is valid, a success message is displayed. If the QR code is invalid, an error message pops up notifying the IT Admin of an invalid configuration.
Adding a New User
The end user walks through the setup process. Users are first prompted to log in to their account with the identity provider on their Magic Leap 2. Upon a successful login, the user is directed to the App Launcher.
Revoking Access
Signing Users Out
The Admin for the identity provider can revoke access for users by using their provider's session-end functionality.
For example, in Azure Active Directory an admin can log all users out by clicking "Sign Out of All Sessions" in the "Users" section of the Admin Portal, while an individual user's session can be ended by selecting "Revoke Sessions" on that user's account. This does not remove the user from the Magic Leap 2: the user can still sign in again the next time they log in on the device.