Enterprise users can log into the Magic Leap device and the Device Manager using their enterprise credentials. The Device Manager delegates authentication to a third-party identity management service, Okta. Any identity source that Okta supports (for example Active Directory or LDAP) can therefore serve as the single sign-on source for Magic Leap devices. The diagram below shows how Magic Leap manages the connection between Okta, the Device Manager and the Magic Leap device. The connection from Okta to the enterprise user directory is set up and managed by the enterprise customer; for more information on that connection, see the links at the bottom of this article.
The administrator identified within your organization will be set up in Okta by the Magic Leap team and will receive an activation email from Okta explaining how to access the site.
Administrators need to install the Okta Verify app from the app store for their mobile platform; it is required to authenticate into the Admin section of Okta.
On the first login to your Okta instance, the administrator is required to change their password.
Password requirements: at least 8 characters, including a lowercase letter, an uppercase letter and a number, and no part of your username. Your password cannot be any of your last 4 passwords.
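The password policy above can be checked before an administrator submits a new password. The following is an added example, not Magic Leap's or Okta's own code. One detail is not stated on the page and is assumed here: "no parts of your username" is implemented by splitting the username on common delimiters (. - _ @ # and spaces) and rejecting any part of at least 3 characters that appears in the password, case-insensitively; Okta's exact splitting rule may differ. Password history is kept as salted PBKDF2 digests rather than plaintext.

```python
"""Pre-check a candidate password against the Okta password policy quoted above.

Added example, not Magic Leap's or Okta's code. Assumed (not on the page): the
username is split on . - _ @ # and whitespace, and parts of 3+ characters are
checked against the password case-insensitively.
"""
import hashlib
import os
import re

MIN_LENGTH = 8
HISTORY_SIZE = 4                          # cannot reuse any of the last 4 passwords
USERNAME_DELIMITERS = r"[.\-_@#\s]+"      # assumption, see module docstring
MIN_USERNAME_PART = 3                     # assumption, see module docstring
PBKDF2_ROUNDS = 100_000


def history_entry(password: str) -> tuple:
    """Store password history as (salt, PBKDF2-SHA256 digest), never as plaintext."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def in_recent_history(password: str, history: list) -> bool:
    """True if the password matches any of the last HISTORY_SIZE history entries."""
    return any(
        hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS) == digest
        for salt, digest in history[-HISTORY_SIZE:]
    )


def username_parts(username: str) -> list:
    """'jane.doe@example.com' -> ['jane', 'doe', 'example', 'com'] (lowercased)."""
    return [p.lower() for p in re.split(USERNAME_DELIMITERS, username)
            if len(p) >= MIN_USERNAME_PART]


def check_password(password: str, username: str, history: list) -> list:
    """Return the list of violated rules; an empty list means the password is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[a-z]", password):
        problems.append("no lowercase letter")
    if not re.search(r"[A-Z]", password):
        problems.append("no uppercase letter")
    if not re.search(r"[0-9]", password):
        problems.append("no number")
    lowered = password.lower()
    for part in username_parts(username):
        if part in lowered:
            problems.append(f"contains part of username: {part!r}")
    if in_recent_history(password, history):
        problems.append(f"matches one of the last {HISTORY_SIZE} passwords")
    return problems


if __name__ == "__main__":
    user = "jane.doe@example.com"                      # constructed sample username
    old = [history_entry(p) for p in ("Winter2021!", "Spring2022!")]
    for candidate in ("Sh0rt", "janeDoe123", "Spring2022!", "Tr0ub4dor&3"):
        print(candidate, "->", check_password(candidate, user, old) or "OK")
```

Only the last four history entries are consulted, so a password that was five changes ago is accepted again, matching the stated rule.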
To add additional users to Okta, open a web browser and navigate to the Okta instance provided in your activation email (e.g. https://ml-customer.okta.com).
Set up Okta Verify
When you log in for the first time you will be presented with the Set up multi-factor authentication screen.
Select iOS, Android, or Windows to configure Okta Verify for your platform of choice.
Open Okta Verify, tap Add Account and scan the QR code shown in the browser.
Once the account has been added on your mobile device, click the Admin button in the upper right-hand corner and enter the code from Okta Verify to authenticate into the Admin console.
Click Directory on the toolbar and then People.
Next, click Add Person.
User Accounts
Adding Non-Administrators
For non-administrators, type in the user's information and click Save.
Adding Device Manager Administrators
Type in the user's information and add the user to the appropriate security group by typing the group's name. For Device Manager administrators, add the group ml-primary-enterprise-users (the name must match exactly).
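The same two steps (create the person, then add them to ml-primary-enterprise-users only when they must administer devices) can be scripted against the Okta Management API. The following is an added example, not Magic Leap's or Okta's own code. It uses the Okta endpoints POST /api/v1/users?activate=true, GET /api/v1/groups?q=... and PUT /api/v1/groups/{groupId}/users/{userId}; the org URL and SSWS API token are placeholders, and FakeOkta is a constructed in-memory stand-in so the flow can be exercised offline before it is pointed at a real org.

```python
"""Create an Okta user and optionally add them to the Device Manager admin group.

Added example, not Magic Leap's or Okta's code. Org URL and API token are
placeholders; FakeOkta is a constructed stand-in for the three endpoints used.
"""
import json
import urllib.parse
import urllib.request
from typing import Callable, Optional

ADMIN_GROUP = "ml-primary-enterprise-users"   # predefined group named on the page
# A sender takes (method, path-with-query, JSON body) and returns the parsed JSON reply.
Sender = Callable[[str, str, Optional[dict]], object]


def okta_sender(org_url: str, api_token: str) -> Sender:
    """Real transport: every request carries the SSWS API token (placeholder values)."""
    def send(method: str, url: str, body: Optional[dict] = None):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(org_url + url, data=data, method=method, headers={
            "Authorization": f"SSWS {api_token}",
            "Accept": "application/json",
            "Content-Type": "application/json",
        })
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)
    return send


def find_group_id(send: Sender, name: str) -> str:
    """Resolve the group ID. The `q` parameter is a prefix search, so insist on an
    exact, unique name match rather than granting access via a lookalike group."""
    matches = send("GET", "/api/v1/groups?q=" + urllib.parse.quote(name), None)
    exact = [g for g in matches if g["profile"]["name"] == name]
    if len(exact) != 1:
        raise LookupError(f"expected exactly one group named {name!r}, found {len(exact)}")
    return exact[0]["id"]


def add_user(send: Sender, first: str, last: str, email: str,
             device_manager_admin: bool = False) -> dict:
    """Create the user (Okta sends the activation email) and add the admin group only on request."""
    user = send("POST", "/api/v1/users?activate=true", {
        "profile": {"firstName": first, "lastName": last, "email": email, "login": email},
    })
    result = {"user_id": user["id"], "groups": []}
    if device_manager_admin:
        group_id = find_group_id(send, ADMIN_GROUP)
        send("PUT", f"/api/v1/groups/{group_id}/users/{user['id']}", None)
        result["groups"].append(ADMIN_GROUP)
    return result


class FakeOkta:
    """Constructed stand-in for the three endpoints, including a lookalike group
    whose name shares the admin group's prefix."""
    def __init__(self):
        self.users = {}
        self.groups = {
            "00g1": {"id": "00g1", "profile": {"name": ADMIN_GROUP}},
            "00g2": {"id": "00g2", "profile": {"name": ADMIN_GROUP + "-readonly"}},
        }
        self.members = {"00g1": set(), "00g2": set()}

    def __call__(self, method: str, url: str, body: Optional[dict] = None):
        path, _, query = url.partition("?")
        params = urllib.parse.parse_qs(query)
        if method == "POST" and path == "/api/v1/users":
            uid = f"00u{len(self.users) + 1}"
            self.users[uid] = {"id": uid, "status": "PROVISIONED", "profile": body["profile"]}
            return self.users[uid]
        if method == "GET" and path == "/api/v1/groups":
            prefix = params.get("q", [""])[0]
            return [g for g in self.groups.values() if g["profile"]["name"].startswith(prefix)]
        if method == "PUT" and path.startswith("/api/v1/groups/"):
            group_id, _, uid = path[len("/api/v1/groups/"):].split("/")
            self.members[group_id].add(uid)
            return {}
        raise ValueError(f"unexpected request {method} {url}")


if __name__ == "__main__":
    okta = FakeOkta()   # swap for okta_sender("https://ml-customer.okta.com", "<api token>")
    print(add_user(okta, "Jane", "Doe", "jane.doe@example.com"))
    print(add_user(okta, "Sam", "Admin", "sam.admin@example.com", device_manager_admin=True))
    print({g: sorted(m) for g, m in okta.members.items()})
```

The exact-name check in find_group_id is the part worth keeping when adapting this: because group membership is the only thing that gates Device Manager access, a prefix match that silently picks a differently named group would either deny a legitimate administrator or grant the wrong group.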
Access to the Device Manager
To log in to the Device Manager, an individual within your organization must first be granted permission in Okta by Magic Leap. Once Magic Leap provisions this initial administrator, that administrator adds the desired users to the predefined Okta security group ml-primary-enterprise-users. This group is ONLY for users who need to configure and manage devices within your organization.
This group may also be synced from a compatible Active Directory or LDAP directory using Okta's group sync feature. The screenshot below shows how to add a user to the group directly in Okta.
There are no additional permissions inside the Device Manager: every feature is available to any user who can log into the site. Membership in ml-primary-enterprise-users is therefore the only access control for the Device Manager, so keep the group small and review its membership regularly.
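Because membership alone grants every Device Manager feature, the group is worth auditing on a schedule. The following is an added example, not Magic Leap's or Okta's own code. Its input is the JSON that Okta returns from GET /api/v1/groups/{groupId}/users (only the id, status, lastLogin and profile.login fields are used); SAMPLE_MEMBERS is constructed sample data, APPROVED_ADMINS stands in for a list your organization maintains, and the 90-day idle threshold is an assumption. If the group is synced from Active Directory or LDAP, run the same comparison against the source group, since that is where membership is actually decided.

```python
"""Review the membership of ml-primary-enterprise-users against an approved list.

Added example, not Magic Leap's or Okta's code. SAMPLE_MEMBERS is constructed in
the shape of Okta's GET /api/v1/groups/{groupId}/users reply; APPROVED_ADMINS and
MAX_IDLE are assumptions.
"""
import json
from datetime import datetime, timedelta, timezone

SAMPLE_MEMBERS = json.loads("""[
  {"id": "00u1", "status": "ACTIVE", "lastLogin": "2023-03-01T09:12:00.000Z",
   "profile": {"login": "sam.admin@example.com"}},
  {"id": "00u2", "status": "ACTIVE", "lastLogin": "2022-06-20T16:45:00.000Z",
   "profile": {"login": "former.it@example.com"}},
  {"id": "00u3", "status": "PROVISIONED", "lastLogin": null,
   "profile": {"login": "contractor@example.com"}}
]""")
APPROVED_ADMINS = {"sam.admin@example.com", "new.admin@example.com"}
MAX_IDLE = timedelta(days=90)   # assumption: admins idle longer than this are flagged


def parse_okta_time(value):
    """Okta timestamps look like 2023-03-01T09:12:00.000Z; lastLogin is null if never logged in."""
    if value is None:
        return None
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def audit_admin_group(members, approved, now, max_idle=MAX_IDLE):
    """Return (finding, login, ...) tuples for anything that needs a human decision."""
    approved = {a.lower() for a in approved}
    findings, present = [], set()
    for m in members:
        login = m["profile"]["login"].lower()
        present.add(login)
        if login not in approved:
            findings.append(("unapproved_member", login))        # remove, or approve explicitly
        if m["status"] != "ACTIVE":
            findings.append(("not_active", login, m["status"]))  # e.g. invitation never accepted
        last = parse_okta_time(m.get("lastLogin"))
        if last is None:
            findings.append(("never_logged_in", login))
        elif now - last > max_idle:
            findings.append(("idle", login, (now - last).days))
    for login in sorted(approved - present):
        findings.append(("approved_but_missing", login))         # an expected admin lost access
    return findings


if __name__ == "__main__":
    for finding in audit_admin_group(SAMPLE_MEMBERS, APPROVED_ADMINS, datetime.now(timezone.utc)):
        print(*finding)
```

Each finding maps to a concrete action: remove unapproved members, chase or revoke invitations that were never accepted, and confirm idle administrators still need the role.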
For best practices in configuring Okta for your environment, review the following articles from Okta.