Integrating with Okta

Overview

The Okta integration works directly against your Okta endpoint, using the Okta Authentication API. No changes are required within the Okta admin dashboard to enable this functionality.

Okta does not directly authenticate the user to the computer, but it completes the following background process:

  1. The mechanism gathers a username and password from the user, and then verifies the user locally.

  2. The mechanism does one of the following:

    • If the username matches a local user, the mechanism puts the username and password into the Security Server data, and then passes on the authentication to the next mechanism.

    • If the username does not exist locally, or a configuration has been set to always authenticate with Okta, then the Okta Authentication API is used to validate the user and password.

Integrating with Okta

Jamf Connect provides support for Okta. Integrating Okta with Jamf Connect involves the following steps:

  1. Enable the CheckOkta mechanism.

  2. (Optional) Integrate Jamf Connect with OpenID Connect (OIDC).

  3. Configure and deploy Jamf Connect.

Step 1: Enabling the CheckOkta Mechanism

Although no changes are required to enable functionality within the Okta admin dashboard, you must change the CheckOIDC mechanism installed by Jamf Connect Login to CheckOkta. Complete one of the following to change the loginwindow mechanism:

  • Change the Jamf Connect Login package name to include "okta". This will automatically run the authchanger to enable CheckOkta.

  • Manually execute the following command with the authchanger:

    /usr/local/bin/authchanger -reset -Okta 

For more information about executing commands with the authchanger, see authchanger.
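The following is an added example (not part of the Jamf Connect guide and not Jamf's own tooling) of a deployment check wrapped around that command: it reads the macOS login authorization database, reports whether CheckOIDC or CheckOkta is currently installed, and only then runs the authchanger reset from the guide, re-reading the database afterwards to confirm the switch took effect. It assumes that `security authorizationdb read system.login.console` prints the mechanism list as a plist and that the Jamf Connect mechanisms appear there as strings containing "JamfConnectLogin:CheckOkta" or "JamfConnectLogin:CheckOIDC"; the sample plist text is constructed for the offline self-check.

```shell
#!/bin/sh
# Added example, not from the Jamf Connect guide: confirm which Jamf Connect check
# mechanism is active in the macOS loginwindow and switch to CheckOkta if CheckOIDC
# is still installed. The switch itself is the authchanger command from the guide.
#
# Assumptions (not stated on the page): `security authorizationdb read
# system.login.console` prints the mechanism list as a plist, and the Jamf Connect
# mechanisms appear there as strings containing "JamfConnectLogin:CheckOkta" or
# "JamfConnectLogin:CheckOIDC".

AUTHCHANGER=/usr/local/bin/authchanger

# Classify the Jamf Connect mechanism in a system.login.console plist ($1).
# Prints "okta", "oidc", or "none".
jc_mechanism() {
  case "$1" in
    *JamfConnectLogin:CheckOkta*) echo okta ;;
    *JamfConnectLogin:CheckOIDC*) echo oidc ;;
    *) echo none ;;
  esac
}

# Decide what to do for a mechanism state ($1): "skip" when CheckOkta is already
# active, "reset" when CheckOIDC is active or no Jamf Connect mechanism is found.
jc_action() {
  case "$1" in
    okta) echo skip ;;
    *) echo reset ;;
  esac
}

# Read the live authorization database, apply the decision, and verify the result.
ensure_check_okta() {
  current=$(security authorizationdb read system.login.console 2>/dev/null) || current=""
  mech=$(jc_mechanism "$current")
  echo "current Jamf Connect mechanism: $mech"
  if [ "$(jc_action "$mech")" = reset ]; then
    "$AUTHCHANGER" -reset -Okta
    after=$(security authorizationdb read system.login.console 2>/dev/null) || after=""
    [ "$(jc_mechanism "$after")" = okta ] || { echo "CheckOkta not active after authchanger" >&2; return 1; }
  fi
  echo "CheckOkta active"
}

# Constructed sample of a system.login.console plist as left by a default
# Jamf Connect Login install (CheckOIDC present); used for the offline self-check.
SAMPLE_OIDC='<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>mechanisms</key>
  <array>
    <string>builtin:policy-banner</string>
    <string>JamfConnectLogin:CheckOIDC,privileged</string>
    <string>loginwindow:login</string>
  </array>
</dict></plist>'

# The same sample after `authchanger -reset -Okta` (constructed).
SAMPLE_OKTA=$(printf '%s' "$SAMPLE_OIDC" | sed 's/CheckOIDC/CheckOkta/')

# Touch the live database only when asked explicitly (requires macOS and
# Jamf Connect Login); otherwise report the offline classification of the samples.
if [ "${1:-}" = "--apply" ]; then
  ensure_check_okta
else
  echo "sample before: $(jc_mechanism "$SAMPLE_OIDC") -> $(jc_action "$(jc_mechanism "$SAMPLE_OIDC")")"
  echo "sample after:  $(jc_mechanism "$SAMPLE_OKTA") -> $(jc_action "$(jc_mechanism "$SAMPLE_OKTA")")"
fi
```

Run it with `--apply` from a deployment script (it needs root to change the authorization database) to make the CheckOkta switch idempotent; running it without arguments only exercises the classification against the constructed samples.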

(Optional) Step 2: Integrating Jamf Connect with OIDC

If you want to leverage configurable preferences available via OIDC, such as determining if an admin or standard local account is created, you must create an integrated app for Jamf Connect in your Okta admin console.

Note: You should only use OIDC with Okta to configure local account creation. Configuring OIDC authentication with Okta is not recommended.

Creating an Application Integration

  1. Log in to the Okta Admin Console.

  2. Click Applications.

  3. Click Add Application, and then click Create New App.

  4. Do the following in the Create a New Application Integration window:

    1. Select "Native App" from the Platform pop-up menu.

    2. Select OpenID Connect.

    3. Click Create.

  5. Do the following on the Create OpenID Connect Integration page:

    1. Enter a name for your app, such as "Jamf Connect", in the Application name field.

    2. (Optional) Upload an application logo.

    3. Enter "https://127.0.0.1/jamfconnect" in the Login redirect URIs field.

    4. Click Save.

Modifying Grant Types

  1. Select your newly created Jamf Connect app.

  2. Do the following in the General pane:

    1. Select Implicit (Hybrid) under Allowed Grant Type.

    2. Select Allow ID Token with implicit grant type and Allow Access Token with implicit grant type.

    3. Click Save.

If you want to determine if users are created as standard or admin users during local account creation with Jamf Connect Login, repeat this process to yield two app integrations for Jamf Connect: one for standard users and the other for admin users.

Assigning Users and Groups

You must assign users and groups to your Jamf Connect app.

For instructions, see the following documentation from Okta: https://help.okta.com/en/prod/Content/Topics/Apps/Apps_Apps_Page.htm

Note: If you created two app integrations for Jamf Connect, assign all standard users to one app, and all admin users to both apps. These apps will be specified with OIDCAccessClientID and OIDCAdminClientID preference keys in your Jamf Connect Login configuration profile.

Enabling Multi-Factor Authentication

If you want to enable multi-factor authentication (MFA) for users, you must enable MFA at the organization level rather than the app level. To enable MFA, navigate to Security > Authentication > Sign On in the Okta Admin Dashboard, and then create a new Sign On policy.

Note: Enabling MFA at the app level is not recommended and may cause errors in Jamf Connect.

For more information about Okta MFA, see the following Okta documentation:

Step 3: Configuring and Deploying Jamf Connect

Jamf Connect is deployed with a package installer, similar to other apps installed on macOS.

For more information on configuring and deploying Jamf Connect, see the following sections of this guide:

© copyright 2002-2019 Jamf. All rights reserved.