Pluggable Authentication Module (PAM)

The Pluggable Authentication Module (PAM) is an authentication tool that allows you to use the sudo command with Jamf Connect Login. PAM is included in all installations of Jamf Connect Login and stored on computers in the following location:

/usr/local/lib/pam/pam_saml.so.2

Enabling PAM

To enable PAM, complete the following steps:

  1. (Okta Only) Execute the following authchanger command to enable PAM authentication with Jamf Connect Login:

    /usr/local/bin/authchanger -DefaultJCRight
  2. Add the following preference keys to your Jamf Connect Login configuration profile:

    Pluggable Authentication Module (PAM)

    Key: AuthUIOIDCProvider
    Description: Specifies your Identity Provider (IdP) for use with PAM.
    Example:
      <key>AuthUIOIDCProvider</key>
      <string>insert-identity-provider</string>

    Key: AuthUIOIDCClientID
    Description: The Client ID of the app created in your IdP that is used to authenticate users.
    Example:
      <key>AuthUIOIDCClientID</key>
      <string>9fcc52c7-ee36-4889-8517-lkjslkjoe23</string>

    Key: AuthUIOIDCRedirectURI
    Description: The Redirect URI used by the app created in your IdP.
    Example:
      <key>AuthUIOIDCRedirectURI</key>
      <string>https://127.0.0.1/jamfconnect</string>

    Key: AuthUIOIDCTenant
    Description: Specifies which tenant in your IdP to use with PAM.
    Note: If Okta is your IdP, this key is required.
    Example:
      <key>AuthUIOIDCTenant</key>
      <string>dev-123456</string>

  3. In Terminal, open the PAM configuration file for sudo by executing the following command:

    sudo vi /etc/pam.d/sudo

  4. Enter your local password.

  5. Enter edit mode, and then add the following entry:

    auth sufficient pam_saml.so

    Note: A warning may display when attempting to edit a read-only file. Continue to edit the file, and then refer to step 6 to save your changes.


  6. Press the Escape key to exit the editor mode, and then write and quit the read-only file by executing the following command at the bottom of the Terminal window:

    :wq!

    Note: Your cursor should automatically move to the bottom of the Terminal window after you exit editor mode.
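Steps 3 through 6 can be scripted and checked rather than done by hand in vi. The script below is an added example, not Jamf's code: it inserts the auth entry into a PAM service file only once, keeps a backup, and verifies that the module binary from this page exists and that the entry precedes the other auth lines. Placing the entry before the existing auth lines is this example's choice (the page does not state a position); the awk and grep calls assume the standard macOS tools.

```shell
#!/bin/sh
# Added example (not part of Jamf Connect Login): enable pam_saml for sudo.
set -u

# Module path as stated on the page; override for a dry run against a copy.
PAM_MODULE="${PAM_MODULE:-/usr/local/lib/pam/pam_saml.so.2}"
PAM_LINE="auth       sufficient     pam_saml.so"

# Return 0 if the file already carries an (uncommented) auth line for pam_saml.so.
has_saml_line() {
  grep -Eq '^[[:space:]]*auth[[:space:]]+[a-z]+[[:space:]]+pam_saml\.so' "$1"
}

# Insert PAM_LINE before the first existing "auth" entry so the IdP is consulted
# first. "sufficient" means IdP success ends the auth stack; failure falls
# through to the remaining modules (the local password prompt the page mentions).
add_saml_line() {
  file="$1"
  if has_saml_line "$file"; then
    return 0                      # idempotent: never add a second entry
  fi
  cp "$file" "$file.bak"          # a broken /etc/pam.d/sudo blocks all sudo use
  awk -v line="$PAM_LINE" '
    !done && $1 == "auth" { print line; done = 1 }
    { print }
    END { if (!done) print line }   # no auth line at all: append
  ' "$file.bak" > "$file"
}

# Checks worth running before trusting the change: the module binary is
# present, and pam_saml.so is the first auth entry in the service file.
check_config() {
  file="$1"
  [ -f "$PAM_MODULE" ] || { echo "missing module: $PAM_MODULE" >&2; return 1; }
  first_auth=$(awk '$1 == "auth" { print $3; exit }' "$file")
  [ "$first_auth" = "pam_saml.so" ] || \
    { echo "pam_saml.so is not the first auth entry in $file" >&2; return 1; }
}

# usage (as root): sh enable_pam_saml.sh --apply
if [ "${1:-}" = "--apply" ]; then
  add_saml_line /etc/pam.d/sudo && check_config /etc/pam.d/sudo
fi
```

Run it against a copy of /etc/pam.d/sudo first, with PAM_MODULE pointed at the real module path, and keep a separate root shell open while applying it to the live file.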

Authenticating with PAM

After PAM is enabled, you can use the sudo command to authenticate with your cloud identity provider (IdP).

  1. In Terminal, execute any sudo command, such as the following:

    sudo ls

  2. Your IdP's login window should appear. Enter your username and password to authenticate.

    Note: If you close the login window, you will be prompted to enter your password in Terminal instead.

  3. Once authenticated, the sudo command should complete in Terminal.

© copyright 2002-2019 Jamf. All rights reserved.