Authentication Settings

You must configure and deploy authentication settings via a computer configuration profile. These settings allow Jamf Connect to authenticate at the login window and the menu bar app, as well as establish a connection between local user accounts on the Mac and a cloud identity provider (IdP).

Keep the following in mind when configuring authentication settings with Jamf Connect:

  • Authentication settings for the Jamf Connect menu bar app are contained in the IdPSettings dictionary class.

  • If using both the menu bar and login window in your environment, configuring Jamf Connect to create an initial password using a user's network account is recommended. This ensures users are not prompted to change their password immediately after account creation.
    For more information, see Initial Local Password Creation.

  • Minimum authentication settings vary by cloud IdP and environment.

Minimum Authentication Settings by Identity Provider

The table below lists, for each supported identity provider, the settings that must be configured for the login window and for the menu bar app.

Azure AD
  Login Window: Identity Provider, Client ID
  Menu Bar: Identity Provider, Client ID

Google Cloud ID
  Login Window: Identity Provider, Client ID, Client Secret
  Menu Bar: Not Supported

IBM Security Verify
  Login Window: Identity Provider, Client ID, Tenant ID
  Menu Bar: Identity Provider, Client ID, Tenant ID

Okta
  Login Window: Identity Provider, Auth Server
  Menu Bar: Identity Provider, Auth Server

OneLogin
  Login Window: Identity Provider, Client ID
  Menu Bar: Identity Provider, Client ID, Success Codes (if MFA is enabled)

PingFederate
  Login Window: Identity Provider, Client ID, Discovery URL
  Menu Bar: Identity Provider, Client ID, Discovery URL

Custom
  Login Window: Identity Provider, Client ID, Redirect URI, Discovery URL
  Menu Bar: Identity Provider, Client ID, Discovery URL

Login Window Authentication Settings

Domain: /Library/Preferences/com.jamf.connect.login

Description: Used to allow Jamf Connect to complete authentication between your IdP and local accounts at the login window. Required settings vary by IdP.

Each entry below gives the preference key, its display name, a description, and an example of the key as it appears in the configuration profile.

OIDCProvider (Identity Provider)
  Specifies your cloud identity provider. The following values are supported:
    • Azure
    • IBMCI
    • GoogleID
    • OneLogin
    • Okta
    • PingFederate
    • Custom
  Example:
    <key>OIDCProvider</key>
    <string>Azure</string>

AuthServer (Auth Server)
  (Okta Only) Your organization's Okta domain URL.
  Example:
    <key>AuthServer</key>
    <string>yourcompany.okta.com</string>

OIDCClientID (Client ID)
  The client ID of the Jamf Connect app in your IdP used to authenticate the user.
  Example:
    <key>OIDCClientID</key>
    <string>9fcc52c7-ee36-4889-8517-lkjslkjoe23</string>

OIDCRedirectURI (Redirect URI)
  The redirect URI used by your Jamf Connect app in your IdP.
  "https://127.0.0.1/jamfconnect" is recommended by default, but any URI value may be used as long as the value configured in your IdP matches the value in your Jamf Connect Login configuration profile.
  Example:
    <key>OIDCRedirectURI</key>
    <string>https://127.0.0.1/jamfconnect</string>

OIDCClientSecret (Client Secret)
  The client secret used by Jamf Connect Login and your IdP.
  Example:
    <key>OIDCClientSecret</key>
    <string>insert-client-secret-here</string>

OIDCTenant (Tenant ID)
  Specifies the Tenant ID for your organization that is used for authentication.
  Example:
    <key>OIDCTenant</key>
    <string>c27d1b33-59b3-4ab2-a5c9-23jf0093</string>

OIDCDiscoveryURL (Discovery URL)
  Your IdP's OpenID metadata document, which stores OpenID configuration information. This value appears in the following format: "https://domain.url.com/.well-known/openid-configuration"
  Note: This key is required if the OIDCProvider key is set to "Custom".
  Example:
    <key>OIDCDiscoveryURL</key>
    <string>https://identity-provider-example-address.com/.well-known/openid-configuration</string>

Menu Bar Authentication Settings

Domain: com.jamf.connect

Dictionary: IdPSettings

Description: Used to allow Jamf Connect to complete authentication between your IdP and local accounts. Required settings vary by IdP.

Each entry below gives the preference key, its display name, a description, and an example of the key as it appears inside the IdPSettings dictionary.

Provider (Identity Provider)
  (Required) The name of your cloud identity provider. The following values are supported:
    • Azure
    • GoogleID
    • IBMCI
    • Okta
    • OneLogin
    • PingFederate
    • Custom
  Example:
    <key>Provider</key>
    <string>Azure</string>

OktaAuthServer (Okta Auth Server)
  (Required: Okta Only) Your organization's Okta domain. A preceding "https://" is optional.
  Example:
    <key>OktaAuthServer</key>
    <string>your-company.okta.com</string>

ROPGID (Client ID)
  (Required: OpenID Connect Only) The client ID of your Jamf Connect app in your IdP. This value allows Jamf Connect to complete a resource owner password grant (ROPG), which is the process that performs password verification.
  Example:
    <key>ROPGID</key>
    <string>9fcc52c7-ee36-4889-8517-lkjslkjoe23</string>

DiscoveryURL (Discovery URL)
  Your IdP's OpenID Connect discovery endpoint. This value appears in the following format: "https://domain.url.com/.well-known/openid-configuration"
  If using AD FS, this value is your AD FS domain combined with the following: "/adfs/.well-known/openid-configuration".
  Note: This preference is required if you are using "Custom" or "PingFederate" as your IdP.
  Example:
    <key>DiscoveryURL</key>
    <string>https://domain.url.com/.well-known/openid-configuration</string>

TenantID (Tenant ID)
  The Tenant ID for your organization that is used for authentication.
  Note: If IBM Security Verify is your IdP, this value is required.
  Example:
    <key>TenantID</key>
    <string>jamfconnect</string>

ChangePasswordURL (Change Password URL)
  A URL to a password change web page in your IdP.
  Example:
    <key>ChangePasswordURL</key>
    <string>https://idp.example.com/.well-known/change-password</string>

ResetPasswordURL (Reset Password URL)
  A URL to a password reset web page in your IdP.
  Example:
    <key>ResetPasswordURL</key>
    <string>https://idp.example.com/.well-known/reset-password</string>

ClientSecret (Client Secret)
  The client secret of your Jamf Connect app in your IdP.
  Example:
    <key>ClientSecret</key>
    <string>yourClientSecret</string>

SuccessCodes (Password Verification Success Codes)
  An array of strings containing error codes returned by your IdP during ROPG password verification that Jamf Connect should interpret as a successful verification.
  For error codes that may need to be configured in your environment, see the following documentation from Microsoft: https://docs.microsoft.com/azure/active-directory/develop/reference-aadsts-error-codes
  If using OneLogin and multifactor authentication is used in your environment, set this key to "MFA".
  Example:
    <key>SuccessCodes</key>
    <array>
      <string>AADSTS50012</string>
      <string>AADSTS50131</string>
    </array>
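A deployed profile that is missing one of the minimum keys fails authentication only after it reaches the Mac, so it is worth checking payloads before deployment. The following script is an added example, not Jamf's own tooling: it encodes the minimum-settings table from this page for both the com.jamf.connect.login domain and the IdPSettings dictionary of com.jamf.connect, and reports missing keys in a payload dictionary. The sample plist it parses is constructed for illustration.

```python
import plistlib

# Minimum keys per IdP, transcribed from the table on this page. Login window
# keys are top level in com.jamf.connect.login; menu bar keys sit inside the
# IdPSettings dictionary of com.jamf.connect. None marks "Not Supported".
LOGIN_WINDOW_MIN = {
    "Azure": {"OIDCClientID"},
    "GoogleID": {"OIDCClientID", "OIDCClientSecret"},
    "IBMCI": {"OIDCClientID", "OIDCTenant"},
    "Okta": {"AuthServer"},
    "OneLogin": {"OIDCClientID"},
    "PingFederate": {"OIDCClientID", "OIDCDiscoveryURL"},
    "Custom": {"OIDCClientID", "OIDCRedirectURI", "OIDCDiscoveryURL"},
}
MENU_BAR_MIN = {
    "Azure": {"ROPGID"},
    "GoogleID": None,
    "IBMCI": {"ROPGID", "TenantID"},
    "Okta": {"OktaAuthServer"},
    "OneLogin": {"ROPGID"},  # SuccessCodes is also required when MFA is on
    "PingFederate": {"ROPGID", "DiscoveryURL"},
    "Custom": {"ROPGID", "DiscoveryURL"},
}
WELL_KNOWN = "/.well-known/openid-configuration"

def check_login_window(prefs):
    """Return the problems found in a com.jamf.connect.login payload dict."""
    provider = prefs.get("OIDCProvider")
    if provider not in LOGIN_WINDOW_MIN:
        return [f"OIDCProvider missing or unsupported: {provider!r}"]
    problems = [f"missing {k}" for k in sorted(LOGIN_WINDOW_MIN[provider] - set(prefs))]
    url = prefs.get("OIDCDiscoveryURL")
    if url and not url.endswith(WELL_KNOWN):
        problems.append(f"OIDCDiscoveryURL should end with {WELL_KNOWN}")
    return problems

def check_menu_bar(prefs):
    """Return the problems found in a com.jamf.connect payload dict."""
    idp = prefs.get("IdPSettings", {})
    provider = idp.get("Provider")
    if provider not in MENU_BAR_MIN:
        return [f"IdPSettings.Provider missing or unsupported: {provider!r}"]
    required = MENU_BAR_MIN[provider]
    if required is None:
        return [f"{provider} is not supported by the menu bar app"]
    return [f"missing IdPSettings.{k}" for k in sorted(required - set(idp))]

# Constructed sample: an Okta menu bar payload whose author omitted OktaAuthServer.
SAMPLE_MENU_BAR = b"""<plist version="1.0"><dict><key>IdPSettings</key><dict>
<key>Provider</key><string>Okta</string></dict></dict></plist>"""

def demo():
    return check_menu_bar(plistlib.loads(SAMPLE_MENU_BAR))
```

Run check_login_window and check_menu_bar on the dictionaries returned by plistlib.load for each payload; an empty list means the payload carries at least the minimum keys for its provider.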
