Password Hash Synchronization and Pass-through Authentication

Password hash synchronization and pass-through authentication are authentication methods that can be implemented in an Azure AD hybrid identity environment. Both rely on Azure AD Connect to link Azure AD with on-premise Active Directory so that users sign in to both with the same password, and they differ in where the password is validated:

  • Password hash synchronization—Azure AD Connect synchronizes a hash of each user's on-premise Active Directory password hash to Azure AD, so Azure AD validates the password itself.

  • Pass-through authentication—Azure AD forwards each password check to an on-premise agent that validates it against Active Directory, so no password hash is stored in Azure AD.

If you are using either method, you can configure Jamf Connect to work alongside it by configuring Jamf Connect to use the Microsoft identity platform (v2.0) endpoints for authentication. Jamf Connect then authenticates users against Azure AD at the login window and, because Azure AD validates the same password that Active Directory holds, indirectly keeps a user's local password in sync with their Active Directory password.

For more information about the Microsoft identity platform (v2.0), see the following documentation from Microsoft: https://docs.microsoft.com/azure/active-directory/develop/azure-ad-endpoint-comparison
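The password verification that makes this indirect sync work is a resource owner password grant (ROPG) against the tenant's v2.0 token endpoint. The following is an added example, not Jamf's code and not part of the original page: it builds that request offline, redacts it for logging, and classifies constructed token responses the way a password-sync component should. The endpoint URL and the AADSTS50126 error are Microsoft's documented behaviour; the scope string, the placeholder IDs and tokens, and the sample responses are assumptions constructed for the example, and nothing is sent over the network.

```python
"""Added example, not Jamf Connect's code: the resource owner password grant
(ROPG) that password verification performs against the Microsoft identity
platform v2.0 token endpoint, built offline with constructed responses."""
import json
from urllib.parse import urlencode, parse_qs

# Constructed sample identifiers (same placeholders as the configuration profile).
CLIENT_ID = "5fse52c7-bb36-4889-8517-lkjslkjoe23"
TENANT_ID = "15e7196d-8bd5-4034-ae01-7bda4ad0c91e"


def token_endpoint(tenant_id):
    """Microsoft identity platform (v2.0) token endpoint for a tenant."""
    return f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"


def ropg_request(tenant_id, client_id, username, password):
    """Return (url, form-encoded body) of the ROPG POST.

    grant_type=password carries the user's cleartext password in the body,
    so it must only ever travel over TLS to the tenant's own endpoint.
    The scope string is an assumption; the page does not list the scopes
    Jamf Connect requests.
    """
    body = urlencode({
        "grant_type": "password",
        "client_id": client_id,
        "scope": "openid profile offline_access",
        "username": username,
        "password": password,
    })
    return token_endpoint(tenant_id), body


def redacted_fields(body):
    """Request fields safe to log: everything except the password."""
    return {k: v[0] for k, v in parse_qs(body).items() if k != "password"}


# Token responses constructed for this example in the shape the v2.0 endpoint
# returns; the token strings are placeholders, not real tokens.
VERIFIED_RESPONSE = (200, json.dumps({
    "token_type": "Bearer",
    "scope": "openid profile",
    "expires_in": 3599,
    "access_token": "eyJ0eXAi.placeholder.access",
    "id_token": "eyJ0eXAi.placeholder.id",
}))
WRONG_PASSWORD_RESPONSE = (400, json.dumps({
    "error": "invalid_grant",
    "error_description": "AADSTS50126: Error validating credentials due to "
                         "invalid username or password.",
    "error_codes": [50126],
}))
OUTAGE_RESPONSE = (503, "")


def classify(status, body):
    """Turn a token response into a verdict for password-sync logic.

    Only a definitive invalid_grant with AADSTS50126 means the password the
    user typed does not match Active Directory. Anything else (throttling,
    an outage, a policy that needs interactive sign-in) is "unknown": the
    local password must be left alone rather than treated as out of sync.
    """
    if status == 200:
        data = json.loads(body)
        if data.get("access_token") or data.get("id_token"):
            return "verified"
        return "unknown"
    if status == 400:
        try:
            data = json.loads(body)
        except ValueError:
            return "unknown"
        if data.get("error") == "invalid_grant" and 50126 in data.get("error_codes", []):
            return "wrong-password"
    return "unknown"


if __name__ == "__main__":
    url, body = ropg_request(TENANT_ID, CLIENT_ID, "alice@example.com", "hunter2")
    print(url)
    print(redacted_fields(body))
    for name, resp in [("verified", VERIFIED_RESPONSE),
                       ("wrong password", WRONG_PASSWORD_RESPONSE),
                       ("outage", OUTAGE_RESPONSE)]:
        print(f"{name}: {classify(*resp)}")
```

Two points the page does not spell out: the v2.0 endpoint only accepts this grant from an app registration that allows public client flows, and the grant cannot complete interactive steps such as MFA, so a tenant policy that requires MFA makes verification fail with something other than AADSTS50126. The "unknown" verdict above keeps such failures from being mistaken for a password mismatch.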

Configuring Jamf Connect with Password Hash Synchronization or Pass-through Authentication Environments

Requirements

  • A Jamf Connect registered app in Azure AD
    For instructions, see Identity Provider Integrations.

  • Azure AD Connect

  • User credentials that are stored in Active Directory

Procedure

  1. Confirm that your Azure AD environment is using password hash synchronization or pass-through authentication and that Azure AD Connect is set up correctly.

  2. Add the following preference keys to your /Library/Preferences/com.jamf.connect.login configuration profile to configure authentication at the login window:

    Key (label in Jamf Connect Configuration), Description, Example

    OIDCProvider (Identity Provider)
    Specifies Azure AD as your cloud IdP to use for authentication.
      <key>OIDCProvider</key>
      <string>Azure</string>

    OIDCClientID (Client ID)
    The client ID of the Jamf Connect registered app.
      <key>OIDCClientID</key>
      <string>5fse52c7-bb36-4889-8517-lkjslkjoe23</string>

    OIDCNewPassword (Create a Separate Local Password)
    Set this value to false. Jamf Connect then prompts users to re-enter their network password, which also becomes the local account password, so the network and local passwords are in sync from user creation onward.
      <key>OIDCNewPassword</key>
      <false/>

    ROPGProvider (Identity Provider, Password Verification)
    Specifies where Jamf Connect should attempt to verify, and thereby sync, passwords. Set this value to "Azure_v2", which makes Jamf Connect use the Microsoft identity platform (v2.0) endpoints for password verification.
      <key>ROPGProvider</key>
      <string>Azure_v2</string>

    OIDCROPGID (Client ID, Password Verification)
    The client ID of the Jamf Connect registered app. This must be the same value as the OIDCClientID preference key.
      <key>OIDCROPGID</key>
      <string>5fse52c7-bb36-4889-8517-lkjslkjoe23</string>

    ROPGTenant (Tenant ID, Password Verification)
    The Azure AD tenant ID of your organization to use for password verification.
      <key>ROPGTenant</key>
      <string>15e7196d-8bd5-4034-ae01-7bda4ad0c91e</string>


  3. Add the following IdPSettings dictionary keys to your com.jamf.connect configuration profile to configure password syncing with the menu bar app:

    Key (label in Jamf Connect Configuration), Description, Setting

    Provider (Identity Provider)
    Specifies where Jamf Connect should attempt to sync passwords. Set this value to "Custom".
      <key>Provider</key>
      <string>Custom</string>

    ROPGID (Client ID)
    The client ID of your Jamf Connect app in your IdP. This value allows Jamf Connect to complete a resource owner password grant (ROPG), which is the process that performs password verification.
      <key>ROPGID</key>
      <string>9fcc52c7-ee36-4889-8517-lkjslkjoe23</string>

    DiscoveryURL (Discovery URL)
    Specifies your OpenID Connect discovery endpoint. For an Azure AD tenant using the Microsoft identity platform (v2.0) endpoints, this is https://login.microsoftonline.com/{tenant ID}/v2.0/.well-known/openid-configuration, with your tenant ID in place of the placeholder.
      <key>DiscoveryURL</key>
      <string>https://domain.url.com/.well-known/openid-configuration</string>

  4. Test your configuration profiles with Jamf Connect Configuration or a test computer to confirm authentication is correctly configured.

  5. Save your configuration profiles.

You can now deploy your configuration profiles with an MDM solution. For more information, see Deployment.
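Before deploying, it is worth checking the two profiles against each other, since the page's requirements (same client ID for authentication and password verification, Azure_v2 for the login window, Custom for the menu bar app, OIDCNewPassword off) are easy to get wrong across two separate payloads. The following is an added example, not Jamf's code: it builds both payloads from steps 2 and 3 with Python's standard plistlib and lints them. The client and tenant IDs are the page's placeholders, the discovery URL is the v2.0 endpoint for the tenant, and the assumption that the menu bar app's ROPGID is the same registered app as the login window's client ID is labelled in the code.

```python
"""Added example, not Jamf Connect's code: build the com.jamf.connect.login
and com.jamf.connect payloads from the procedure and lint them for the
consistency rules the procedure states."""
import plistlib

# Placeholder values from the page; real deployments use their own IDs.
CLIENT_ID = "5fse52c7-bb36-4889-8517-lkjslkjoe23"
TENANT_ID = "15e7196d-8bd5-4034-ae01-7bda4ad0c91e"


def login_window_payload(client_id, tenant_id):
    """Preference keys for the com.jamf.connect.login domain (step 2)."""
    return {
        "OIDCProvider": "Azure",
        "OIDCClientID": client_id,
        "OIDCNewPassword": False,      # local password = network password
        "ROPGProvider": "Azure_v2",    # v2.0 endpoints for verification
        "OIDCROPGID": client_id,       # must match OIDCClientID
        "ROPGTenant": tenant_id,
    }


def menu_bar_payload(client_id, tenant_id):
    """IdPSettings dictionary for the com.jamf.connect domain (step 3).

    Assumption: the menu bar app verifies against the same registered app,
    so ROPGID reuses the login window client ID. DiscoveryURL is the
    Microsoft identity platform v2.0 discovery document for the tenant.
    """
    return {
        "IdPSettings": {
            "Provider": "Custom",
            "ROPGID": client_id,
            "DiscoveryURL": (
                f"https://login.microsoftonline.com/{tenant_id}"
                "/v2.0/.well-known/openid-configuration"
            ),
        }
    }


def lint(login, menu):
    """Return a list of problems; an empty list means both payloads agree
    with the procedure. Deliberately checks values, not just presence."""
    problems = []
    if login.get("OIDCProvider") != "Azure":
        problems.append("OIDCProvider must be Azure")
    if login.get("ROPGProvider") != "Azure_v2":
        problems.append("ROPGProvider must be Azure_v2 to use the v2.0 endpoints")
    if login.get("OIDCClientID") != login.get("OIDCROPGID"):
        problems.append("OIDCROPGID must equal OIDCClientID")
    if login.get("OIDCNewPassword") is not False:
        problems.append("OIDCNewPassword must be false so the local password is the network password")
    if not login.get("ROPGTenant"):
        problems.append("ROPGTenant is missing")
    idp = menu.get("IdPSettings", {})
    if idp.get("Provider") != "Custom":
        problems.append("IdPSettings.Provider must be Custom")
    if idp.get("ROPGID") != login.get("OIDCClientID"):
        problems.append("IdPSettings.ROPGID should match the login window client ID (assumed: one registered app)")
    url = idp.get("DiscoveryURL", "")
    if not (url.startswith("https://") and url.endswith("/.well-known/openid-configuration")):
        problems.append("DiscoveryURL must be an https OpenID Connect discovery endpoint")
    return problems


def to_plist(payload):
    """Serialize a payload as the XML plist that goes into the profile."""
    return plistlib.dumps(payload, fmt=plistlib.FMT_XML)


def roundtrip_ok(payload):
    """True if the XML plist parses back to the same dictionary."""
    return plistlib.loads(to_plist(payload)) == payload


if __name__ == "__main__":
    login = login_window_payload(CLIENT_ID, TENANT_ID)
    menu = menu_bar_payload(CLIENT_ID, TENANT_ID)
    print(to_plist(login).decode())
    print(to_plist(menu).decode())
    print("problems:", lint(login, menu) or "none")
```

Run it and paste the two printed plists into the respective payloads of your configuration profiles; a non-empty problem list points at the key to fix before step 4.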

Related Information

For related information, see the following:

© copyright 2002-2020 Jamf. All rights reserved.