Federated Integrations
A federated integration is a hybrid identity solution that allows your cloud identity provider (IdP) to pass authentication to another authentication method, such as on-premise Active Directory Federation Services (AD FS).
If a federated integration with AD FS is implemented in your environment, you can configure Jamf Connect to work alongside it by using different cloud and on-premise endpoints for authentication and password syncing:
- Azure AD—Use a registered app and endpoints in Azure AD to perform the authorization code grant that obtains access, refresh, and ID tokens from Azure AD.
- AD FS—Use an AD FS app and endpoints to perform the resource owner password grant (ROPG) that verifies the user's local username and password are synced with on-premise Active Directory.
To learn more about federated integrations with Azure AD, see the following documentation from Microsoft: https://docs.microsoft.com/azure/active-directory/hybrid/how-to-connect-fed-whatis
Configuring Jamf Connect with AD FS
Requirements
- A Jamf Connect registered app in Azure AD. For instructions, see Identity Provider Integrations.
- A Jamf Connect application in AD FS. For instructions, see the following documentation from Microsoft: https://docs.microsoft.com/windows-server/identity/ad-fs/development/enabling-openid-connect-with-ad-fs
- Azure AD Connect
- Windows Server 2016 (includes AD FS 4.0) or later
Procedure
- Confirm that your Azure AD and AD FS environments are successfully configured and enabled for OpenID Connect authentication protocols.
- Add the following preference keys to your login window configuration profile:
Key: OIDCProvider (Identity Provider)
Description: Specifies Azure AD as your cloud IdP to use for authentication.
Example:
  <key>OIDCProvider</key>
  <string>Azure</string>

Key: OIDCClientID (Client ID)
Description: The client ID of the registered app in your IdP used to authenticate the user.
Example:
  <key>OIDCClientID</key>
  <string>8zcc52c7-ee36-4889-8517-lkjslkjoe23</string>

Key: OIDCNewPassword (Create a Separate Local Password)
Description: Prompts users to re-enter their network password, which also becomes the local account password. This ensures a user's network and local password are synced during user creation.
Example:
  <key>OIDCNewPassword</key>
  <false/>

Key: ROPGProvider (Identity Provider (Password Verification))
Description: Specifies where Jamf Connect should attempt to sync passwords. Set this value to "Custom", which allows Jamf Connect to use AD FS.
Example:
  <key>ROPGProvider</key>
  <string>Custom</string>

Key: OIDCROPGID (Client ID (Password Verification))
Description: The client ID of your Jamf Connect AD FS application.
Example:
  <key>OIDCROPGID</key>
  <string>86f07d1c-0ae4-437d-9fde-fcf165a5a965</string>

Key: ROPGRedirectURI (Redirect URI (Password Verification))
Description: The redirect URI used by the created application in AD FS.
Example:
  <key>ROPGRedirectURI</key>
  <string>https://127.0.0.1/jamfconnect</string>

Key: ROPGDiscoveryURL (Discovery URL (Password Verification))
Description: Specifies your OpenID Connect discovery endpoint. This value is your AD FS domain combined with the path "/adfs/.well-known/openid-configuration".
Example:
  <key>ROPGDiscoveryURL</key>
  <string>https://adfs.jamfconnect.com/adfs/.well-known/openid-configuration</string>

- Add the following IdPSettings dictionary keys to your menu bar configuration profile:
Key: Provider (Identity Provider)
Description: Specifies where Jamf Connect should attempt to sync passwords. Set this value to "Custom", which allows Jamf Connect to use AD FS.
Example:
  <key>Provider</key>
  <string>Custom</string>

Key: DiscoveryURL (Discovery URL)
Description: Specifies your OpenID Connect discovery endpoint. This value is your AD FS domain combined with the path "/adfs/.well-known/openid-configuration".
Example:
  <key>DiscoveryURL</key>
  <string>https://adfs.jamfconnect.com/adfs/.well-known/openid-configuration</string>

Key: ROPGID (Client ID)
Description: The client ID of your Jamf Connect AD FS application.
Example:
  <key>ROPGID</key>
  <string>86f07d1c-0ae4-437d-9fde-fcf165a5a965</string>

- Test your configuration profiles with Jamf Connect Configuration or a test computer to confirm authentication is correctly configured.
- Save your configuration profiles.
You can now deploy the configuration profiles with an MDM solution.
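Before the test step, it helps to catch the hand-editing errors that quietly break AD FS password verification. The following is an added example written for this page, not Jamf's own tooling: it parses a login window payload with Python's plistlib and flags a missing key, a ROPGProvider other than "Custom", a non-HTTPS URL, stray whitespace inside a URL string, or a discovery URL that does not end in /adfs/.well-known/openid-configuration. The sample payload is constructed and deliberately carries a leading space in ROPGRedirectURI.

```python
import plistlib
from urllib.parse import urlparse

# Constructed sample of a Jamf Connect login window payload (not taken from any
# real environment). The leading space inside ROPGRedirectURI is deliberate: it is
# the kind of hand-editing mistake the check below is meant to catch.
SAMPLE_LOGIN_PAYLOAD = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>OIDCProvider</key><string>Azure</string>
  <key>OIDCClientID</key><string>8zcc52c7-ee36-4889-8517-lkjslkjoe23</string>
  <key>OIDCNewPassword</key><false/>
  <key>ROPGProvider</key><string>Custom</string>
  <key>OIDCROPGID</key><string>86f07d1c-0ae4-437d-9fde-fcf165a5a965</string>
  <key>ROPGRedirectURI</key><string> https://127.0.0.1/jamfconnect</string>
  <key>ROPGDiscoveryURL</key><string>https://adfs.jamfconnect.com/adfs/.well-known/openid-configuration</string>
</dict>
</plist>
"""

# Keys the AD FS password-verification setup needs in the login window profile.
REQUIRED_KEYS = ("OIDCProvider", "OIDCClientID", "ROPGProvider",
                 "OIDCROPGID", "ROPGRedirectURI", "ROPGDiscoveryURL")
ADFS_DISCOVERY_PATH = "/adfs/.well-known/openid-configuration"


def check_login_window_payload(payload: bytes) -> list:
    """Parse the payload and return a list of problems; empty means it looks consistent."""
    cfg = plistlib.loads(payload)
    problems = []
    for key in REQUIRED_KEYS:
        if key not in cfg:
            problems.append(f"{key}: missing")
    if cfg.get("OIDCProvider") != "Azure":
        problems.append("OIDCProvider: expected Azure for the cloud IdP")
    if cfg.get("ROPGProvider") != "Custom":
        problems.append("ROPGProvider: must be Custom so password sync goes to AD FS")
    # URL-valued keys: no stray whitespace, HTTPS only, and the discovery URL must
    # point at the AD FS OpenID Connect discovery document.
    for key in ("ROPGRedirectURI", "ROPGDiscoveryURL"):
        value = cfg.get(key, "")
        if value != value.strip():
            problems.append(f"{key}: leading or trailing whitespace in URL")
        if urlparse(value.strip()).scheme != "https":
            problems.append(f"{key}: must be an https URL")
    if not cfg.get("ROPGDiscoveryURL", "").strip().endswith(ADFS_DISCOVERY_PATH):
        problems.append(f"ROPGDiscoveryURL: expected a URL ending in {ADFS_DISCOVERY_PATH}")
    return problems
```

Run the check over each payload exported from Jamf Connect Configuration before it is uploaded to the MDM; an empty list means the AD FS keys are present and consistent.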
Related Information
For related information about using this procedure with PingFederate as a federated integration, see the following documentation from Microsoft: https://docs.microsoft.com/azure/active-directory/hybrid/how-to-connect-install-custom#configuring-federation-with-pingfederate