Authentication Protocols

Integrating Jamf Connect with your identity provider (IdP) and creating a computer configuration profile requires an understanding of the authentication protocols that Jamf Connect uses to connect a user's cloud identity to their local account on the Mac.

Jamf Connect uses one of two different authentication protocols, depending on your cloud identity provider (IdP). Most IdPs must use the OpenID Connect authentication protocol with Jamf Connect, except Okta, which can use the Okta Authentication API.

OpenID Connect

Jamf Connect uses the OpenID Connect authentication protocol, which can be configured to support various types of authentication methods (grants) that dictate how the following components communicate:

  • Resource Owner—The user

  • Client App—Jamf Connect

  • Authentication Server—The cloud IdP

Jamf Connect uses the following OpenID Connect grant types:

  • Authorization Code Grant—Authenticates the user's cloud username and password in exchange for an authorization code, which Jamf Connect sends to your IdP token endpoint.

  • Resource Owner Password Grant (ROPG)—Authenticates the user's cloud username and password directly to your IdP's token endpoint. This authentication method is only used for password synchronization.

Authorization Code Grant

This grant type is used when Jamf Connect Login is used to either create a new local account on a computer or log in to an existing local account via cloud authentication.

images/download/attachments/80754754/Jamf_Connect_%28Authorization_Code_Grant%29.png

Authorization Code Grant and Resource Owner Password Grant (ROPG)

When Jamf Connect authenticates users and sync passwords with the login window and menu bar app, both grant types are used for authentication. If configured, Jamf Connect can create a local account that has the same password as the user's network password. The user is then prompted to sign in with the menu bar app to enable continuous password syncing.

images/download/attachments/80754078/Jamf_Connect_--_Code_and_ROPG_same_provider-4.png

Okta Authentication

Jamf Connect can use the Okta Authentication API to configure primary Jamf Connect tasks for users, such as the following:

  • Cloud authentication to a local account

  • Password synchronization

  • Signing in users to Okta

To learn more about this API, see the following developer documentation from Okta: https://developer.okta.com/docs/reference/api/authn/

Related Information

For related information about OpenID Connect, see the following resource from the OpenID Connect foundation: https://openid.net/specs/openid-connect-core-1_0.html

For related information about enabling OpenID Connect authentication and integrating your IdP with Jamf Connect, see the Identity Provider Integrations section of this guide.

Copyright     Privacy Policy     Terms of Use     Security
© copyright 2002-2020 Jamf. All rights reserved.