Integrating with Okta

Since Jamf Connect authenticates Okta users directly to your domain using Okta's authentication API, you do not need to perform any additional tasks in the Okta admin console to enable authentication and password syncing.

If you want to determine if users are created with standard or local accounts with Jamf Connect, you can create app integrations in Okta for standard users and administrators, and then assign users to the apps as needed. Jamf Connect will then use the app a user is assigned to create the correct local account.

Integrating with Okta to Define User Roles

Creating an Application Integration

  1. Log in to the Okta Admin Console.

    Note: Make sure your Okta console is displayed in the Classic UI version.

  2. Click Applications.

  3. Click Add Application, and then click Create New App.

  4. Do the following in the Create a New Application Integration window:

    1. Select "Native App" from the Platform pop-up menu.

    2. Select OpenID Connect.

    3. Click Create.

  5. Do the following on the Create OpenID Connect Integration page:

    1. Enter a name for your app, such as "Jamf Connect", in the Application name field.

    2. (Optional) Upload an application logo.

    3. Enter a valid URI, such as "https://127.0.0.1/jamfconnect", in the Login redirect URIs field.

    4. Click Save.

Modifying Grant Types

  1. Select your newly created Jamf Connect app.

  2. Do the following in the General pane:

    1. Select Implicit (Hybrid) under Allowed Grant Type

    2. Select Allow ID Token with implicit grant type and Allow Access Token with implicit grant type.

    3. Click Save.

If you want to determine if users are created as standard or admin users during local account creation with Jamf Connect, repeat this process to yield two app integrations for Jamf Connect: one for standard users and the other for admin users.

Assigning Users and Groups

You must assign users and groups to your Jamf Connect app.

For instructions, see the following documentation from Okta: https://help.okta.com/en/prod/Content/Topics/Apps/Apps_Apps_Page.htm

Note: If you created two app integrations for Jamf Connect, assign all standard users to one app, and all admin users to both apps. These apps will be specified with OIDCAccessClientID and OIDCAdminClientID preference keys in your Jamf Connect Login configuration profile.

Enabling Multifactor Authentication

If you want to enable multifactor authentication (MFA) for users, you must enable MFA at the organization level rather than the app level. To enable MFA, navigate to Security > Authentication > Sign On in the Okta Admin Dashboard, and then create a new Sign On policy.

Disclaimer: Jamf Connect Login may allow users with the same username and password to log in to the incorrect local account. To ensure users can only log in to their account, a multifactor authentication (MFA) method is recommended. Jamf does not accept any responsibility or liability for any damages or security exploitations due to identically provisioned account credentials.

Note: Enabling MFA at the app level is not recommended and may cause errors in Jamf Connect.

For more information about Okta MFA, see the following Okta documentation:

For related information, see the following:

Copyright     Privacy Policy     Terms of Use     Security
© copyright 2002-2020 Jamf. All rights reserved.