Authentication Settings

You must configure and deploy authentication settings via a computer configuration profile. These settings allow Jamf Connect to authenticate at the login window and the menu bar app, as well as establish a connection between local user accounts on the Mac and a cloud identity provider (IdP).

Keep the following in mind when configuring authentication settings with Jamf Connect:

  • Authentication settings for the Jamf Connect menu bar app are contained in the IdPSettings dictionary class.

  • If using both the menu bar and login window in your environment, configuring Jamf Connect to create an initial password using a user's network account is recommended. This ensures users are not prompted to change their password immediately after account creation. For more information, see Initial Local Password Creation.

  • Minimum authentication settings vary by cloud IdP and environment.

Minimum Authentication Settings by Identity Provider

The following lists the minimum authentication settings needed to use Jamf Connect with each supported identity provider.

Azure AD
  Login window:
    • Identity Provider
    • Client ID
  Menu bar app:
    • Identity Provider
    • Client ID

Google Cloud ID
  Login window:
    • Identity Provider
    • Client ID
    • Client Secret
  Menu bar app:
    Not supported

IBM Security Verify
  Login window:
    • Identity Provider
    • Client ID
    • Tenant ID
  Menu bar app:
    • Identity Provider
    • Client ID
    • Tenant ID

Okta
  Login window:
    • Identity Provider
    • Auth Server
  Menu bar app:
    • Identity Provider
    • Auth Server

OneLogin
  Login window:
    • Identity Provider
    • Client ID
    • Tenant ID
    • Success Codes (if MFA is enabled)
  Menu bar app:
    • Identity Provider
    • Client ID
    • Tenant ID
    • Success Codes (if MFA is enabled)

PingFederate
  Login window:
    • Identity Provider
    • Client ID
    • Discovery URL
  Menu bar app:
    • Identity Provider
    • Client ID
    • Discovery URL

Custom
  Login window:
    • Identity Provider
    • Client ID
    • Redirect URI
    • Discovery URL
  Menu bar app:
    • Identity Provider
    • Client ID
    • Discovery URL

Discovery URL Endpoints for OpenID Connect Authentication

Jamf Connect uses your cloud identity provider's (IdP) discovery endpoint during the OpenID Connect authentication process. Depending on your IdP and configuration profile settings, Jamf Connect uses the following sequence to find a discovery URL endpoint value:
  1. A Discovery URL value in a Jamf Connect configuration profile. If configured, this value will override Jamf Connect's pre-configured discovery URL values for your IdP. This option is required for PingFederate and custom IdP options.

  2. Automatically construct a discovery URL using a Tenant ID value in a Jamf Connect configuration profile. This option is required for IBM Security Verify and OneLogin.

  3. Automatically use a default discovery URL that is pre-configured in Jamf Connect. This option is used by Azure AD and Google Cloud ID.

To ensure authentication with Jamf Connect does not use an invalid discovery URL, make sure you do the following:
  • If you are using an identity provider other than PingFederate or a custom option, make sure discovery URL key-value pairs are either not configured or match the discovery endpoint documented by your IdP.

  • If you use Jamf Connect with Azure AD in an AD FS hybrid identity environment, in addition to making sure the Discovery URL (OIDCDiscoveryURL) is not configured, make sure the Discovery URL (Hybrid ID) (ROPGDiscoveryURL) uses your AD FS discovery endpoint.

Identity Provider Discovery Endpoints

The following lists the URLs that should be safelisted on computers in your environment in order for Jamf Connect to authenticate:

Azure AD (Microsoft Identity Platform)
  https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration
  Note: If you have a Tenant ID configured, replace "common" in the URL above with your OIDCTenant value.

Azure AD
  https://login.microsoftonline.com/common/.well-known/openid-configuration
  Note: If you have a Tenant ID configured, replace "common" in the URL above with your OIDCTenant value.

Google Cloud ID
  https://accounts.google.com/.well-known/openid-configuration

IBM Security Verify
  https://yourtenant.ice.ibmcloud.com/oidc/endpoint/default/.well-known/openid-configuration

Okta (OpenID Connect authentication)
  https://yourtenant.okta.com/.well-known/openid-configuration

OneLogin
  https://yourtenant.onelogin.com/oidc/2/.well-known/openid-configuration
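The following added example (not Jamf's code) works through the three-step discovery URL sequence described above together with the endpoints in this table: it resolves the URL Jamf Connect would use from a profile's OIDCDiscoveryURL and OIDCTenant values and rejects a configured Discovery URL that does not match the documented endpoint for a built-in IdP. Provider names are the page's labels used as constructed identifiers; Okta is not modelled because its Auth Server setting is not part of the sequence described here.

```python
from urllib.parse import urlparse

# Endpoints as documented on this page; "{tenant}" marks where a Tenant ID goes.
DEFAULT_DISCOVERY = {
    "Azure AD": "https://login.microsoftonline.com/{tenant}/v2.0/.well-known/openid-configuration",
    "Google Cloud ID": "https://accounts.google.com/.well-known/openid-configuration",
}
TENANT_DISCOVERY = {
    "IBM Security Verify": "https://{tenant}.ice.ibmcloud.com/oidc/endpoint/default/.well-known/openid-configuration",
    "OneLogin": "https://{tenant}.onelogin.com/oidc/2/.well-known/openid-configuration",
}
DISCOVERY_URL_REQUIRED = {"PingFederate", "Custom"}


def expected_discovery_url(provider, tenant=None):
    """Documented endpoint for a built-in provider, or None if the page lists none."""
    if provider in TENANT_DISCOVERY:
        if not tenant:
            raise ValueError(f"{provider} requires a Tenant ID (OIDCTenant)")
        return TENANT_DISCOVERY[provider].format(tenant=tenant)
    if provider == "Azure AD":
        # A configured Tenant ID replaces "common" in the default Azure AD endpoint.
        return DEFAULT_DISCOVERY[provider].format(tenant=tenant or "common")
    return DEFAULT_DISCOVERY.get(provider)


def resolve_discovery_url(provider, profile):
    """Apply the precedence: OIDCDiscoveryURL, then a tenant-built URL, then the built-in default."""
    configured = profile.get("OIDCDiscoveryURL")
    tenant = profile.get("OIDCTenant")
    if provider in DISCOVERY_URL_REQUIRED:
        # Step 1 is mandatory here: there is no pre-configured endpoint to fall back on.
        if not configured:
            raise ValueError(f"{provider} requires OIDCDiscoveryURL")
        if urlparse(configured).scheme != "https":
            raise ValueError("OIDCDiscoveryURL must be an https URL")
        return configured
    expected = expected_discovery_url(provider, tenant)
    if configured:
        # Step 1 override of a built-in provider: it must match the documented endpoint,
        # otherwise authentication would be sent to an endpoint the IdP does not publish.
        if expected and configured != expected:
            raise ValueError(f"OIDCDiscoveryURL {configured!r} does not match {expected!r}")
        return configured
    if expected is None:
        raise ValueError(f"no built-in discovery URL for {provider}; set OIDCDiscoveryURL")
    return expected  # steps 2 and 3: tenant-built URL or pre-configured default
```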