Authentication Protocols

Integrating Jamf Connect with your identity provider (IdP) and creating a computer configuration profile requires an understanding of the authentication protocols that Jamf Connect uses to connect a user's cloud identity to their local account on the Mac.

Jamf Connect uses one of two authentication protocols, depending on your cloud identity provider (IdP). Every supported IdP can use the OpenID Connect authentication protocol with Jamf Connect; Okta can additionally use the Okta Authentication API.

OpenID Connect

Jamf Connect uses the OpenID Connect authentication protocol (an identity layer on top of OAuth 2.0), which can be configured to support various authentication methods (grants). A grant dictates how the following components communicate:

  • Resource Owner

    The user

  • Client App

    Jamf Connect

  • Authorization Server (called the OpenID Provider in OpenID Connect)

    The cloud IdP, which authenticates the user and issues the tokens

Jamf Connect uses the following OpenID Connect grant types:

  • Authorization Code Grant

    The user authenticates with their cloud username and password at the IdP's authorization endpoint (in a web view presented by Jamf Connect). The IdP returns a short-lived authorization code, which Jamf Connect sends to your IdP's token endpoint in exchange for an ID token that identifies the user. Because the sign-in happens at the IdP, this grant supports multifactor authentication and any other sign-in policies the IdP enforces.

  • Resource Owner Password Grant (ROPG)

    Jamf Connect sends the user's cloud username and password directly to your IdP's token endpoint. Because no interactive sign-in takes place, this grant cannot satisfy multifactor authentication, and the IdP application used for it must permit the password grant. This authentication method is only used for password synchronization: it lets Jamf Connect verify that the password the user entered is still their current network password.

Authorization Code Grant

This grant type is used when Jamf Connect Login is used to either create a new local account on a computer or log in to an existing local account via cloud authentication.

Authorization Code Grant and Resource Owner Password Grant (ROPG)

When Jamf Connect authenticates users and syncs passwords with the login window and menu bar app, both grant types are used: the Authorization Code Grant for the interactive sign-in and ROPG for checking the password during synchronization. If configured, Jamf Connect can create a local account that has the same password as the user's network password. The user is then prompted to sign in with the menu bar app to enable continuous password syncing, which keeps the local account password aligned with the network password whenever it changes.
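The following Python script is an added illustration of the two grants described above, not Jamf Connect's own code or a Jamf API. It builds the authorization request and the two token-endpoint request bodies (code exchange and ROPG) and checks the claims of a returned ID token. Everything specific is assumed or constructed: the issuer, endpoint URLs, client ID, redirect URI, authorization code and the ID token are made up, and nothing is sent over the network. Signature verification is deliberately omitted so the script runs offline; a real client must verify the JWT signature against the IdP's published keys and reject "alg": "none" before trusting any claim.

```python
"""OpenID Connect exchanges used by Jamf Connect, as an added offline example.

Constructed example: issuer, endpoints, client ID, redirect URI, the
authorization code and the ID token below are made up; nothing is sent
over the network.  The ID token is NOT signature-checked here.
"""
import base64
import hashlib
import json
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

ISSUER = "https://idp.example.com"              # assumed IdP issuer
AUTHORIZE_ENDPOINT = ISSUER + "/authorize"      # assumed endpoints
TOKEN_ENDPOINT = ISSUER + "/token"
CLIENT_ID = "jamf-connect-login"                # assumed client (app) ID
REDIRECT_URI = "https://127.0.0.1/jamfconnect"  # assumed redirect URI


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def build_authorization_request(state=None, nonce=None, verifier=None):
    """Authorization Code Grant, step 1: the URL the login window opens in
    its web view.  state (CSRF check), nonce (binds the ID token to this
    login) and the PKCE verifier must be remembered to check the response."""
    state = state or secrets.token_urlsafe(16)
    nonce = nonce or secrets.token_urlsafe(16)
    verifier = verifier or secrets.token_urlsafe(32)
    challenge = _b64url(hashlib.sha256(verifier.encode()).digest())
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid profile email",
        "state": state,
        "nonce": nonce,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    return AUTHORIZE_ENDPOINT + "?" + urlencode(params), state, nonce, verifier


def parse_redirect(redirect_url, expected_state):
    """Step 2: after the user signs in, the IdP redirects to
    redirect_uri?code=...&state=... ; refuse it if state does not match."""
    qs = parse_qs(urlparse(redirect_url).query)
    if qs.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch")
    return qs["code"][0]


def code_exchange_form(code, verifier):
    """Step 3: form body POSTed to TOKEN_ENDPOINT; the IdP answers with
    an ID token (and usually access/refresh tokens)."""
    return {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,
        "client_id": CLIENT_ID,
        "code_verifier": verifier,
    }


def ropg_form(username, password):
    """Resource Owner Password Grant: the password itself goes to the token
    endpoint, so no interactive MFA can happen.  Used only to confirm that
    the password entered still matches the network password (sync)."""
    return {
        "grant_type": "password",
        "username": username,
        "password": password,
        "client_id": CLIENT_ID,
        "scope": "openid",
    }


def make_unsigned_id_token(claims):
    """Constructed ID token for the offline demo (empty signature segment).
    A real IdP signs the token and the client must verify that signature."""
    return _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode()) + "." \
        + _b64url(json.dumps(claims).encode()) + "."


def validate_id_token_claims(id_token, expected_nonce, now):
    """Check the claims that bind the token to this client and this login:
    issuer, audience, expiry and the nonce from step 1.
    Signature is NOT verified here (offline demo); do not copy as-is."""
    _header, payload, _sig = id_token.split(".")
    claims = json.loads(_b64url_decode(payload))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if not (aud == CLIENT_ID or (isinstance(aud, list) and CLIENT_ID in aud)):
        raise ValueError("token not issued to this client")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch (possible replay)")
    return claims


def demo():
    """Run the code-grant flow end to end on constructed data; returns the
    username the validated ID token carries."""
    _url, state, nonce, verifier = build_authorization_request(
        state="st_demo", nonce="n_demo", verifier="v" * 43)
    # Constructed redirect, as the IdP would send the web view back to us.
    code = parse_redirect(REDIRECT_URI + "?code=AUTHCODE123&state=st_demo", state)
    _form = code_exchange_form(code, verifier)        # would be POSTed to TOKEN_ENDPOINT
    id_token = make_unsigned_id_token({               # constructed token response
        "iss": ISSUER, "aud": CLIENT_ID, "sub": "user-42",
        "exp": 2000000000, "nonce": nonce, "preferred_username": "jdoe"})
    return validate_id_token_claims(id_token, nonce, now=1700000000)["preferred_username"]
```

The point of showing the two request bodies side by side is the security difference: in the code grant the client never sees the password at the protocol level and the IdP can demand MFA, while the ROPG body carries the raw password, which is why it is confined to password synchronization.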

For related information about OpenID Connect, see the specifications and documentation published by the OpenID Foundation.

Okta Authentication

Jamf Connect can use the Okta Authentication API to perform primary Jamf Connect tasks for users, such as the following:

  • Cloud authentication to a local account

  • Password synchronization

  • Signing in users to Okta

To learn more about this API, see the Authentication API developer documentation from Okta.