Integrating with a Custom Identity Provider

If your organization uses a cloud identity provider (IdP) that is not natively supported by Jamf Connect, you can use the Custom IdP option to integrate with any IdP solution that supports the OpenID Connect authentication protocol.

Requirements

An identity provider that supports the OpenID Connect authentication protocol.

  1. Complete your IdP's instructions to create an OpenID Connect application integration that generates the following values.
    • Client ID

      A unique identifier for your Jamf Connect application integration.

    • Redirect URI

      A URL used to redirect users during the authentication process.

      For authentication on macOS via the login window and menu bar app, https://127.0.0.1/jamfconnect is recommended.

      For authentication on iOS via Jamf Unlock, jamfunlock://callback/auth is recommended.

    • Discovery URL

      Your IdP's OpenID metadata document that stores OpenID configuration information. This value appears in the following format: https://domain.url.com/.well-known/openid-configuration

  2. Make sure the following grant types are enabled in your IdP:
    • Authorization Code Grant

      The user signs in on your IdP's own web page and the IdP returns an authorization code to the Redirect URI; Jamf Connect then exchanges that code for tokens at your IdP's token endpoint. This is the flow used for interactive sign-in at the login window and in the menu bar app.

    • Resource Owner Password Grant (ROPG)

      Sends the user's cloud username and password directly to your IdP's token endpoint. Jamf Connect uses this grant only for password synchronization (verifying that the local account password still matches the cloud password). Because the client submits the password itself instead of going through the IdP's sign-in page, ROPG cannot complete an interactive MFA challenge, and the OAuth 2.0 Security Best Current Practice (RFC 9700) advises against it in general. Enable it only for the Jamf Connect application rather than tenant-wide, and check your IdP's documentation first, since some IdPs do not offer this grant at all.

  3. Create a Jamf Connect configuration profile for the login window and menu bar app that uses the values from your app integration in your IdP.
    Make sure login window and menu bar app settings are written to their respective preference domains:
    • com.jamf.connect.login (login window)

    • com.jamf.connect (menu bar app)

    The following settings are required (the plist key for each is given in parentheses):

    Login Window (com.jamf.connect.login)
    • Identity Provider (OIDCProvider)
    • Client ID (OIDCClientID)
    • Redirect URI (OIDCRedirectURI)
    • Discovery URL (OIDCDiscoveryURL)
    Menu Bar App (com.jamf.connect, inside the IdPSettings dictionary)
    • Identity Provider (Provider)
    • Client ID (ClientID)
    • Discovery URL (DiscoveryURL)

    The Identity Provider setting must be set to Custom in both profiles.

Your custom IdP should now be integrated with Jamf Connect, and your configuration profiles should look similar to the following. The client and ROPG IDs shown are placeholders; use the values your IdP generated.

Login window (com.jamf.connect.login):
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>OIDCProvider</key>
	<string>Custom</string>
	<key>OIDCROPGID</key>
	<string>3bdd52c7-ee36-4689-8517-c5fed2c98s5</string>
	<key>OIDCClientID</key>
	<string>3bdd52c7-ee36-4689-8517-c5fed2c98s5</string>
	<key>OIDCRedirectURI</key>
	<string>https://127.0.0.1/jamfconnect</string>
	<key>OIDCDiscoveryURL</key>
	<string>https://identity-provider-example-address.com/.well-known/openid-configuration</string>
	<key>OIDCNewPassword</key>
	<false/>
</dict>
</plist>
Menu bar app (com.jamf.connect):
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>IdPSettings</key>
	<dict>
		<key>DiscoveryURL</key>
		<string>https://identity-provider-example-address.com/.well-known/openid-configuration</string>
		<key>Provider</key>
		<string>Custom</string>
		<key>ROPGID</key>
		<string>3bdd52c7-ee36-4689-8517-c5fed2c98s5</string>
	</dict>
</dict>
</plist>
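Before pushing the profiles out, it is worth checking them against what the IdP actually publishes. The following script is an added example and not Jamf's or the IdP's code: it parses the two profiles shown above with plistlib, parses a constructed copy of the discovery document (the endpoint paths in it are assumptions), and reports anything that contradicts the requirements on this page. Run as-is against the page's own profiles, it flags two things: the menu bar profile has no ClientID under IdPSettings, which the list of required settings calls for, and the sample discovery document does not advertise the password grant, so password sync through ROPG would fail against that IdP. It also checks that the issuer in the document matches the Discovery URL, since a mismatch means the URL points at the wrong tenant.

```python
"""Pre-flight checks for a Jamf Connect Custom IdP setup (added example, not Jamf's code)."""
import json
import plistlib
from urllib.parse import urlparse

WELL_KNOWN = "/.well-known/openid-configuration"
RECOMMENDED_REDIRECT = "https://127.0.0.1/jamfconnect"
LOGIN_KEYS = ("OIDCProvider", "OIDCClientID", "OIDCRedirectURI", "OIDCDiscoveryURL")
MENU_BAR_KEYS = ("Provider", "ClientID", "DiscoveryURL")  # inside the IdPSettings dictionary

# Constructed sample of what a GET on the Discovery URL returns; endpoint paths are assumed.
# Note that grant_types_supported does not list "password", the ROPG grant.
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://identity-provider-example-address.com",
    "authorization_endpoint": "https://identity-provider-example-address.com/oauth2/authorize",
    "token_endpoint": "https://identity-provider-example-address.com/oauth2/token",
    "jwks_uri": "https://identity-provider-example-address.com/oauth2/keys",
    "response_types_supported": ["code", "id_token"],
    "grant_types_supported": ["authorization_code", "refresh_token"],
})

# The two profiles from this page, DOCTYPE omitted (plistlib does not need it).
LOGIN_WINDOW_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>OIDCProvider</key><string>Custom</string>
<key>OIDCROPGID</key><string>3bdd52c7-ee36-4689-8517-c5fed2c98s5</string>
<key>OIDCClientID</key><string>3bdd52c7-ee36-4689-8517-c5fed2c98s5</string>
<key>OIDCRedirectURI</key><string>https://127.0.0.1/jamfconnect</string>
<key>OIDCDiscoveryURL</key><string>https://identity-provider-example-address.com/.well-known/openid-configuration</string>
<key>OIDCNewPassword</key><false/>
</dict></plist>"""
MENU_BAR_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict><key>IdPSettings</key><dict>
<key>DiscoveryURL</key><string>https://identity-provider-example-address.com/.well-known/openid-configuration</string>
<key>Provider</key><string>Custom</string>
<key>ROPGID</key><string>3bdd52c7-ee36-4689-8517-c5fed2c98s5</string>
</dict></dict></plist>"""


def check_discovery(discovery_url, document_json, needs_ropg):
    """Return findings for the Discovery URL and the OpenID metadata document it serves."""
    findings = []
    url = urlparse(discovery_url)
    if url.scheme != "https" or not url.path.endswith(WELL_KNOWN):
        findings.append(f"Discovery URL must be https and end with {WELL_KNOWN}")
    doc = json.loads(document_json)
    for key in ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri"):
        if key not in doc:
            findings.append(f"discovery document lacks {key}")
    # OpenID Connect Discovery serves the document at <issuer> + WELL_KNOWN; a mismatch
    # means the URL points at another tenant, and ID tokens will carry an unexpected iss.
    issuer = doc.get("issuer", "").rstrip("/")
    if issuer and discovery_url != issuer + WELL_KNOWN:
        findings.append(f"issuer {issuer} does not match the Discovery URL")
    if "code" not in doc.get("response_types_supported", []):
        findings.append("IdP does not advertise response_type=code (Authorization Code Grant)")
    grants = doc.get("grant_types_supported")
    if grants is None:  # field is optional; this is the spec default when it is omitted
        grants = ["authorization_code", "implicit"]
    if "authorization_code" not in grants:
        findings.append("authorization_code grant is not enabled")
    if needs_ropg and "password" not in grants:
        findings.append("grant_type=password (ROPG) is not advertised; password sync needs it")
    return findings


def load_profiles(login_bytes, menu_bytes):
    """Parse both profiles and return (login_settings, menu_bar_IdPSettings, findings)."""
    login = plistlib.loads(login_bytes)
    menu = plistlib.loads(menu_bytes).get("IdPSettings", {})
    findings = [f"com.jamf.connect.login: missing {k}" for k in LOGIN_KEYS if k not in login]
    findings += [f"com.jamf.connect: missing IdPSettings.{k}" for k in MENU_BAR_KEYS if k not in menu]
    if login.get("OIDCProvider") != "Custom" or menu.get("Provider") != "Custom":
        findings.append("Identity Provider must be set to Custom in both profiles")
    if login.get("OIDCRedirectURI") != RECOMMENDED_REDIRECT:
        findings.append(f"OIDCRedirectURI is not the recommended {RECOMMENDED_REDIRECT}")
    if login.get("OIDCDiscoveryURL") != menu.get("DiscoveryURL"):
        findings.append("login window and menu bar app use different Discovery URLs")
    return login, menu, findings


def check_setup(login_bytes, menu_bytes, discovery_json):
    """Run every check; an empty list means the setup is consistent with this page."""
    login, menu, findings = load_profiles(login_bytes, menu_bytes)
    # ROPG is only needed when a ROPG client ID is configured for password sync.
    needs_ropg = bool(login.get("OIDCROPGID") or menu.get("ROPGID"))
    findings += check_discovery(login.get("OIDCDiscoveryURL", ""), discovery_json, needs_ropg)
    return findings


if __name__ == "__main__":
    for finding in check_setup(LOGIN_WINDOW_PROFILE, MENU_BAR_PROFILE, SAMPLE_DISCOVERY) or ["no findings"]:
        print(finding)
```

To use it against a real tenant, replace SAMPLE_DISCOVERY with the body fetched from your Discovery URL and the two byte strings with the exported profiles; grant_types_supported is optional in the discovery spec, so an IdP that omits it still needs ROPG confirmed in its admin console.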