Federated Integrations

A federated integration is a hybrid identity configuration in which your cloud identity provider (IdP) hands authentication off to another authentication authority, such as on-premise Active Directory Federation Services (AD FS).

If your environment uses a federated integration with AD FS, you can configure Jamf Connect to work alongside it by pointing Jamf Connect at separate endpoints: a cloud endpoint for authentication and an on-premise endpoint for password verification and syncing.

  • Azure AD

    Jamf Connect uses a registered app and endpoints in Azure AD to perform the authorization code grant, which obtains access, refresh, and ID tokens from Azure AD.

  • AD FS

    Jamf Connect uses an AD FS app and endpoints to perform the resource owner password grant (ROPG), which verifies that the user's local username and password match the credentials held in on-premise Active Directory.

To learn more about federated integrations with Azure AD, see the Azure AD Connect and federation documentation from Microsoft.

The following diagram shows how Jamf Connect can use both endpoints to create local accounts and sync passwords:
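The AD FS side of that diagram is the ROPG exchange: Jamf Connect reads the token endpoint from the AD FS discovery document, posts the user's username and password to it, and treats a token response as "password verified" and an invalid_grant error as "wrong password". The script below is an added example and not Jamf Connect's own code; it shows that exchange with both sides' messages. The discovery document, the user directory, the client ID and the host name are constructed placeholders, and the token endpoint is a fake function so the script runs offline.

```python
"""Resource owner password grant (ROPG) against an AD FS token endpoint.

Added example, not Jamf Connect's own code. The discovery document, user
directory, client ID and host are constructed placeholders; the transport
is a fake so the exchange can be run offline.
"""
import json
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed discovery document, in the shape AD FS serves at
# https://<adfs host>/adfs/.well-known/openid-configuration.
DISCOVERY_DOC = {
    "issuer": "https://adfs.example.com/adfs",
    "token_endpoint": "https://adfs.example.com/adfs/oauth2/token/",
    "grant_types_supported": ["authorization_code", "refresh_token", "password"],
}

# Placeholder client ID of the Jamf Connect application in AD FS.
ADFS_CLIENT_ID = "00000000-0000-0000-0000-000000000000"


def token_endpoint_from_discovery(doc):
    """Pick the token endpoint out of a discovery document.

    ROPG posts the user's cleartext password to this URL, so a document that
    points at a plain-http endpoint, or that does not advertise the password
    grant, is rejected rather than used.
    """
    if "password" not in doc.get("grant_types_supported", []):
        raise ValueError("IdP does not advertise the password grant")
    url = doc["token_endpoint"]
    if urlparse(url).scheme != "https":
        raise ValueError("token endpoint is not https: " + url)
    return url


def build_ropg_request(client_id, username, password):
    """Form-encoded body of an RFC 6749 section 4.3 password grant request."""
    return urlencode({
        "grant_type": "password",
        "client_id": client_id,
        "username": username,   # the user's UPN, e.g. jane@example.com
        "password": password,
        "scope": "openid",      # request an ID token so the reply identifies the user
    })


def fake_adfs_token_endpoint(body):
    """Stand-in for AD FS: checks the posted credentials against a constructed
    directory and answers the way a real token endpoint would."""
    directory = {"jane@example.com": "Correct-Horse-7"}  # constructed test data
    form = {k: v[0] for k, v in parse_qs(body).items()}
    if form.get("grant_type") != "password" or form.get("client_id") != ADFS_CLIENT_ID:
        return 400, json.dumps({"error": "invalid_client"})
    if directory.get(form.get("username")) != form.get("password"):
        return 400, json.dumps({"error": "invalid_grant",
                                "error_description": "wrong username or password"})
    return 200, json.dumps({"token_type": "bearer", "expires_in": 3600,
                            "access_token": "<opaque>", "id_token": "<jwt for jane>"})


def verify_password(username, password, discovery=DISCOVERY_DOC,
                    transport=fake_adfs_token_endpoint):
    """Return True if AD FS accepts the credentials, False if it rejects them.

    Any other outcome (unusable endpoint, IdP error) raises, so a caller never
    mistakes an outage for a bad password.
    """
    token_endpoint_from_discovery(discovery)  # validates scheme and grant support
    status, body = transport(build_ropg_request(ADFS_CLIENT_ID, username, password))
    response = json.loads(body)
    if status == 200 and "id_token" in response:
        return True
    if status == 400 and response.get("error") == "invalid_grant":
        return False
    raise RuntimeError("token endpoint error %d: %s" % (status, response.get("error")))


if __name__ == "__main__":
    print(verify_password("jane@example.com", "Correct-Horse-7"))  # True
    print(verify_password("jane@example.com", "wrong"))            # False
```

The three-way outcome matters in practice: a password-sync client that treats an IdP outage or a misconfigured client ID the same as a wrong password will either lock users out or, worse, silently stop verifying.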

Configuring Jamf Connect with AD FS

Requirements
  1. Confirm that Azure AD is federated with AD FS and that AD FS is configured and enabled for OpenID Connect and OAuth 2.0, including the resource owner password grant that Jamf Connect uses for password verification.
  2. Add the following preference keys to your login window configuration profile. The name in parentheses is how each key appears in Jamf Connect Configuration:

    OIDCProvider (Identity Provider)
    Specifies Azure AD as the cloud IdP used for authentication.

    <key>OIDCProvider</key>
    <string>Azure</string>

    OIDCClientID (Client ID)
    The client ID of the app registered in Azure AD that Jamf Connect uses to authenticate the user.

    <key>OIDCClientID</key>
    <string>8zcc52c7-ee36-4889-8517-lkjslkjoe23</string>

    OIDCNewPassword (Create a Separate Local Password)
    Set to false so that users are prompted to re-enter their network password during account creation and that password becomes the local account password. This keeps the network and local passwords in sync from the moment the account is created.

    <key>OIDCNewPassword</key>
    <false/>

    ROPGProvider (Identity Provider (Hybrid ID))
    Specifies the IdP Jamf Connect uses to verify and sync passwords. Set this to "Custom" so that Jamf Connect performs the ROPG against AD FS rather than Azure AD.

    <key>ROPGProvider</key>
    <string>Custom</string>

    OIDCROPGID (Client ID (Password Verification))
    The client ID of the Jamf Connect application in AD FS.

    <key>OIDCROPGID</key>
    <string>86f07d1c-0ae4-437d-9fde-fcf165a5a965</string>

    ROPGRedirectURI (Redirect URI (Hybrid ID))
    The redirect URI configured for the Jamf Connect application in AD FS. It must match the value registered in AD FS exactly.

    <key>ROPGRedirectURI</key>
    <string>https://127.0.0.1/jamfconnect</string>

    ROPGDiscoveryURL (Discovery URL (Hybrid ID))
    The OpenID Connect discovery endpoint of your AD FS server: your AD FS host name followed by "/adfs/.well-known/openid-configuration". Use https; Jamf Connect reads the token endpoint from this document and sends the user's password to it.

    <key>ROPGDiscoveryURL</key>
    <string>https://adfs.jamfconnect.com/adfs/.well-known/openid-configuration</string>
  3. Add the following keys to the IdPSettings dictionary in your menu bar configuration profile. The name in parentheses is how each key appears in Jamf Connect Configuration:

    Provider (Identity Provider)
    Specifies the IdP Jamf Connect uses to verify and sync passwords. Set this to "Custom" so that Jamf Connect uses AD FS.

    <key>Provider</key>
    <string>Custom</string>

    DiscoveryURL (Discovery URL)
    The OpenID Connect discovery endpoint of your AD FS server: your AD FS host name followed by "/adfs/.well-known/openid-configuration". Use the same value as ROPGDiscoveryURL in the login window profile.

    <key>DiscoveryURL</key>
    <string>https://adfs.jamfconnect.com/adfs/.well-known/openid-configuration</string>

    ROPGID (Client ID)
    The client ID of the Jamf Connect application in AD FS, the same value as OIDCROPGID in the login window profile.

    <key>ROPGID</key>
    <string>86f07d1c-0ae4-437d-9fde-fcf165a5a965</string>
  4. Test your configuration profiles with Jamf Connect Configuration or a test computer to confirm authentication is correctly configured.
  5. Save your configuration profiles.
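The two profiles above carry the same AD FS client ID and discovery URL under different key names, and a mismatch between them is a common reason password verification works at the login window but not in the menu bar (or vice versa). The script below is an added example, not Jamf Connect's own tooling: it builds both preference dictionaries from steps 2 and 3 with plistlib and checks the values that must agree before you save and deploy the profiles. The host name and client IDs are placeholders.

```python
"""Build and cross-check the Jamf Connect login window and menu bar profiles.

Added example, not Jamf Connect's own tooling. Host name and client IDs are
placeholders; the checks mirror the requirements of steps 2 and 3.
"""
import plistlib
from urllib.parse import urlparse

DISCOVERY_SUFFIX = "/adfs/.well-known/openid-configuration"


def login_window_settings(azure_client_id, adfs_client_id, adfs_host):
    """Preference keys for the login window profile (step 2)."""
    return {
        "OIDCProvider": "Azure",
        "OIDCClientID": azure_client_id,
        "OIDCNewPassword": False,   # local password is the network password
        "ROPGProvider": "Custom",   # verify passwords against AD FS, not Azure AD
        "OIDCROPGID": adfs_client_id,
        "ROPGRedirectURI": "https://127.0.0.1/jamfconnect",
        "ROPGDiscoveryURL": "https://" + adfs_host + DISCOVERY_SUFFIX,
    }


def menu_bar_settings(adfs_client_id, adfs_host):
    """IdPSettings dictionary for the menu bar profile (step 3)."""
    return {"IdPSettings": {
        "Provider": "Custom",
        "DiscoveryURL": "https://" + adfs_host + DISCOVERY_SUFFIX,
        "ROPGID": adfs_client_id,
    }}


def check_profiles(login, menu_bar):
    """Return a list of problems; an empty list means the profiles are consistent."""
    problems = []
    idp = menu_bar.get("IdPSettings", {})
    for where, url in (("login window ROPGDiscoveryURL", login.get("ROPGDiscoveryURL", "")),
                       ("menu bar DiscoveryURL", idp.get("DiscoveryURL", ""))):
        parsed = urlparse(url)
        if parsed.scheme != "https":
            # the token endpoint named by this document receives the user's password
            problems.append(where + " is not https")
        if not parsed.path.endswith(DISCOVERY_SUFFIX):
            problems.append(where + " does not end with " + DISCOVERY_SUFFIX)
    if login.get("ROPGProvider") != "Custom":
        problems.append("login window ROPGProvider must be Custom for AD FS")
    if idp.get("Provider") != "Custom":
        problems.append("menu bar Provider must be Custom for AD FS")
    if login.get("OIDCNewPassword") is not False:
        problems.append("OIDCNewPassword must be false so the local password is the network password")
    if login.get("OIDCROPGID") != idp.get("ROPGID"):
        problems.append("AD FS client ID differs between the two profiles")
    if login.get("ROPGDiscoveryURL") != idp.get("DiscoveryURL"):
        problems.append("discovery URL differs between the two profiles")
    return problems


def to_plist(settings):
    """Serialize a preference dictionary as the XML that goes into the profile."""
    return plistlib.dumps(settings).decode()


if __name__ == "__main__":
    login = login_window_settings("azure-app-client-id", "adfs-app-client-id", "adfs.example.com")
    menu = menu_bar_settings("adfs-app-client-id", "adfs.example.com")
    print(check_profiles(login, menu))  # []
    print(to_plist(login))
```

Run the check against the dictionaries you are about to deploy; the XML from to_plist is the body of the corresponding profile's payload.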

You can now deploy the configuration profiles with an MDM solution.