Passthrough Authentication with Jamf Connect

Passthrough Authentication

Passthrough authentication with Jamf Connect allows the password entered by users in the login window web view to be sent to Jamf Connect for local authentication. This improves the login and account creation experience in the following ways:

  • Network and local authentication are completed without requiring users to re-enter a password. The Verify screen is skipped during during the login process.

    Note:

    Passthrough authentication with Google Cloud ID does not enforce or enable password syncing at the login window. When users with different network and local account passwords log in to their existing local account, users will continue to be prompted to enter both passwords to log in.

    To sync passwords for Google users, the menu bar app must be configured.

  • During local account creation, the network password is automatically used as the new local password. This ensures that the passwords match after account creation.

When passthrough authentication is enabled with the login window, user passwords entered in the login window web view are temporarily written to memory and used to log in or create a local account on computers. When Jamf Connect is finished with the user's password, the value is immediately overwritten as nil and deallocated from memory.

Enabling Passthrough Authentication

Passthrough authentication is not enabled by default and must be enabled in a Jamf Connect login window configuration profile.

Requirements

Passthrough authentication is only supported in IdP environments that use the OpenID Connect authentication protocol (IdP).

To enable passthrough authentication, use the Jamf Connect Configuration app or Jamf Pro's Application & Custom Settings payload to enable the Use Passthrough Authentication (OIDCUsePassthroughAuth) setting in a Jamf Connect login window configuration profile.
Azure AD, OneLogin, or PingFederate

Make sure the a Create a Separate Local Password (OIDCNewPassword) setting is to false or undefined.

<key>OIDCUsePassthroughAuth</key>
<true/>
<key>OIDCNewPassword</key>
<false/>
Google Cloud ID

Make sure the Create a Separate Local Password (OIDCNewPassword) setting is to true or undefined.

<key>OIDCUsePassthroughAuth</key>
<true/>
<key>OIDCNewPassword</key>
<true/>