Advanced Login Authentication Settings

Jamf Connect Documentation

  • Domain: com.jamf.connect.login
  • Description: Used to configure advanced authentication settings and to use custom claims in an ID token.

Setting

Description

Custom Okta Authorization Server

OIDCAuthServer

(Okta only) Specifies a custom authorization server in your Okta tenant. A custom authorization server can add custom scopes and claims to a user's ID token (which can be written to disk via the Formatted ID Token Path (OIDCIDTokenPath) setting) during local account creation.

To set this value, use the authorization server ID, which is the string at the end of your custom authorization server's issuer URI. In the example issuer URI below, abc8o8wzjhckw9TLa0t8q is the authorization server ID.

Example: https://your-custom-auth-server.okta.com/oauth2/abc8o8wzjhckw9TLa0t8q

To use this setting, you must also create an Okta app integration that defines user roles and reference it in the OIDCAccessClientID setting.
Note:

Use this setting only if your Okta tenant has a separate custom authorization server that manages OpenID Connect apps and ID token attributes. If you set it to the same value as the primary tenant used in the Auth Server (AuthServer) setting, authentication with Okta may fail with unexpected errors.

<key>OIDCAuthServer</key>
<string>abc8o8wzjhckw9TLa0t8q</string>

For more information about creating a custom authorization server, see the Create an authorization server documentation from Okta Developer.

Ignore Cookies

OIDCIgnoreCookies

When set to true, ignores any cookies stored by the login window application, so each login starts a fresh session with the identity provider instead of reusing cached session state.

<key>OIDCIgnoreCookies</key>
<false/>

OpenID Connect Scopes

OIDCScopes

Specifies the scopes requested during authorization. Custom scopes return additional claims in a user's ID token. Standard scopes include openid, profile, and offline_access. Separate multiple scopes with a "+".

<key>OIDCScopes</key>
<string>openid+profile</string>

Full Name

OIDCFullName

Specifies a single claim to use for the account's full name, such as firstName, lastName, or another custom claim unique to your environment. This setting overrides the default attributes used to set the full name for an account: name, family_name/given_name, and first/last.

<key>OIDCFullName</key> 
<string>customName</string>

Short Name

OIDCShortName

Specifies which claim from a user's ID token to use as the local macOS account name (short name). The user's network unique name (UPN prefix) is added as an alias to the user's local account.

If the Connect existing local accounts to a network account (Migrate) setting is configured, the value defined by the Short Name (OIDCShortName) setting will appear as an alias for the existing local UNIX user account. The setting will not change the existing user's local account name.

Note:

If the claim you want to use is not in the standard ID token, request the scope that returns it with the OpenID Connect Scopes (OIDCScopes) preference key so that the claim is included in the ID token.

<key>OIDCShortName</key>
<string>given_name</string>

ROPG Short Name

OIDCROPGShortName

Specifies which claim from an ID token to use as the username during the ROPG (resource owner password grant) authentication flow, which Jamf Connect uses for password verification.

Note:

If the claim you want to use is not in the standard ID token, request the scope that returns it with the OpenID Connect Scopes (OIDCScopes) preference key so that the claim is included in the ID token.

This setting is only needed in complex IdP environments where the IdP does not respect the claims Jamf Connect uses to define the username (e.g., unique_name, preferred_username, email, and sub) during the ROPG workflow.

<key>OIDCROPGShortName</key>
<string>given_name</string> 

Formatted ID Token Path

OIDCIDTokenPath

Specifies the file path where a user's formatted ID token is written so that a login script can read it.

Note:

This setting requires that the RunScript mechanism is enabled. For more information, see Adding a Login Script.

<key>OIDCIDTokenPath</key>
<string>/tmp/token</string>

Raw ID Token Path

OIDCIDTokenPathRaw

Specifies the file path where a user's raw ID token (the signed JWT as issued by the identity provider) is written so that a login script can read it. Because the file carries the user's identity claims, the login script that consumes it should remove the file when it is finished.

Note:

This setting requires that the RunScript mechanism is enabled. For more information, see Adding a Login Script.

<key>OIDCIDTokenPathRaw</key>
<string>/tmp/token-raw</string>

UseUserInfo

(PingFederate only) When enabled (set to true), this setting allows Jamf Connect to request additional claims from a PingFederate user token. Use this setting only if you are issuing an internally managed reference token from PingFederate.

For more information about managing PingFederate, see the OAuth configuration documentation from Ping Identity.

<key>UseUserInfo</key>
<false/>