Microsoft Entra ID Hybrid ID Settings

Jamf Connect Documentation

  • Domain — com.jamf.connect.login
  • Description — Used to configure authentication and password syncing for Microsoft Entra ID hybrid identity environments.

Setting

Description

Identity Provider (Hybrid ID)

ROPGProvider

Specifies where Jamf Connect should attempt to sync passwords. The following values are supported:

  • Custom
  • Azure_v2
 
<key>ROPGProvider</key>
<string>Azure_v2</string>

Tenant ID (Hybrid ID)

ROPGTenant

Specifies the tenant ID in your organization to use for password verification.

<key>ROPGTenant</key>
<string>15e7196d-8bd5-4034-ae01-7bda4ad0c91e</string>

Discovery URL (Hybrid ID)

ROPGDiscoveryURL

Specifies your OpenID Connect discovery endpoint. If using AD FS, this value is your AD FS domain combined with the following: "/adfs/.well-known/openid-configuration"

Note:

This key is required if you set the ROPGProvider key to "Custom".

<key>ROPGDiscoveryURL</key>
<string>https://adfs.jamfconnect.com/adfs/.well-known/openid-configuration</string>

 

Redirect URI (Hybrid ID)

ROPGRedirectURI

Specifies the redirect URI used by the created application in AD FS or Microsoft Entra ID.

https://127.0.0.1/jamfconnect is recommended by default, but any valid URI value may be used as long as the configured value in Microsoft Entra ID or AD FS matches the value in your Jamf Connect Login configuration profile.

<key>ROPGRedirectURI</key>
<string>https://127.0.0.1/jamfconnect</string>

Client Secret (Hybrid ID)

ROPGClientSecret

Specifies the client secret of your Jamf Connect application. Consider the following scenarios when configuring client secrets:

  • If you are using the same client secret for both ROPG and the authorization grant with Microsoft Entra ID, do not set this setting. Jamf Connect Login will use the secret set with the OIDCClientSecret setting for both authentication and password verification.
  • If you are not using a client secret for ROPG authentication, set this value to NONE.
  • If using a different client secret for each authentication process, set both the OIDCClientSecret and ROPGClientSecret settings to their respective values.

<key>ROPGClientSecret</key>
<string>your-client-secret</string>

ROPG Scopes (Hybrid ID)

ROPGScopes

Specifies custom scopes, which can return additional claims in a user's ID token during authorization. Standard scopes include "openid", "profile", and "offline_access". This key should be configured as a string with space-separated values.

<key>ROPGScopes</key>
<string>openid profile</string>
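
The rules stated in the setting descriptions above can be checked before a profile is deployed. The following linter is an added example, not part of the Jamf Connect documentation or product; the function names and the sample payload are constructed for illustration, and the discovery URL suffix check assumes the standard OpenID Connect discovery path.

```python
import plistlib

# Constructed sample payload for com.jamf.connect.login; all values are placeholders.
SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>ROPGProvider</key><string>Custom</string>
  <key>ROPGRedirectURI</key><string>https://127.0.0.1/jamfconnect</string>
  <key>OIDCClientSecret</key><string>placeholder-secret</string>
  <key>ROPGScopes</key><string>openid, profile</string>
</dict></plist>"""

SUPPORTED_PROVIDERS = {"Custom", "Azure_v2"}
DISCOVERY_SUFFIX = "/.well-known/openid-configuration"


def load_settings(data):
    """Parse a plist payload (XML or binary) into a dict of settings."""
    return plistlib.loads(data)


def secret_source(settings):
    """Name the secret used for password verification, per the Client Secret rules."""
    ropg = settings.get("ROPGClientSecret")
    if ropg is None:
        # Unset: Jamf Connect Login falls back to OIDCClientSecret.
        return "OIDCClientSecret" if "OIDCClientSecret" in settings else "unset"
    return "none" if ropg == "NONE" else "ROPGClientSecret"


def lint_hybrid_id(settings):
    """Return findings for the Hybrid ID keys described on this page."""
    findings = []
    provider = settings.get("ROPGProvider")
    if provider not in SUPPORTED_PROVIDERS:
        findings.append(f"ROPGProvider {provider!r} is not Custom or Azure_v2")
    url = settings.get("ROPGDiscoveryURL", "")
    if provider == "Custom" and not url:
        findings.append("ROPGDiscoveryURL is required when ROPGProvider is Custom")
    if url and not url.endswith(DISCOVERY_SUFFIX):
        findings.append(f"ROPGDiscoveryURL does not end in {DISCOVERY_SUFFIX}")
    if "," in settings.get("ROPGScopes", ""):
        findings.append("ROPGScopes must be space-separated, not comma-separated")
    if secret_source(settings) == "unset":
        findings.append("no client secret configured; set ROPGClientSecret to NONE if none is used")
    return findings


if __name__ == "__main__":
    for finding in lint_hybrid_id(load_settings(SAMPLE)):
        print("FINDING:", finding)
```

The redirect URI is not checked because it can only be compared against the value registered in Microsoft Entra ID or AD FS.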