After the removal of all previous IdP information, the Jamf Connect login window can be re-configured and deployed with the new identity provider information to complete the change.
The Jamf Connect login window must be disabled and all previous IdP attributes must be removed from your computers.
Deploy a new configuration for the Jamf Connect login window with the settings for the new identity provider. In that configuration, set the Connect existing local accounts to a network account (Migrate) setting to true. For more information on configuring Jamf Connect or account migration, see Configuration Methods for Jamf Connect and Local Account Migration.
In your existing Jamf Pro policy or Terminal, run the command /usr/local/bin/authchanger -reset -JamfConnect to re-enable the Jamf Connect login window.
Instruct users in your organization to log out and then log in with the new IdP. If FileVault disk encryption is enabled on the computer, the user must navigate to the Apple button in the menu bar and select Log out [current user].... After logging out, the computer should not be powered down or restarted before the user logs in through the new identity provider. See Turning On FileVault with Jamf Connect for details on the user experience with FileVault.
If the short name used by the identity provider matches the existing short name (e.g. the user's local UNIX short name is edith.mackenzie and the user's identity provider user name is edith.mackenzie@example.com), the user will be migrated silently.
If the short names do not match, the user will be asked to select a local account to adopt.
See Existing Local Account Migrations for more information.
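A pre-flight check for the matching rule described above, as an added example that is not part of the Jamf documentation: it predicts, for each IdP user name, whether the login would migrate silently or prompt the user to select a local account. It assumes the IdP short name is the part of the user name before the "@" and that it is compared exactly with the local short name; the function names and the sample account lists are constructed for illustration.

```shell
#!/bin/sh
# Added example: predict silent vs. prompted migration before rollout.
# Assumption: IdP short name = text before "@" in the IdP user name,
# compared exactly with the local UNIX short name.

# idp_short_name USERNAME -> prints the part before the first "@"
idp_short_name() {
    printf '%s\n' "${1%%@*}"
}

# migration_outcome IDP_USERNAME LOCAL_ACCOUNTS
# LOCAL_ACCOUNTS is a whitespace-separated list of local short names.
# Prints "silent" when a local account matches, otherwise "prompt".
migration_outcome() {
    short=$(idp_short_name "$1")
    for acct in $2; do
        if [ "$acct" = "$short" ]; then
            printf 'silent\n'
            return 0
        fi
    done
    printf 'prompt\n'
}

# report IDP_USERNAMES LOCAL_ACCOUNTS -> one "user outcome" line per user
report() {
    for user in $1; do
        printf '%s %s\n' "$user" "$(migration_outcome "$user" "$2")"
    done
}

# Constructed sample data. On a Mac, the local list could instead come from:
#   dscl . -list /Users UniqueID | awk '$2 >= 501 {print $1}'
LOCAL_ACCOUNTS="admin edith.mackenzie jsmith"
IDP_USERS="edith.mackenzie@example.com john.smith@example.com"

report "$IDP_USERS" "$LOCAL_ACCOUNTS"
```

Users reported as "prompt" are the ones to brief in advance, since they will be asked to choose which local account to adopt.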