Discovery URL Endpoints for OpenID Connect Authentication

Jamf Connect Documentation

Jamf Connect uses your cloud identity provider's (IdP) discovery endpoint during the OpenID Connect authentication process. Depending on your IdP and configuration profile settings, Jamf Connect uses the following sequence to find a discovery URL endpoint value:
  1. A Discovery URL value in a Jamf Connect configuration profile. If configured, this value will override Jamf Connect's pre-configured discovery URL values for your IdP. This option is required for PingFederate and custom IdP options.

  2. Automatically construct a discovery URL using a Tenant ID value in a Jamf Connect configuration profile. This option is required for IBM Security Verify and OneLogin.

  3. Automatically use a default discovery URL that is pre-configured in Jamf Connect. This option is used by Microsoft Entra ID and Google Cloud ID.

To ensure authentication with Jamf Connect does not use an invalid discovery URL, make sure you do the following:
  • If you are using an identity provider other than PingFederate or a custom option, make sure discovery URL key-value pairs are either not configured or match the discovery endpoint documented by your IdP.

  • If you use Jamf Connect with Microsoft Entra ID in an AD FS hybrid identity environment, in addition to making sure the Discovery URL (OIDCDiscoveryURL) is not configured, make sure the Discovery URL (Hybrid ID) (ROPGDiscoveryURL) uses your AD FS discovery endpoint.
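
The two checks above can be run against an exported configuration profile payload before it is deployed. The following is an added example, not Jamf's own code: the `OIDCProvider` key name and its provider values, the helper names, and the sample payload with its `example.net` host are assumptions constructed for illustration, and the IdP-documented and AD FS endpoints are supplied by the administrator.

```python
import plistlib
from urllib.parse import urlsplit

# Constructed sample payload; OIDCProvider and its values are assumed names.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>OIDCProvider</key><string>GoogleID</string>
  <key>OIDCDiscoveryURL</key>
  <string>https://accounts.example.net/.well-known/openid-configuration</string>
</dict></plist>"""

# IdP options for which the page says an explicit Discovery URL is required.
EXPLICIT_REQUIRED = {"PingFederate", "Custom"}

def _norm(url):
    """Reduce a URL to scheme, host, port and path (host case, trailing slash ignored)."""
    p = urlsplit(url.strip())
    return (p.scheme.lower(), p.hostname or "", p.port, p.path.rstrip("/"))

def audit(settings, documented_url=None, adfs_url=None):
    """Return findings for one payload dict.

    documented_url: discovery endpoint documented by the IdP.
    adfs_url: AD FS discovery endpoint; pass it only for Entra ID hybrid setups.
    """
    findings = []
    provider = settings.get("OIDCProvider")
    oidc = settings.get("OIDCDiscoveryURL")
    ropg = settings.get("ROPGDiscoveryURL")
    if provider in EXPLICIT_REQUIRED:
        if not oidc:
            findings.append("OIDCDiscoveryURL is required for this IdP but not set")
    elif oidc and (documented_url is None or _norm(oidc) != _norm(documented_url)):
        # An explicit value overrides the built-in one, so it must match the IdP's.
        findings.append("OIDCDiscoveryURL differs from the IdP-documented endpoint")
    if adfs_url is not None:
        if oidc:
            findings.append("OIDCDiscoveryURL must not be set in an AD FS hybrid setup")
        if not ropg or _norm(ropg) != _norm(adfs_url):
            findings.append("ROPGDiscoveryURL does not match the AD FS endpoint")
    return findings

def audit_profile(data, **kwargs):
    """Parse a plist payload (bytes) and audit its discovery URL settings."""
    return audit(plistlib.loads(data), **kwargs)
```

An empty list means the payload follows both rules; any finding names the key to correct or remove.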