Self Service+ Authentication Settings

Jamf Connect Documentation

Domain: com.jamf.connect
Dictionary: IdPSettings
Description:

    Used to allow Self Service+ (formerly the Jamf Connect menu bar app) to complete authentication between your IdP and local accounts. Required settings vary by IdP.

Setting

Description

Identity Provider

Provider

(Required) Specifies the name of your cloud identity provider. The following values are supported:

  • EntraID (formerly Azure)
  • IBMCI
  • GoogleID
  • Okta
  • OktaIdentityEngine
  • Okta OIDC
  • OneLogin
  • PingFederate
  • Custom
<key>Provider</key>
<string>Azure</string>

Okta Auth Server

OktaAuthServer

(Required: Okta Classic Engine or Okta Identity Engine) Specifies your organization's Okta domain or custom authorization server. A preceding "https://" is optional for domains.

<key>OktaAuthServer</key>
<string>your-company.okta.com</string>

Client ID

ROPGID

(Required: OpenID Connect only) Specifies the client ID of your Self Service+ app in your IdP. Self Service+ uses this client to complete a resource owner password grant (ROPG) against the IdP's token endpoint; that grant is how the user's password is verified against the IdP.

<key>ROPGID</key>
<string>9fcc52c7-ee36-4889-8517-lkjslkjoe23</string>

Discovery URL

DiscoveryURL

Specifies your IdP's OpenID Connect discovery endpoint. This value has the following format: https://domain.url.com/.well-known/openid-configuration

If using AD FS, this value is your AD FS domain combined with the following: /adfs/.well-known/openid-configuration/

Note:

This setting is required if your Identity Provider (Provider) is set to Custom or PingFederate.

<key>DiscoveryURL</key>
<string>https://domain.url.com/.well-known/openid-configuration</string>

Tenant ID

TenantID

Specifies the Tenant ID for your organization used for authentication.

Note:

If IBM Security Verify is your IdP, this value is required and matches the tenant name used in your IBM URL. (e.g. https://companyname.ibmcloud.com)

<key>TenantID</key>
<string>companyname</string>

Change Password URL

ChangePasswordURL

Specifies a URL that opens a web page supported by your IdP where users may change their password.

Note:

If Entra ID is your IdP, the default URL is https://mysignins.microsoft.com/security-info/password/change.

If Okta is your IdP, the default URL is the domain listed for the Okta Auth Server (OktaAuthServer) preference key followed by /enduser/settings.

If Google Identity is your IdP, Jamf recommends using this URL: https://myaccount.google.com/intro/signinoptions/password

Organizations with more customized Entra ID, Okta, or Google Identity environments may use custom URLs.

<key>ChangePasswordURL</key>
<string>https://IDP_EXAMPLE.com/.well-known/change-password</string> 

Reset Password URL

ResetPasswordURL

Specifies a URL that opens a web page supported by your IdP where users may reset their password if they forget it.

Note:

If Entra ID is your IdP, the default URL is https://passwordreset.microsoftonline.com/.

If Okta is your IdP, the default URL is the domain listed for the Okta Auth Server (OktaAuthServer) preference key followed by /signin/forgot-password.

If Google Identity is your IdP, Jamf recommends using the Google Account recovery page.

Organizations with more customized Entra ID, Okta, or Google Identity environments may use custom URLs.

<key>ResetPasswordURL</key>
<string>https://IDP_EXAMPLE.com/.well-known/change-password</string>

Client Secret

ClientSecret

Specifies the client secret of your Self Service+ app in your IdP.

<key>ClientSecret</key>
<string>yourClientSecret</string>

Scopes

Scopes

Specifies custom OIDC scopes, which return additional claims in a user's ID token during authorization. Standard scopes include openid, profile, and offline_access. If you include multiple scopes, use a "+" to separate them.

<key>Scopes</key>
<string>openid+profile</string>

Password Verification Success Codes

SuccessCodes

Specifies an array of strings containing error codes that your IdP may return during ROPG password verification and that Self Service+ should interpret as a successful verification. Only list codes the IdP returns after the password itself has been accepted (for example, a code raised by a conditional access or multifactor policy); a code that indicates an incorrect or unverified password must never be listed, because every entry here converts an IdP failure into a successful local password check.

For possible error codes that may need to be configured in your environment, see the Microsoft Entra authentication and authorization error codes documentation from Microsoft.

If you use OneLogin and multifactor authentication in your environment, include the string MFA in this array.

<key>SuccessCodes</key>
<array>
<string>AADSTS50012</string>
<string>AADSTS50131</string>
</array>

License File

LicenseFile

Specifies the contents of a Jamf Connect license file encoded in Base64 data format. License files are available from Jamf Account.

<key>LicenseFile</key>
<data>encoded-license-content</data>

Admin Attribute

OIDCAdminAttribute

Specifies which ID token claim Self Service+ reads when evaluating the User Promotion Role (UserPromotionRole) setting for the Privilege Elevation feature. By default, Self Service+ uses the groups claim and looks for any of the values listed in the Admin Roles (OIDCAdmin) setting.

Note:

If using Microsoft Entra ID, set this value to roles. If using Google Identity, user roles cannot be defined using an ID token.

When configuring the Admin Attribute (OIDCAdminAttribute) setting manually, add the setting to the IdPSettings dictionary rather than the TemporaryUserPermissions dictionary.

<key>OIDCAdminAttribute</key>
<string>groups</string>
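The following script is an added example, not Jamf's code, that assembles the IdPSettings dictionary described above and checks it against the rules in this table before it is pushed in a configuration profile: Provider is required, OktaAuthServer is required for Okta providers, DiscoveryURL is required for Custom and PingFederate, TenantID is required for IBMCI, Scopes are "+"-separated, SuccessCodes is an array of strings, and LicenseFile is a Base64 <data> element. It also derives the documented default ChangePasswordURL/ResetPasswordURL values for Entra ID and Okta. The Okta domain comes from the page's own placeholder; the client ID and license bytes are constructed placeholders.

```python
"""Assemble and sanity-check a Jamf Connect IdPSettings dictionary (added example)."""
import plistlib
import re
from urllib.parse import urlparse

# Keys that each Provider value makes mandatory, as stated in the table.
REQUIRED_BY_PROVIDER = {
    "Okta": {"OktaAuthServer"},
    "OktaIdentityEngine": {"OktaAuthServer"},
    "Custom": {"DiscoveryURL"},
    "PingFederate": {"DiscoveryURL"},
    "IBMCI": {"TenantID"},
}
# Provider names listed on the page; "Azure" is accepted because the page's
# own Provider example still uses that value for Entra ID.
KNOWN_PROVIDERS = {"Azure", "EntraID", "IBMCI", "GoogleID", "Okta", "OktaIdentityEngine",
                   "Okta OIDC", "OneLogin", "PingFederate", "Custom"}
SCOPE_TOKEN = re.compile(r"^[A-Za-z0-9_.:/-]+$")  # a single scope name, no separators


def okta_base_url(auth_server):
    """Normalise OktaAuthServer; the page says the https:// prefix is optional."""
    host = auth_server.strip()
    if not host.startswith("https://"):
        host = "https://" + host
    return host.rstrip("/")


def default_password_urls(settings):
    """Documented default change/reset URLs for Entra ID and Okta; {} otherwise."""
    provider = settings.get("Provider")
    if provider in ("EntraID", "Azure"):
        return {"ChangePasswordURL": "https://mysignins.microsoft.com/security-info/password/change",
                "ResetPasswordURL": "https://passwordreset.microsoftonline.com/"}
    if provider in ("Okta", "OktaIdentityEngine") and settings.get("OktaAuthServer"):
        base = okta_base_url(settings["OktaAuthServer"])
        return {"ChangePasswordURL": base + "/enduser/settings",
                "ResetPasswordURL": base + "/signin/forgot-password"}
    return {}


def _is_https(value):
    parsed = urlparse(value)
    return parsed.scheme == "https" and bool(parsed.netloc)


def validate_idp_settings(settings):
    """Return findings ("error: ..." / "warning: ..."); [] means consistent with the table."""
    findings = []
    provider = settings.get("Provider")
    if not provider:
        findings.append("error: Provider is required")
    elif provider not in KNOWN_PROVIDERS:
        findings.append(f"error: unknown Provider {provider!r}")
    for key in sorted(REQUIRED_BY_PROVIDER.get(provider, ())):
        if not settings.get(key):
            findings.append(f"error: {key} is required when Provider is {provider}")
    if settings.get("OktaAuthServer"):
        parsed = urlparse(okta_base_url(settings["OktaAuthServer"]))
        if parsed.path or not parsed.netloc:
            findings.append("error: OktaAuthServer must be a bare domain, optionally prefixed with https://")
    if "DiscoveryURL" in settings:
        url = settings["DiscoveryURL"]
        # AD FS publishes the document with a trailing slash, so accept both forms.
        if not _is_https(url) or not url.rstrip("/").endswith("/.well-known/openid-configuration"):
            findings.append("error: DiscoveryURL must be an https URL ending in /.well-known/openid-configuration")
    for key in ("ChangePasswordURL", "ResetPasswordURL"):
        if key in settings and not _is_https(settings[key]):
            findings.append(f"error: {key} must be an https URL")
    if "Scopes" in settings:
        # The page requires "+" between scopes; a space or comma would become part of a scope name.
        if any(not SCOPE_TOKEN.match(s) for s in settings["Scopes"].split("+")):
            findings.append("error: Scopes must be '+'-separated, e.g. openid+profile+offline_access")
    if "SuccessCodes" in settings:
        codes = settings["SuccessCodes"]
        if not isinstance(codes, list) or not all(isinstance(c, str) for c in codes):
            findings.append("error: SuccessCodes must be an array of strings")
        elif codes:
            # Every listed code turns an IdP error into a successful password check: surface them for review.
            findings.append("warning: SuccessCodes treats these IdP errors as success: " + ", ".join(codes))
    if "LicenseFile" in settings and not isinstance(settings["LicenseFile"], bytes):
        findings.append("error: LicenseFile must be a <data> (Base64) element, not a string")
    if "ClientSecret" in settings:
        findings.append("warning: ClientSecret is stored in clear text in the profile; protect the profile accordingly")
    return findings


def example_okta_settings():
    """Constructed Okta Identity Engine configuration (placeholder client ID and license)."""
    return {
        "Provider": "OktaIdentityEngine",
        "OktaAuthServer": "your-company.okta.com",      # placeholder domain from the page
        "ROPGID": "0oa1example2client3id",               # constructed placeholder
        "Scopes": "openid+profile+offline_access",
        "LicenseFile": b"constructed-license-bytes",      # stands in for the real Base64 license
    }


def plist_roundtrip(settings):
    """Serialise as the IdPSettings dictionary of a profile payload and parse it back."""
    return plistlib.loads(plistlib.dumps({"IdPSettings": settings}))["IdPSettings"]


if __name__ == "__main__":
    cfg = example_okta_settings()
    cfg.update(default_password_urls(cfg))
    for line in validate_idp_settings(cfg) or ["ok: no findings"]:
        print(line)
    print(plistlib.dumps({"IdPSettings": cfg}).decode())
```

Run it against the dictionary you intend to deploy; the warnings on SuccessCodes and ClientSecret are deliberate, since those two keys are where a misconfiguration weakens authentication rather than merely breaking it.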