OpenID Connect User Role Settings

Jamf Connect Documentation

Solution
Application: Jamf Connect
Content Type: Technical Documentation
Utilities & Services
ft:locale: en-US

Domain —com.jamf.connect.login
Description —
Used to configure user roles from ID token attributes receive from an OpenID Connect authentication


Setting	Description
Admin Attribute `OIDCAdminAttribute`	Specifies which attribute stored in an ID token is used to determine if a standard or administrator local account should be created for a user. By default, Jamf Connect uses the groups attribute to find any values specified in the Admin Roles (`OIDCAdmin`) setting. Note: If using Microsoft Entra ID, set this value to `roles`. If using Google Identity, user roles cannot be defined using an ID token. `<key>OIDCAdminAttribute</key> <string>groups</string>`
Admin Roles `OIDCAdmin`	Specifies which user roles (or groups) configured in your IdP become local administrators during account creation. You can specify one role or more roles as an array of strings. Jamf Connect looks for these values in the "groups" attribute of the ID token by default unless the Admin Attribute (`OIDCAdminAttribute`) setting is configured. Note: If using Okta Identity Engine, the OpenID Connect Scopes (`OIDCScopes`) setting must be specified with the following scope: `openid profile email groups`. Okta requires space delimiters in the scope request instead of a `+`. If using Google Identity, user roles cannot be defined using an ID token. `<key>OIDCAdmin</key> <array> <string>role-one</string> <string>role-two</string> <string>role-three</string> <string>role-four</string> </array>`
Ignore Roles `OIDCIgnoreAdmin`	When enabled (set to true), Jamf Connect Login ignores any roles that exist in your IdP. This setting ensures local user accounts maintain their current status as either an administrator or standard account. When disabled (set to false) or unspecified, Jamf Connect Login reads the `OIDCAdmin` setting for configured roles and will change a local user account status based on any roles in your IdP. `<key>OIDCIgnoreAdmin</key> <false/>`
Secondary Access Group `OIDCSecondaryAccess`	Specify user roles (or groups) to determine if a user is allowed to create additional users on computers after the first local account is created. Jamf Connect looks for these values in the `role` attribute of the ID token when `OIDCProvider` is set to `Azure` or `EntraID`. Jamf Connect looks for these values in the `OIDCAdminAttribute` attribute of the ID token for all other OIDC providers. Note: If using Okta Identity Engine, the OpenID Connect Scopes (`OIDCScopes`) setting must be specified with the following scope: `openid profile email groups`. Okta requires space delimiters in the scope request instead of a `+`. `<key>OIDCSecondaryAccess</key> <array> <string>IT</string> </array>`
Ignore Local Accounts for Secondary Access `ExistingUsersHide`	Specify the local user account names (such as IT service accounts) to ignore when Jamf Connect determines blocking new account provisioning based on the secondary access feature. Can be used in conjunction with Secondary Login Client ID (`OIDCSecondaryLoginClientID`) for Okta Classic or Secondary Access Group (`OIDCSecondaryAccess`) for all other identity providers. `<key>ExistingUsersHide</key> <array> <string>it-admin</string> </array>`