For the OIDCAccessClientID and OIDCAdminClientID keys in your plist, you need the Client IDs of the apps you created in Okta, not the names. A Client ID will look something like 0oabtovodgiI1Anjh357.
After logging in to the user account, take a look at the Connect login logs by going to "/private/tmp/jamf_login.log", or, in Terminal, run:
log show --style compact --predicate 'subsystem == "com.jamf.connect.login"' --debug --last 30m > ~/Desktop/JamfConnectLogin.log
In the log files you're looking for mentions of messages similar to the following:
OIDC lookup working...
Processing Okta ID Token
OIDC lookup completed.
Found managed preference in com.jamf.connect.login: OIDCAdminClientID
OIDC lookup working...
OIDC lookup completed.
User granted standard access by OIDC lookup
Hi @talkingmoose ,
Thanks for your reply.
I do have the correct client IDs but I've replaced them in this code snippet for privacy reasons.
Hi @mikevandelinder ,
Good tip. I should have looked there sooner.
I do find:
...
Found managed preference in com.jamf.connect.login: OIDCAccessClientID
...
Found managed preference in com.jamf.connect.login: OIDCAdminClientID
OIDC lookup working...
OIDC lookup completed.
User granted standard access by OIDC lookup
So based on the logs:
- Is it correct to say it does find me in both the Access app and the Admin app?
- It should give me admin access, right?
Julien
If it is coming back saying "standard" access, I would suspect the lookup isn't finding the user to be a member of the Admin client app group - any way to confirm via Okta?
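The log check discussed above can be scripted. This is an added example, not part of any post in the thread and not Jamf's own tooling: it summarises which OIDC client ID keys the login log reports and which access level the lookup granted. The message wording comes from the lines quoted in the thread; that other access levels use the same "User granted <level> access" wording is an assumption, and the sample log is constructed.

```shell
#!/bin/sh
# Added example: summarise the OIDC role lookup in a Jamf Connect login log.
# Reads the file given as $1, or standard input when no file is given.
summarize_oidc_lookup() {
    awk '
        /Found managed preference in com\.jamf\.connect\.login: OIDCAccessClientID/ { access = 1 }
        /Found managed preference in com\.jamf\.connect\.login: OIDCAdminClientID/  { admin = 1 }
        # Assumption: every access level is logged with this same wording.
        /User granted .* access by OIDC lookup/ {
            level = $0
            sub(/.*User granted /, "", level)
            sub(/ access by OIDC lookup.*/, "", level)
        }
        END {
            printf "OIDCAccessClientID=%s OIDCAdminClientID=%s granted=%s\n",
                (access ? "found" : "missing"), (admin ? "found" : "missing"),
                (level == "" ? "none" : level)
            # "Found managed preference" only means the key is set in the profile.
            # It does not mean the user was found in that Okta app.
            if (admin && level == "standard")
                print "NOTE: OIDCAdminClientID is set but standard access was granted; confirm the user against the Admin app in Okta"
        }
    ' "${1:--}"
}

# Constructed sample built from the log lines quoted in the thread.
sample_log() {
    cat <<'EOF'
Found managed preference in com.jamf.connect.login: OIDCAccessClientID
Found managed preference in com.jamf.connect.login: OIDCAdminClientID
OIDC lookup working...
OIDC lookup completed.
User granted standard access by OIDC lookup
EOF
}

sample_log | summarize_oidc_lookup
```

On a Mac, pass the real file instead, for example summarize_oidc_lookup /private/tmp/jamf_login.log.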
Argh, I misinterpreted the logs then, I thought it did find the user in the Admin app.
The configuration is good and I re-copied everything to make sure but I'll try re-creating the admin app and see if it makes a difference.
Maybe reinstalling the machine might help too.
Thanks, this is already taking me a step further.
Julien
FYI: https://community.jamf.com/t5/jamf-connect/jamf-connect-2-4-4-release/m-p/245960/highlight/true#M1106