Hey Guys,
I have MFA setup in Onelogin for my Jamf Connect app. The Onelogin activity log shows an error that MFA is set on the Onelogin side.
I opened a case with JAMF support and they say that I need the success codes in my PLIST, but they don't know what those should be. I opened a case with Onelogin, and they said that the OIDC standard doesn't support MFA.
Anybody have this working? My intent is to have MFA presented upon MAC login.
Thanks for your thoughts!
Check these blog posts out, it's what I followed when setting things up:
https://travellingtechguy.blog/?s=onelogin
Sounds like you're heading in the right direction and what you need to add is the `SuccessCode` to `MFA`.
<key>SuccessCodes</key>
<array>
<string>MFA</string>
</array>
Check these blog posts out, it's what I followed when setting things up:
https://travellingtechguy.blog/?s=onelogin
Sounds like you're heading in the right direction and what you need to add is the `SuccessCode` to `MFA`.
<key>SuccessCodes</key>
<array>
<string>MFA</string>
</array>
Hey Kendall,
Thanks for the reply. I have that key already in my plist file.
Is it possible the passthrough key is messing me up?
Oh, my apologies. I totally misread your issue.
Yes, we are seeing the exact same errors in logs and have been for months. From what I can tell, everything is working so it is just a false alert within OneLogin's event logs. Is MFA not working within Jamf Connect Login?
@jbresee I had the exact same issue as you and troubleshooted with OneLogin for an hour and we found that in our MFA bypass Security profile there was an option hidden by OneLogin to Skip User Policy MFA. You will have to talk to OneLogin support and have them enable the "Skip User Policy MFA" button for your JAMF Connect MFA Bypass App Security Policy. Then you can select the button under "Forced Authentication or Skip User Policy MFA". That worked for me. However this is just one way of fixing it. Jamfs way is still broken as it does not bypass MFA using the PLIST. But if you dont care about that and only dont want MFA prompts than this will work for you. I have. ticket in with JAMF about the PLIST not working properly.
Oh, my apologies. I totally misread your issue.
Yes, we are seeing the exact same errors in logs and have been for months. From what I can tell, everything is working so it is just a false alert within OneLogin's event logs. Is MFA not working within Jamf Connect Login?
Yeah, MFA request isn't being raised by JAMF connect, but login to the Mac is allowed.
@jbresee I had the exact same issue as you and troubleshooted with OneLogin for an hour and we found that in our MFA bypass Security profile there was an option hidden by OneLogin to Skip User Policy MFA. You will have to talk to OneLogin support and have them enable the "Skip User Policy MFA" button for your JAMF Connect MFA Bypass App Security Policy. Then you can select the button under "Forced Authentication or Skip User Policy MFA". That worked for me. However this is just one way of fixing it. Jamfs way is still broken as it does not bypass MFA using the PLIST. But if you dont care about that and only dont want MFA prompts than this will work for you. I have. ticket in with JAMF about the PLIST not working properly.
I'm not sure I'm following your suggestion. Right now, Jamf connect will allow the user to log into the mac without asking for the 2nd MFA factor. My goal is to have the user enter the 2nd factor.
It sounds like what you are suggesting would allow them not to use MFA - am I reading that right?
I'm not sure I'm following your suggestion. Right now, Jamf connect will allow the user to log into the mac without asking for the 2nd MFA factor. My goal is to have the user enter the 2nd factor.
It sounds like what you are suggesting would allow them not to use MFA - am I reading that right?
I see, then it is something jamf needs to fix. This is from my ticket with them about the MFA key not working. Either not being sent correctly or not being recieved correctly by onelogin.
"Thanks for providing the clarification on what is currently happening. At this point I am going have this case escalated. I am not sure based off everything else that we have collected and reviewed where to go to further narrow this issue down. Looking at your previous Jamf Connect configuration they appear to be set up correctly with the MFA Key. I appreciate all your communication and time on these issues. They will be reaching out soon."
Hey @jbresee ,
This is what I got from Jamf support:
{These failures in OneLogin are expected if MFA is currently enabled in the idP, as Jamf Connect does not prompt for MFA. When Jamf Connect detects the idP failure, it uses an "SuccessCodes" to continue with the operation.
The reason Jamf Connect does not prompt for MFA is because end-users would be prompted every 15 minutes for MFA to ensure the passwords are in sync. By using ROPG, the password check happens silently in the background without any end-user interaction.}
It looks like this is just the way it works and not a bug unfortunately.
Hey @jbresee ,
This is what I got from Jamf support:
{These failures in OneLogin are expected if MFA is currently enabled in the idP, as Jamf Connect does not prompt for MFA. When Jamf Connect detects the idP failure, it uses an "SuccessCodes" to continue with the operation.
The reason Jamf Connect does not prompt for MFA is because end-users would be prompted every 15 minutes for MFA to ensure the passwords are in sync. By using ROPG, the password check happens silently in the background without any end-user interaction.}
It looks like this is just the way it works and not a bug unfortunately.
Ahhhh... OK. So I can just ignore the errors on the Onelogin side.
It seems like a pretty big miss that JAMF connect doesn't support MFA for Mac login.
Hello Everyone,
When we signed into Jamf Connect menubar we're getting MFA error, does anyone have a idea about this error.
Attached the screenshot for reference.
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.