Posted on 03-04-2021 11:21 AM
Hey all,
For quick context, we use Jamf Connect with Okta as our IdP, backed by AD, and Duo for MFA.
I'm seeing a 90-second timeout during a user's first sign-in to a new machine using Jamf Connect. If a user doesn't complete the initial Okta sign-in, Duo setup, and Okta password change within 90 seconds, they get kicked back out to the initial Jamf Connect login prompt. Has anyone else come across a similar issue?
I've checked Okta, Duo, and AD (password and Kerberos settings) for timeouts, but I can't find any that are relevant here. Wondering if it's a timeout in the JC auth mechanism?
Using JC 2.1.3 but seeing the same with the latest 2.x.x as well.
Posted on 03-04-2021 03:56 PM
I believe I've found the smoking gun in the Jamf Connect login log:
Thu Mar 04 15:55:38 [com.jamf.connect.login] - Info - OpenDirectory: Building OD query for name zt11.test
...
Thu Mar 04 15:57:08 [com.jamf.connect.login] - Error - LoginUI: Login timed out. Failing login.
The question is then - is there a way to increase this timeout amount to greater than 90 seconds?
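Added example, not part of the original post and not Jamf tooling: a small Python parser that pairs each login attempt with a following "Login timed out" error in the log format quoted above and reports the elapsed seconds. It assumes the "Building OD query" line marks the start of an attempt; the sample log is constructed from the two lines in the post.

```python
import re
from datetime import datetime

# Constructed sample in the format quoted in the post (not a real capture).
SAMPLE_LOG = """\
Thu Mar 04 15:55:38 [com.jamf.connect.login] - Info - OpenDirectory: Building OD query for name zt11.test
...
Thu Mar 04 15:57:08 [com.jamf.connect.login] - Error - LoginUI: Login timed out. Failing login.
Thu Mar 04 16:02:10 [com.jamf.connect.login] - Info - OpenDirectory: Building OD query for name zt12.test
"""

# Weekday is skipped; month, day and time are captured for parsing.
LINE_RE = re.compile(
    r"^\w{3} (?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) "
    r"\[com\.jamf\.connect\.login\] - (?P<level>\w+) - (?P<msg>.*)$"
)
# Assumption: this message marks the start of a login attempt.
START_RE = re.compile(r"OpenDirectory: Building OD query for name (?P<user>\S+)")
TIMEOUT_MSG = "LoginUI: Login timed out."


def parse_ts(ts):
    # The log carries no year; a fixed leap year is prepended so that
    # deltas within one year (including Feb 29) are computed correctly.
    return datetime.strptime("2000 " + ts, "%Y %b %d %H:%M:%S")


def find_login_timeouts(log_text):
    """Return a list of (user, elapsed_seconds) for attempts that timed out."""
    results = []
    pending = None  # (user, start time) of the most recent attempt
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skips elided lines ("...") and other formats
        ts = parse_ts(m["ts"])
        start = START_RE.search(m["msg"])
        if start:
            pending = (start["user"], ts)
        elif m["level"] == "Error" and TIMEOUT_MSG in m["msg"] and pending:
            user, began = pending
            results.append((user, (ts - began).total_seconds()))
            pending = None
    return results


if __name__ == "__main__":
    for user, secs in find_login_timeouts(SAMPLE_LOG):
        print(f"{user}: login timed out after {secs:.0f}s")
```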
Posted on 03-19-2021 03:28 AM
Same issue. Did you find a solution eventually?
Posted on 04-01-2021 06:40 AM
Also wondering if you found a solution for this. We are seeing similar behavior as well with a very similar setup: Okta, Duo, Jamf Connect 2.x.x
Posted on 04-08-2021 10:30 AM
I talked to Jamf support on this and the 90-second timeout is by design. For now, we're working around it by bypassing MFA setup on first login. Our Okta is backed by AD, so we add all new hires to an AD group which is tied to Okta sign-on and multifactor policies bypassing MFA. We have an AWS Lambda watching for when the user first resets their password, then it removes them from the MFA bypass group. Then we walk the user through MFA setup during orientation.
I put in a feature request to extend the timeout:
https://www.jamf.com/jamf-nation/feature-requests/10306/increase-jamf-connect-authentication-timeout-on-first-login