Jamf Connect Login Timeout with Okta / AD

graines
New Contributor II

Hey all,

For quick context, we use Jamf Connect with Okta as our IdP, backed by AD, and Duo for MFA.

I'm seeing a 90 second timeout during a user's first sign in to a new machine using Jamf Connect. If a user doesn't complete the initial Okta sign in, Duo set up, and Okta password change within 90 seconds, they get kicked back out to the initial Jamf Connect login prompt. Has anyone else come across a similar issue?

I've checked Okta, Duo, and AD (password and kerberos settings) for timeouts, but I can't find any that are relevant here. Wondering if it's a timeout in the JC auth mechanism?

Using JC 2.1.3 but seeing the same with the latest 2.x.x as well.

4 REPLIES 4

graines
New Contributor II

I believe I've found the smoking gun in the Jamf Connect login log:

Thu Mar 04 15:55:38 [com.jamf.connect.login] - Info - OpenDirectory: Building OD query for name zt11.test ...
Thu Mar 04 15:57:08 [com.jamf.connect.login] - Error - LoginUI: Login timed out. Failing login.

The question is then - is there a way to increase this timeout amount to greater than 90 seconds?

JRM5513
New Contributor III

Same issue. Did you find a solution eventually?

dsperring
New Contributor

Also wondering if you found a solution for this, we are seeing similar behavior as well with very similar setup: Okta, Duo, Jamf Connect 2.x.x

graines
New Contributor II

I talked to Jamf support on this and the 90 second timeout is by design. For now, we're working around it by bypassing MFA setup on first login. Our Okta is backed by AD, so we add all new hires to an AD group which is tied to Okta sign on and multifactor policies bypassing MFA. We have an AWS lambda watching for when the user first resets their password, then it removes them from MFA bypass group. Then we walk the user through MFA setup during orientation.

I put in a feature request to extend the timeout:
https://www.jamf.com/jamf-nation/feature-requests/10306/increase-jamf-connect-authentication-timeout-on-first-login