Jamf Connect Login window loop after successful 2FA

Aaron143
New Contributor

Cannot arrive at the desktop. After entering okta credentials and selecting MFA type (push), once I approve the notification, the Mac goes black full screen momentarily, then returns to the login prompt. Okta mobile app prompts that authentication was successful, however no local account creation or login.

15 REPLIES 15

jlombardo
Contributor

I am also running into a similar loop, slightly different.

I have Connect Login setup and it is asking for my Azure credentials. I type them in, get the screen asking if I want to stay signed in to reduce logins, Select Yes (or no), the screen goes black for a minute and then goes back to the first screen asking for the username.

It is showing a successful sign on in Azure Jamf Connect app, then showing "interrupted" a few seconds later. All the settings look correct from the documentation I have read.

Anyone else have this issue before? We do have MFA, but I have disabled it for testing on this account.

ZachWC
New Contributor

Did either of you ever get this resolved?

tjmcginn
New Contributor

I would also like to hear a response, as I am experiencing this same problem now. 6 months after the last post on this thread.

Swesymphony
New Contributor II

Has anyone figured this out yet?

Edno_Alivecor
New Contributor II

When logging in make sure that the proper browser is selected and that the browser plugin is installed and active.

NickKoval
Contributor
Contributor

I've witnessed this looping behavior occur if the IdP is waiting for the Jamf Connect Login client to provide the key

<key>OIDCClientSecret</key>

as part of the authentication process. While the error log may specifically call out "body must contain the following parameter: ‘client_assertion’ or ‘client_secret’", the log may also return error code 401 despite Azure logging the authentication as successful.

yad_devgan
New Contributor III

I'm experiencing this issue in Jamf Connect 2.0. FV2 was ON and individual recovery keys were escrowed to JAMF.

3picGary
New Contributor II

Having the same issue on Jamf Connect 2.0. Using the same settings in a new configuration profile as with Jamf Connect 1.xx (where it is still working fine), but it keeps redirecting me back to the login page. I did notice you can login with a local account, while that actually should not work as it is not enabled in the configuration profile, aside from the fact that I'm authenticating to my IdP. Setting your client secret should not be necessary if you've set that option to "Use PKCE" within your IdP, so that shouldn't be the cause..

Update: I got it fixed. Had to set the “Require Network Authentication” key to “True” in my JCL's config profile and now it's not in a loop anymore.

bsullivancadent
New Contributor

I am also experiencing this issue trying to authenticate via Okta. I get the prompt for MFA and after completing it, the screen refreshes back to the JCL screen.

Having the same issue on Jamf Connect 2.0. Using the same settings in a new configuration profile as with Jamf Connect 1.xx (where it is still working fine), but it keeps redirecting me back to the login page. I did notice you can login with a local account, while that actually should not work as it is not enabled in the configuration profile, aside from the fact that I'm authenticating to my IdP. Setting your client secret should not be necessary if you've set that option to "Use PKCE" within your IdP, so that shouldn't be the cause.. Update: I got it fixed. Had to set the “Require Network Authentication” key to “True” in my JCL's config profile and now it's not in a loop anymore.

I have tried setting DenyLocal to true but the issue persists.

snoble
New Contributor

I am also experiencing this issue. Tried DenyLocal to true also but the issue persists here also. Tried using Use PKCE and setting a client secret and neither seems to change the behavior. Using Okta as the iDP.

clee_-_payfone
New Contributor

I am late to the party. Think the issue is related to having AuthServer & OIDCAuthServer filled out. What I did with the Jamf Connect Config, is just leaving OIDCAuthServer blank and only fill out the Auth Server. If you're using a .plist is just have only AuthServer & get rid of <key>OIDCAuthServer</key>

jbygden
New Contributor III

I'm seeing this with 2.1.1 and Okta, but I don't have the OIDCAuthServer key set, and still get this...

3picGary
New Contributor II

This is my .plist, which it's working fine with 2.1.1, so maybe check if you're missing one key or try and use the same setup?

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"> <dict> <key>AuthServer</key> <string>xxx.okta-emea.com</string> <key>BackgroundImage</key> <string>/usr/local/images/xxx.jpg</string> <key>CreateAdminUser</key> <true/> <key>DenyLocal</key> <true/> <key>EnableFDE</key> <true/> <key>HelpURLLogo</key> <string/> <key>LocalFallback</key> <false/> <key>LoginLogo</key> <string>/usr/local/images/xxx.png</string> <key>LoginScreen</key> <true/> <key>OIDCClientID</key> <string>xxxxxxxxxxxx</string> <key>OIDCDefaultLocal</key> <false/> <key>OIDCIgnoreAdmin</key> <true/> <key>OIDCProvider</key> <string>Okta</string> <key>OIDCRedirectURI</key> <string>xxxxxx</string> </dict>
</plist>

Mack-OODA
New Contributor II

Update - I ran into this issue and worked with Support. Oddly enough, removing any entries not being used in the Config Profile resolved this issue for us with JamfConnect Login and JamfConnect. I would suggest edit the config profile, erase and re-enroll your test device to fully test.

Thanks for this, resolved my issue.