Jamf Connect Login with Okta Migrate local users lose admin

JamieL
New Contributor II

Hi All,

I'm trying to setup Jamf Connect Login with Okta however having some difficulty getting migrated users to retain their local Admin permissions. I have setup 2 separate Apps/connectors with 2 different Client IDs however when both OIDCAccessClientID and OIDCAdminClientID as specified the login window just refreshes to empty boxes after entering login details (no error etc)

If I only specify OIDCAdminClientID it will log in but with a standard user.
If I only specify OIDCAccessClientID it will not log in just the screen refresh like when both are specified

I have tried various combinations of setup but have included what I believe should work but doesn't (company specific data removed)
For anyone that has set this up can you indicate your configuration please.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict> <key>AllowNetworkSelection</key>

<true/>

<key>AuthServer</key>

<string>company.okta.com</string>

<key>BackgroundImage</key>

<string>/usr/local/jamfconnect/jamfconnectbackground.png</string>

<key>CreateVerifyPasswords</key>

<true/>

<key>DenyLocal</key>

<true/>

<key>LocalFallback</key>

<true/>

<key>LoginLogo</key>

<string>/usr/local/jamfconnect/rectangle.png</string>

<key>LoginScreen</key>

<true/>

<key>Migrate</key>

<true/>

<key>MigrateUsersHide</key>

<array>

<string>admin</string>

</array>

<key>OIDCAdminClientID</key>

<string>xxxxxxxxxxxxxxxxxxxxxx2</string>

<key>OIDCAccessClientID</key>

<string>xxxxxxxxxxxxxxxxxxxxxx1</string>

<key>OIDCAuthServer</key>

<string>company.okta.com</string>

<key>OIDCProvider</key>

<string>Okta</string>

<key>OIDCRedirectURI</key>

<string>https://127.0.0.1/jamfconnect</string>

</dict>

</plist>

9 REPLIES 9

DBrowning
Valued Contributor II

@JamieL Are you making sure the user you are testing with is given access to both apps?

JamieL
New Contributor II

Yeah, same users in both App assignment

DBrowning
Valued Contributor II

your RedirectURI the same for both apps as well?

JamieL
New Contributor II

Yeah, same RedirectURI in both.

DBrowning
Valued Contributor II

@JamieL Found it!! This needs to be OIDCAccessClientID not OIDCClientID
dbe8fde344134d03aaed074114c21ee8

JamieL
New Contributor II

Thanks for looking Dennis. That was actual a typo from me when posting the thread as I had been trying various options to try and get it to work. I have correct it now in the original post.

julienvs
New Contributor III

Hi @JamieL ,

Did you find the issue? I'm struggling with the same problem.

 

Julien

JamieL
New Contributor II

Hey Julien,

This did start working for me but it wasn't until I re-installed the OS on the machines I was testing with, so in my case possibly just to much change on my test machines. 

This is what my working setup looks like. 
JC Okta setup.png

julienvs
New Contributor III

Thanks @JamieL !

Yes ... I discovered that too, especially with VM's.