We have Office365 federated with Okta. When I use the Jamf Connect Configuration app with my Azure application everything works fine. I get tokens. However now that I've deployed it using a machine that's not a fresh install I enter my credentials at the Jamf Connect window and I don't get sent to Okta then it says my credentials are incorrect. Is this expected? Will this only work with a freshly wiped machine like in the Jamf connect training?
Edit: It seems Jamf connect is unable to handle federated Azure so I'll likely be switching to Okta.
@syoung17 I didn't get it working with Azure and just decided to use Okta. The only reason I wanted to use Azure was to have a similar login process as Windows devices and to have one system to look through logs. Okta is working but I haven't deployed it yet due to some other encryption management complications.
The Microsoft SSO extension is coming out soon and we have a desire to integrate conditional access with Intune so we might end up switching at some point. I've been testing again with Azure and even with version 2 of Jamf connect I'm still running into the same issue. I noticed when I have the OIDCNewPassword key set to NO that's when I get issues. However without that the password is not the same as their Okta account. I've been working on this with support for a long time now and we still don't have a fix.
When I run the Jamf Connect configuration app using the ROPG test it fails. OIDC is completely fine, it says I have tokens, and I get a bunch of user detail back. In the Logs of the Azure app (Btw I've re-created this app multiple times now according to the official jamf guide and the travelling tech blog) it's using PHS as the authentication method. We don't use password hash sync and have no desire for it. I'm guessing the auth method is the issue since I get a similar error with a device vs the jamf connect config app. When you login it doesn't forward you to Okta like it does with OIDC so either it shouldn't be using ROPG or I'm missing something.
I'm stumped and I don't think there's anything I can do here.
@dnorman I wanted to bump this topic about a year later, as I'm finding myself in the same situation. We've had Okta provisioning Office365 accounts for some time, and now we're moving to Azure AD. I figure it makes the most sense to keep that flow, especially since we use Okta SSO for plenty more apps already, so it kinda makes sense to keep Okta as the "top of the waterfall", if that makes sense...
We have about a 50/50 Mac/PC environment. I've done quite a bit of testing with Windows Autopilot/Intune, and so far I'm finding this situation works pretty well this way. However, I'm finding the same thing that you did to be true for the Mac side of things; OIDC works great, but ROPG simply fails.
I was wondering if you've found any kind of workaround to use Azure as the IdP for Jamf Connect/Login. If not, are you happy simply using Okta for the Macs instead, and what are some pros/cons you've found using Okta vs. Azure for Jamf Connect?
Thank you so much!