Onelogin / JAMF Connect MFA

jbresee
New Contributor III

Hey Guys,

I have MFA set up in Onelogin for my Jamf Connect app. The Onelogin activity log shows an error that MFA is set on the Onelogin side.

I opened a case with JAMF support and they say that I need the success codes in my PLIST, but they don't know what those should be. I opened a case with Onelogin, and they said that the OIDC standard doesn't support MFA.

Anybody have this working? My intent is to have MFA presented upon MAC login.

Thanks for your thoughts!

1 ACCEPTED SOLUTION

FHavermann
New Contributor II

Hey @jbresee , 

This is what I got from Jamf support:

{These failures in OneLogin are expected if MFA is currently enabled in the IdP, as Jamf Connect does not prompt for MFA. When Jamf Connect detects the IdP failure, it uses a "SuccessCodes" entry to continue with the operation.

The reason Jamf Connect does not prompt for MFA is because end-users would be prompted every 15 minutes for MFA to ensure the passwords are in sync. By using ROPG, the password check happens silently in the background without any end-user interaction.}

It looks like this is just the way it works and not a bug unfortunately.

kendalljjohnson
Contributor II

Check these blog posts out, it's what I followed when setting things up:
https://travellingtechguy.blog/?s=onelogin

Sounds like you're heading in the right direction and what you need to add is the `SuccessCode` to `MFA`.

<key>SuccessCodes</key>
<array>
	<string>MFA</string>
</array>
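As an added check (not code from the thread, Jamf or OneLogin), the following Python snippet audits a Jamf Connect login plist for the SuccessCodes array and reports what the setting means for enforcement. The plist samples are constructed for the example; only the key name SuccessCodes and the value MFA come from the thread.

```python
import plistlib
from xml.parsers.expat import ExpatError

# Constructed sample: SuccessCodes configured as shown in the thread.
GOOD_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>SuccessCodes</key>
  <array><string>MFA</string></array>
</dict></plist>"""

# Constructed sample of a likely mistake: a bare string instead of an array.
BAD_TYPE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>SuccessCodes</key>
  <string>MFA</string>
</dict></plist>"""

# Constructed sample with the key absent entirely.
MISSING_KEY_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict></dict></plist>"""


def check_success_codes(plist_bytes: bytes, code: str = "MFA") -> tuple[bool, str]:
    """Return (ok, finding). ok is True only when SuccessCodes is an array
    of strings that includes `code`; finding explains the result."""
    try:
        data = plistlib.loads(plist_bytes)
    except (plistlib.InvalidFileException, ExpatError, ValueError) as exc:
        return False, f"plist does not parse: {exc}"
    if not isinstance(data, dict):
        return False, "top-level plist object is not a dict"
    codes = data.get("SuccessCodes")
    if codes is None:
        return False, "SuccessCodes key is missing; an IdP MFA failure will not be treated as success"
    if not isinstance(codes, list) or not all(isinstance(c, str) for c in codes):
        return False, f"SuccessCodes must be an array of strings, got {type(codes).__name__}"
    if code not in codes:
        return False, f"SuccessCodes present but does not include {code!r}: {codes}"
    # Per Jamf support in this thread: with MFA listed, Jamf Connect continues past
    # the IdP's MFA failure, so the second factor is NOT enforced at the login window.
    return True, f"{code!r} is in SuccessCodes; IdP MFA failure is treated as success (second factor not enforced at login)"


if __name__ == "__main__":
    for name, sample in [("good", GOOD_PLIST), ("bad type", BAD_TYPE_PLIST), ("missing", MISSING_KEY_PLIST)]:
        print(name, "->", check_success_codes(sample))
```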

Hey Kendall,

Thanks for the reply. I have that key already in my plist file.

Is it possible the passthrough key is messing me up?

kendalljjohnson
Contributor II

Oh, my apologies. I totally misread your issue.

Yes, we are seeing the exact same errors in logs and have been for months. From what I can tell, everything is working so it is just a false alert within OneLogin's event logs. Is MFA not working within Jamf Connect Login? 

Yeah, MFA request isn't being raised by JAMF connect, but login to the Mac is allowed.

FHavermann
New Contributor II

@jbresee I had the exact same issue as you and troubleshot with OneLogin for an hour, and we found that in our MFA bypass Security profile there was an option hidden by OneLogin to Skip User Policy MFA. You will have to talk to OneLogin support and have them enable the "Skip User Policy MFA" button for your JAMF Connect MFA Bypass App Security Policy. Then you can select the button under "Forced Authentication or Skip User Policy MFA". That worked for me. However, this is just one way of fixing it. Jamf's way is still broken as it does not bypass MFA using the PLIST. But if you don't care about that and only don't want MFA prompts, then this will work for you. I have a ticket in with JAMF about the PLIST not working properly.

jbresee
New Contributor III

I'm not sure I'm following your suggestion. Right now, Jamf connect will allow the user to log into the mac without asking for the 2nd MFA factor. My goal is to have the user enter the 2nd factor.

It sounds like what you are suggesting would allow them not to use MFA - am I reading that right?

FHavermann
New Contributor II

I see, then it is something Jamf needs to fix. This is from my ticket with them about the MFA key not working, either not being sent correctly or not being received correctly by OneLogin.

"Thanks for providing the clarification on what is currently happening. At this point I am going to have this case escalated. I am not sure, based off everything else that we have collected and reviewed, where to go to further narrow this issue down. Looking at your previous Jamf Connect configuration, they appear to be set up correctly with the MFA Key. I appreciate all your communication and time on these issues. They will be reaching out soon."

jbresee
New Contributor III

Ahhhh... OK. So I can just ignore the errors on the Onelogin side.

It seems like a pretty big miss that JAMF connect doesn't support MFA for Mac login.

Prabhu
New Contributor

Hello Everyone, 

When we signed into the Jamf Connect menu bar we got an MFA error. Does anyone have an idea about this error?

Attached the screenshot for reference. 