Jamf Connect Login "Unable to load Identity Provider"

bmichael
New Contributor III

I have deployed the 2 plist files to the machine and updated the "Auth Server" setting to our Azure URL. Deployed the Jamf Connect license mobileconfig to the device and installed the Jamf Connect Login software. The login screen says "Unable to load Identity Provider". This is for Azure. What am I forgetting to do?

BLUZEY
New Contributor

I'm having the same issue but with Okta.

XHL
New Contributor

We are using Jamf Connect Login. We plan to use it for Okta. We are facing the same issue even if we set the Okta AuthServer preference with our Okta instance, and we also created an application in Okta for Jamf Connect, but the issue still exists. Does anyone know how to fix this?

nickvanjaarsvel
New Contributor II

I've reset the authorizationdb using /usr/local/bin/authchanger -reset -Okta, after that the login window changed to this:

But now the log states:
2019-02-15 14:13:50.379036+0100 0x21e8 Error 0x0 712 0 SecurityAgent: (JamfConnectLogin) [com.jamf.connect:CheckOktaMech] Unable to get Okta Server

I think it has to do with adding a native custom application to Okta, but I can't find out the URIs for authorization. Maybe this helps with Azure AD as well.

ansan
New Contributor

I'm in exactly the same spot as @nickvanjaarsveld. I am not seeing anything else in the documentation that would point me in the right direction to move forward.

chrisdiaz
New Contributor

I ran into this issue as well, but with Okta. I was trying to figure it out on my own for a couple of weeks. I finally reached out to Jamf support and had them look over the plists I created for both NoMAD Pro and Jamf Connect Login. It took them a few days as well, but they did end up getting me a resolution today. It seems that there was a key missing (that I didn't come across in any of the documentation) that identifies Okta as the IdP. The key is below and needs to be added to the com.jamf.connect.login.plist you create for Jamf Connect Login.

<key>OIDCProvider</key>
<string>Okta</string>

I had to refresh the login window a few times after the new config profile was pushed out, but it ended up connecting to Okta. The support tech also advised putting "authchanger -reset -Okta" in the Execute Command section (Files and Processes payload) of the app policy. I would presume that the same could be achieved for Azure if you substitute the "Okta" values with "OIDC". Hope this helps!

dvaldez
New Contributor

Have you logged into portal.azure.com and added to app registrations?

nickvanjaarsvel
New Contributor II

Found this blog as well, which helped me to at least authenticate through Okta. However, while authenticating is working properly now, I'm getting an error that states:
"Unable to create account. Error: One of the parameters provided was invalid."

Blog URL: https://travellingtechguy.eu/how-to-use-nomad-login-okta-with-jamf-pro/#Tutorial

Maybe this helps @andre.sanchez

adickinson
New Contributor

If you're using Azure AD, I'm going through this right now and you don't need to use the two PLIST files that talk about AuthServer. You just need to use the ones named com.jamf.connect.login.plist and com.jamf.connect.verify.plist.

You'll need to have created the Azure App Registration outlined here:
https://docs.jamf.com/jamf-connect/1.0.0/login/administrator-guide/Integrating_Jamf_Connect_Login_with_Azure.html

You'll use the values from the Azure App Registration in those PLISTs to set the OIDCClientID and OIDCROPGID.

This guide is useful as well:
https://travellingtechguy.eu/jamf-connect-login-with-azure/
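A small pre-flight check written for this thread (not Jamf's code, nor anything from the posters above): it loads a com.jamf.connect.login plist and reports which of the keys named in the replies are missing, covering both chrisdiaz's missing OIDCProvider and the OIDCClientID/OIDCROPGID values adickinson describes, and it splits the unified-log line nickvanjaarsvel pasted into its fields so the failing mechanism can be read off. Which keys each provider requires is an assumption drawn from the replies, not from Jamf's documentation, and the client ID values are placeholders.

```python
import plistlib
import re

# Keys named in this thread: OIDCProvider (chrisdiaz), OIDCClientID and
# OIDCROPGID (adickinson), AuthServer (the original post). Which keys each
# provider needs is an assumption drawn from the replies, not from Jamf docs.
REQUIRED_KEYS = {
    "Okta": ("AuthServer",),
    "OIDC": ("OIDCClientID", "OIDCROPGID"),
}


def check_login_prefs(prefs: dict) -> list:
    """Return human-readable problems found in the login preferences.

    An empty list means every key this thread identified as necessary is set.
    """
    provider = prefs.get("OIDCProvider")
    if provider is None:
        # The symptom chrisdiaz hit: the login window cannot tell which IdP to load.
        return ["missing OIDCProvider (IdP not identified)"]
    if provider not in REQUIRED_KEYS:
        return ["unknown OIDCProvider value %r" % provider]
    return ["missing %s" % k for k in REQUIRED_KEYS[provider] if k not in prefs]


def check_login_plist(plist_bytes: bytes) -> list:
    """Parse a com.jamf.connect.login plist (XML or binary) and check it."""
    return check_login_prefs(plistlib.loads(plist_bytes))


# Field layout of the unified-log line quoted in the thread:
#   ... SecurityAgent: (JamfConnectLogin) [com.jamf.connect:CheckOktaMech] Unable to get Okta Server
LOG_RE = re.compile(
    r"\((?P<process>[^)]+)\)\s+\[(?P<subsystem>[^:\]]+):(?P<category>[^\]]+)\]\s+(?P<message>.+)$"
)
SAMPLE_LOG_LINE = ("2019-02-15 14:13:50.379036+0100 0x21e8 Error 0x0 712 0 SecurityAgent: "
                   "(JamfConnectLogin) [com.jamf.connect:CheckOktaMech] Unable to get Okta Server")


def parse_log_line(line: str):
    """Split a Jamf Connect log line into process, subsystem, category and message."""
    m = LOG_RE.search(line)
    return m.groupdict() if m else None


# Constructed sample: an Azure profile that sets the client IDs (placeholders)
# but, like the plist in chrisdiaz's post, never names the provider.
AZURE_MISSING_PROVIDER = plistlib.dumps({
    "OIDCClientID": "00000000-0000-0000-0000-000000000000",
    "OIDCROPGID": "11111111-1111-1111-1111-111111111111",
})
```

Run `check_login_plist` against the plist actually deployed (for example the managed copy under /Library/Managed Preferences) before refreshing the login window again.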

masspar
New Contributor II

I found a potential problem that can generate this symptom. Wi-Fi typically does not connect until after you log in, and so the Azure login page cannot display until after the user has logged in. I'm unsure if this applies pre-Mojave. It looks like there are some CLI-based ways to resolve this problem; however, the solution for me was to deploy a Wi-Fi profile via my MDM (Intune), which causes Wi-Fi to connect pre-login, although it does require the user to refresh once after boot.

masspar
New Contributor II

I found this was caused because wifi was not connecting. I deployed the wireless connection via MDM policy and now I can load it without any issue.

jamesandre
Contributor

I get this every time on first boot. Occurs even when connected via ethernet with WiFi disabled. I hit the Refresh button and it loads straight away.

Kumarasinghe
Valued Contributor

@jamesandre try authchanger -reset -Okta

alex_guarino
New Contributor II

@Kumarasinghe Running this after deploying the pkg and config profiles worked for me.

dswitmer
New Contributor III

If this was caused by lack of Wi-Fi, and you had to deploy a wireless policy with MDM, wouldn't that mean that you could only use this on known access points that you had built an MDM policy for?

It seems to me that you'd always need to be connected to the internet, at least, for first connection when the account is set up. Am I missing something about how this is supposed to work?

I don't see how you could build an MDM wireless profile and predict the various scenarios where the user would be trying to set this up.

I too am getting the error "Unable to load Identity Provider". I have the app registered in Azure and have built the plist. Did everyone here have to sign the plist? I didn't do that and am wondering if that's my whole problem. I'm waiting for a cert from apple. Is the "Developer ID Installer" cert what I would use to sign a plist?

thanks