Posted on 09-10-2019 05:09 AM
Hi Jamf,
We have set up an LDAPS connection from our Okta instance to Jamf. The reason for this is to have users authenticate during first iOS enrollment.
This works fine so far, with one minor blocker. Our Okta SSO uses MFA authentication. When the user has set up Okta Verify push, he will receive a push notification on his other device and the login will complete successfully.
Unfortunately there is no indication on the iPhone that a push notification is being sent, and also there is no way to enter any one-time password.
This means if the user doesn't use Okta Verify push, but Google Authenticator (our second MFA option), he won't be able to enter the code and therefore sign in, and setup will fail.
Bottom line:
Without using Okta Verify push, the iPhone setup is not possible.
Hope this makes sense to you. Do you have any idea what we can do in this situation? Should this be a feature request?
Best, Patrick
Posted on 09-10-2019 05:24 AM
If you are using Jamf Cloud you need to add those IPs as a network zone in Okta and exempt that range from MFA. If you are on-prem, you need to use the IP range of your Jamf instance as a network range instead. We do this for our enrollment and it works like a charm! Happy to chat more. Feel free to let me know if you need more specific instructions.
Posted on 09-10-2019 05:28 AM
Hey Zachary,
Thanks for your quick response.
I will try this and come back to you if we have any problems ;).
Thank you
Posted on 12-18-2020 02:57 PM
"If you are using jamfcloud you need to add those IPs" - which IPs? Where can we find them?
Posted on 01-10-2021 08:53 AM
Here you go!
https://www.jamf.com/jamf-nation/articles/409/permitting-inbound-outbound-traffic-with-jamf-cloud
Posted on 01-10-2021 07:12 PM
Yes, you will need to whitelist the Jamf Cloud IPs, or if you don't want to do this I believe you can instruct your users to use the MFA code in their Okta Verify app (or whatever MFA verify app they use) and type in <password,MFAtoken> to log in. Okta supports that kind of MFA authentication for LDAP.
Source: https://help.okta.com/en/prod/Content/Topics/Directory/LDAP-interface-MFA.htm
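To make the `<password,MFAtoken>` form concrete, here is an added illustration (written for this thread, not Okta's or Jamf's code) of how a directory-side verifier can accept a combined credential: it splits the trailing one-time code off the password, checks the password, and validates the code as a standard RFC 6238 TOTP with a small clock-skew window. The comma delimiter follows the linked Okta article; the secret, password and timestamps are constructed values (the TOTP secret and time are the RFC 6238 reference test vector).

```python
import hmac
import hashlib
import struct

STEP_SECONDS = 30  # TOTP time step used by Okta Verify / Google Authenticator


def totp(secret: bytes, at: int, step: int = STEP_SECONDS, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the time step containing Unix time `at`."""
    counter = at // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def split_credential(combined: str):
    """Split 'password,123456' into (password, token).

    The token is the all-digit part after the LAST comma, so a password that
    itself contains commas is preserved. Returns (combined, None) when no
    token is present, so the caller can reject the bind explicitly.
    """
    password, sep, token = combined.rpartition(",")
    if not sep or not token.isdigit():
        return combined, None
    return password, token


def verify_bind(combined: str, expected_password: str, secret: bytes,
                now: int, window: int = 1) -> bool:
    """Return True only if both the password and the one-time code are valid.

    `window` is the number of 30-second steps of clock skew tolerated on
    either side. Comparisons use compare_digest to avoid timing leaks.
    """
    password, token = split_credential(combined)
    if token is None:
        return False                              # no MFA code supplied
    if not hmac.compare_digest(password.encode(), expected_password.encode()):
        return False
    for skew in range(-window, window + 1):
        candidate = totp(secret, now + skew * STEP_SECONDS)
        if hmac.compare_digest(candidate, token):
            return True
    return False


if __name__ == "__main__":
    # Constructed demo values: RFC 6238 test secret and reference time (T=59).
    demo_secret = b"12345678901234567890"
    print(totp(demo_secret, 59))                                   # 287082
    print(verify_bind("hunter2,287082", "hunter2", demo_secret, 59))  # True
    print(verify_bind("hunter2", "hunter2", demo_secret, 59))         # False
```

The point of the explicit `None` branch is that a bind without a token must fail closed rather than fall back to password-only authentication; a directory front end that silently accepts the bare password would defeat the MFA policy the thread is trying to enforce for enrollment.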