Question

LDAP connection- MFA Authentification not working

5 years ago
September 10, 2019
5 replies
0 views

patrick030
Contributor
10 replies

Hi Jamf,
we have setup a LDAPS connection from our OKTA instance to Jamf. The reason for this is to have users to authenticate during first iOS enrollement.
This works fine so far, with one minor blocker. Our Okta SSO uses MFA authentication. When the user has setup okta verify push, he will receive a push notification on his other device and the login will complete successfully.
Unfortunately there is no indication on the iphone that a push notifcation is beeing sent, and also there is no way to enter any one time password.
this means if the user doesn't use Okta verify push, but Google Authenticator (our second MFA option), he won't be able to enter the code and therefore sign in and setup will fail.

Bottom line:
Without using okta verify push, the iphone setup is not possible.
Hope this makes sense to you. do you have any idea on what we can do in this situation? Should this be a feature request?

Best, Patrick

zachary_fisher
Contributor
32 replies
5 years ago
September 10, 2019

If you are using jamfcloud you need to add those IPs as a network zone in okta and exempt that range from MFA. If you are on Prem, you need to use the IP Range of your jamf instance as a network range instead. We do this for our enrollment and works like a charm! Happy to chat more. Feel free to let me know if you need more specific instructions.

patrick030
Author
Contributor
10 replies
5 years ago
September 10, 2019

Hey Zachary,

thx for your quick response.
I will try this and come back to you if we have any problems ;).

Thank you

OJtheD
New Contributor
7 replies
4 years ago
December 18, 2020

"If you are using jamfcloud you need to add those IPs" - which IPs? Where can we find them?

zachary_fisher
Contributor
32 replies
4 years ago
January 10, 2021

Here you go!

https://www.jamf.com/jamf-nation/articles/409/permitting-inbound-outbound-traffic-with-jamf-cloud

gregreznik
New Contributor
16 replies
4 years ago
January 11, 2021

Yes you will need to whitelist the jamfcloud IPs, or if you don't want to do this I believe you can instruct your users to use the MFA code in their Okta Verify app (or whatever MFA verify app they use) to type in the <password,MFAtoken> to login. Okta supports that kind of MFA authentication for LDAP.

Source: https://help.okta.com/en/prod/Content/Topics/Directory/LDAP-interface-MFA.htm

Reply

Cookie policy

We use cookies to enhance and personalize your experience. If you accept you agree to our full cookie policy. Learn more about our cookies.

Cookie settings

We use 3 different kinds of cookies. You can choose which cookies you want to accept. We need basic cookies to make this site work, therefore these are the minimum you can select. Learn more about our cookies.

Basic
Functional

Normal
Functional + analytics

Complete
Functional + analytics + social media + embedded videos + marketing

Reply

Most helpful members this week

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded

Cookie policy

Cookie settings