- 19 Aug 2024
- 2 Minutes to read
- Print
- DarkLight
Creating a Federation Partner with Jamf Connect
- Updated on 19 Aug 2024
- 2 Minutes to read
- Print
- DarkLight
Creating a Federation Partner with Jamf Connect
Creating a federation partner for use with Jamf Connect isn’t particularly different than for other uses.
Configuration Steps
- Go to Configuration module > Security > Identity Providers > Federation Partners
- Click Add Federation Partner and Select OpenID Connect and you will be taken to a page to create the OIDC Partner.
- Under the General section provide a name for the OIDC Partner and add the following Callback URLs:
a. The default callback url for Jamf is
https://127.0.0.1/jamfconnect
b. Other URLs can be configured as well if the federation partner is going to be used for other purposes besides just Jamf Connect but are not required. An example would be:
https://<rapididentity hostname>/oidc/callback
If a different callback URL is configured, it must be recorded and set in the Jamf Connect Preferences.
- Under the OpenId Connect Configuration section activate ENABLE RESOURCE OWNER PASSWORD GRANT (ROPG) . You will be required to confirm your decision.
If you are making this federation partner in an LTS on prem or hosted version of Rapid Identity on a version that does not support ROPG then you may need to enable PKCE (these can not be enabled at the same time) per Jamf support. Please defer to your Jamf rep for confirmation on your specific needs for this attribute. If the option to enable ROPG is not available to you in the Federation Partner config in RI than you are likely on a version that does not support ROPG.
Under the Claim Attributes section, add the following Claim Attribute:
- an attribute with:
- name = email
- claim = email
- claim type = string
- attribute value type = LDAP
- ldap attribute = mail
- an attribute with:
Click Save.
It may be necessary to navigate to the the IDP Configuration and trigger a service reload and web reload.
Additional setup will be required within JAMF and you will need to make note of the following values:
a. The Client ID of the created Federation Provider. This can be found on the edit page of the Federation Partner that was created.
b. The Client Secret of the created Federation Provider. This can be found on the edit page of the Federation Partner that was created
c. The discovery URL/Endpoint for OIDC on the RapidIdentity Serverhttps://<rapididentity hostname>/idp/.well-known/openid-configuration
Endpoints for OIDC are as follows:
Endpoint | Path |
---|---|
Token Endpoint | /idp/profile/oidc/token |
UserInfo Endpoint | /idp/profile/oidc/userinfo |
JWKS Endpoint | /idp/profile/oidc/jwks |
Discovery Endpoint | /idp/.well-known/openid-configuration |
For details on how to continue the integration configuration from within Jamf Connect, please check out this document: Integrating with RapidIdentity/Identity Automation