
ADFS Federation and Jamf Connect Authentication errors

Updated over 2 weeks ago

Description

Jamf Connect Login and the Jamf Connect menu bar use a Resource Owner Password Grant (ROPG) token request to verify that the local password on the computer matches the password of the user's network identity. This validation can fail when Jamf Connect is used with an Azure (Entra ID) tenant that federates authentication to Active Directory Federation Services (ADFS): the user's credentials are stored in the on-premises Active Directory domain controller rather than in Entra ID, and the ROPG flow is not supported for federated users because Entra ID cannot test the username and password against the on-premises identity provider. The password can therefore be correct and still be rejected by the token endpoint.

  • Jamf Connect Login: returns 'Invalid Password' when the OIDCNewPassword preference is set to false.

  • Jamf Connect menu bar: authentication fails with AADSTS50126 error (Invalid username or password).

Note - In this article, Jamf Connect menu bar refers to settings configured in the com.jamf.connect preference domain. It applies to Jamf Connect menu bar versions 2.x, but the same errors may occur with the Self Service+ menu bar and/or the Self Service+ Account management dashboard.
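To see where the ROPG check actually fails, the following Python script, added to this article (it is not Jamf or Microsoft code), reproduces the grant_type=password token request that Jamf Connect makes and classifies the identity provider's answer. The tenant, client ID and ADFS hostname are placeholders, the embedded sample responses are constructed rather than captured, and the AADSTS meanings are taken from Microsoft's published error code list.

```python
"""Reproduce the ROPG (OAuth 2.0 resource owner password credentials) token
request that Jamf Connect Login and menu bar use to validate a password, and
classify the identity provider's answer. Added example for this article; not
Jamf or Microsoft code. Hostnames and IDs below are placeholders."""
import json
import re
import urllib.error
import urllib.parse
import urllib.request

# Assumed placeholders: an Entra ID tenant and an ADFS farm hostname.
ENTRA_TOKEN_ENDPOINT = "https://login.microsoftonline.com/contoso.onmicrosoft.com/oauth2/v2.0/token"
ADFS_TOKEN_ENDPOINT = "https://adfs.example.com/adfs/oauth2/token"


def ropg_request(token_endpoint, client_id, username, password, scope="openid"):
    """Return (url, form body) for a grant_type=password token request."""
    form = {
        "grant_type": "password",
        "client_id": client_id,
        "username": username,
        "password": password,
        "scope": scope,
    }
    return token_endpoint, urllib.parse.urlencode(form)


AADSTS_RE = re.compile(r"AADSTS(\d+)")

# Meanings per Microsoft's published AADSTS error list; only the codes that
# matter when troubleshooting this article's symptom are mapped.
AADSTS_MEANING = {
    "50126": "invalid username or password; for a federated user this is the "
             "symptom this article describes, not necessarily a wrong password",
    "50034": "user not found in the tenant",
    "50076": "MFA required; ROPG cannot satisfy an interactive MFA prompt",
    "53003": "blocked by Conditional Access",
}


def classify_ropg_response(status, body):
    """Return (ok, detail). ok is True only when an access token came back."""
    data = json.loads(body)
    if status == 200 and "access_token" in data:
        return True, "password validated"
    desc = data.get("error_description", "")
    m = AADSTS_RE.search(desc)
    if m:
        code = m.group(1)
        return False, f"AADSTS{code}: {AADSTS_MEANING.get(code, 'see Microsoft error list')}"
    # ADFS and other providers return plain OAuth 2.0 error fields.
    return False, f"{data.get('error', 'unknown')}: {desc or 'no description'}"


def probe(token_endpoint, client_id, username, password):
    """Live probe (needs network). Use only a test account: the password is
    sent in the request body, exactly as Jamf Connect does."""
    url, body = ropg_request(token_endpoint, client_id, username, password)
    req = urllib.request.Request(
        url, data=body.encode(), method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return classify_ropg_response(resp.status, resp.read().decode())
    except urllib.error.HTTPError as e:
        return classify_ropg_response(e.code, e.read().decode())


# Constructed sample responses (not captured from a real tenant): what the Entra
# token endpoint returns for a federated user, and a successful ADFS answer.
SAMPLE_FEDERATED_FAILURE = json.dumps({
    "error": "invalid_grant",
    "error_description": "AADSTS50126: Error validating credentials due to "
                         "invalid username or password. Trace ID: 00000000-0000-0000-0000-000000000000",
})
SAMPLE_ADFS_SUCCESS = json.dumps(
    {"access_token": "eyJhbGciOi.sample.token", "token_type": "bearer", "expires_in": 3600})

if __name__ == "__main__":
    print("Entra, federated user:", classify_ropg_response(400, SAMPLE_FEDERATED_FAILURE))
    print("ADFS direct:          ", classify_ropg_response(200, SAMPLE_ADFS_SUCCESS))
```

Running `probe()` once against the Entra endpoint and once against the ADFS endpoint with the same test account shows the split this article describes: Entra answers AADSTS50126 for a federated user while ADFS, which holds the password, returns a token.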

ROPG Communication and Setups with ADFS

Option 1: Password Hash Synchronization

Begin a conversation about migrating the Azure environment away from ADFS federation in favor of Password Hash Synchronization. Aside from better compatibility with Jamf Connect, Password Hash Synchronization reduces server infrastructure maintenance (there are no ADFS web servers to maintain). Microsoft also supports the ROPG flow with Pass-through Authentication, so either Entra-side sign-in method removes the dependency on ADFS for password validation. More information on the options can be found in Microsoft's Knowledge Base.

Option 2: Configure configuration profiles with keys for hybrid setup

  • For Jamf Connect Login:

    • Set the OIDCNewPassword setting to true to disable the ROPG validation at the login window. While this could allow an end user to set a local Mac password that does not match the user's network password, the menu bar's password validation can be used to remedy this.

  • For Jamf Connect menu bar configuration:

    • Configure the menu bar to point to an OpenID Connect application registered directly in ADFS. ROPG validation then runs directly against the ADFS server, where the password is actually stored.

      • Note: this menu bar workflow may not be feasible for Entra ID environments that federate to multiple ADFS domains, since one menu bar configuration points at a single identity provider.
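As an added example (not Jamf's own tooling), the script below builds the two configuration profile payloads for the hybrid setup with plistlib and lints a login/menu bar pair for the mismatch this article describes. The key names are those documented for Jamf Connect 2.x as far as I know them and should be confirmed against the Jamf Connect documentation for the version in use; the ADFS hostname, tenant and client IDs are placeholders.

```python
"""Build the two configuration profile payloads for the hybrid (ADFS-federated)
setup in Option 2 and lint a login/menu bar pair for the ROPG mismatch this
article describes. Added example; not Jamf's own tooling. Hostnames, tenant and
client IDs are placeholders, and the key names should be checked against the
Jamf Connect documentation for the version in use."""
import plistlib

ADFS_HOST = "adfs.example.com"                               # placeholder
ENTRA_TENANT = "contoso.onmicrosoft.com"                     # placeholder
LOGIN_CLIENT_ID = "00000000-0000-0000-0000-000000000001"     # Entra app for Jamf Connect Login
MENUBAR_CLIENT_ID = "11111111-2222-3333-4444-555555555555"   # OIDC client registered in ADFS

ADFS_DISCOVERY = f"https://{ADFS_HOST}/adfs/.well-known/openid-configuration"
ENTRA_DISCOVERY = f"https://login.microsoftonline.com/{ENTRA_TENANT}/v2.0/.well-known/openid-configuration"


def login_settings(new_password):
    """com.jamf.connect.login payload. With OIDCNewPassword false the login
    window runs ROPG against Entra ID, which fails for federated users."""
    return {
        "OIDCProvider": "Azure",
        "OIDCClientID": LOGIN_CLIENT_ID,
        "OIDCROPGID": LOGIN_CLIENT_ID,
        "OIDCRedirectURI": "https://127.0.0.1/jamfconnect",
        "OIDCNewPassword": new_password,
    }


def menubar_settings(discovery_url, client_id=MENUBAR_CLIENT_ID):
    """com.jamf.connect payload. DiscoveryURL decides which identity provider
    the menu bar's ROPG check talks to."""
    return {"IdPSettings": {
        "Provider": "Custom",
        "ClientID": client_id,
        "ROPGID": client_id,
        "DiscoveryURL": discovery_url,
    }}


def lint_hybrid(login, menubar, federated_to_adfs=True):
    """Return a list of findings for a tenant federated to ADFS; empty means the
    pair matches Option 2 of this article."""
    findings = []
    if not federated_to_adfs:
        return findings
    idp = menubar.get("IdPSettings", {})
    if login.get("OIDCProvider") == "Azure" and not login.get("OIDCNewPassword", False):
        findings.append("login: OIDCNewPassword is false, so the login window validates the "
                        "password via ROPG against Entra ID; federated users get 'Invalid Password'")
    if idp.get("Provider") == "Azure" or "login.microsoftonline.com" in idp.get("DiscoveryURL", ""):
        findings.append("menubar: ROPG targets Entra ID; federated users get AADSTS50126. "
                        "Point DiscoveryURL at the ADFS OpenID Connect application instead")
    if login.get("OIDCNewPassword") and not idp.get("ROPGID"):
        findings.append("menubar: no ROPGID, so the local/network password drift that "
                        "OIDCNewPassword=true permits is never detected")
    return findings


def profile_plist(settings):
    """Serialize a payload to plist XML as it would appear in a configuration profile."""
    return plistlib.dumps(settings, fmt=plistlib.FMT_XML)


def roundtrip(settings):
    """Parse the serialized payload back, as the client would read it."""
    return plistlib.loads(profile_plist(settings))


if __name__ == "__main__":
    before = lint_hybrid(login_settings(False), menubar_settings(ENTRA_DISCOVERY))
    after = lint_hybrid(login_settings(True), menubar_settings(ADFS_DISCOVERY))
    print("federated tenant, default settings:", *before, sep="\n  ")
    print("federated tenant, Option 2 settings:", after)
    print(profile_plist(menubar_settings(ADFS_DISCOVERY)).decode())
```

The third lint rule captures the trade-off in Option 2: once OIDCNewPassword is true, the menu bar's ROPG check is the only thing keeping the local and network passwords in sync, so a menu bar payload without ROPGID silently loses that guarantee.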
