Description
Starting in Jamf Connect 3.5, the OIDCNewPassword key defaults to False. If the key was not previously defined explicitly, end users may now see an error ending in STATUS: 400 when trying to log in at the Verify your Okta Password screen.
Possible Errors
The exact error depends on which version of Jamf Connect is installed on the computer. Two errors have been identified:
“Error from request to URL: <url>, ERROR: Unknown error. Message: Resource owner password credentials authentication denied by sign on policy,. STATUS: 400”
“Error from request to URL: <url>, ERROR: Unknown error. Message: The credentials provided were invalid., STATUS: 400”
Impacted Environments
Identity Provider: Okta OIDC
Jamf Connect login version: 3.5 or later
OIDCNewPassword: not defined in login settings
Update your Jamf Connect Login Settings
To resolve this issue and allow authentication to succeed at the Verify your Okta Password screen, ensure that the OIDCNewPassword key is set to True in your login settings.
Open your existing login profile in Jamf Pro under Computers > Configuration profiles.
Click Edit.
Follow one of the methods below to update the setting, depending on how your profile was created:
If using the Upload payload, paste the lines below into your plist.
<key>OIDCNewPassword</key>
<true/>
If using the Jamf Applications payload:
Click Add/Remove properties.
Check the box to Create a Separate Local Password and click Apply.
Use the dropdown to set the key to True.
Click Save.
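One way to check an exported, unsigned login settings plist for this condition, as an added example that is not Jamf's own code: it reports whether OIDCNewPassword is missing (so the 3.5 default of False applies), false, true, or stored as something other than a boolean. The sample plists and the other keys in them are constructed for illustration, and flagging non-boolean values is this example's own conservative choice.

```python
import plistlib
import sys

KEY = "OIDCNewPassword"

def find_values(node, key=KEY):
    """Collect every value stored under `key`, at any depth of a parsed plist."""
    found = []
    if isinstance(node, dict):
        for name, value in node.items():
            if name == key:
                found.append(value)
            else:
                found.extend(find_values(value, key))
    elif isinstance(node, list):
        for item in node:
            found.extend(find_values(item, key))
    return found

def audit(plist_bytes):
    """Return 'ok', 'false', 'missing' or 'not-boolean' for a settings plist."""
    values = find_values(plistlib.loads(plist_bytes))
    if not values:
        return "missing"        # key undefined: the 3.5+ default of False applies
    if not all(isinstance(v, bool) for v in values):
        return "not-boolean"    # e.g. <string>true</string> instead of <true/>
    return "ok" if all(values) else "false"

# Constructed samples (not taken from a real profile).
SAMPLE_MISSING = plistlib.dumps({"OIDCProvider": "Okta"})
SAMPLE_FALSE = plistlib.dumps({"OIDCNewPassword": False})
SAMPLE_STRING = plistlib.dumps({"OIDCNewPassword": "true"})
# Key nested inside a payload array, as in an exported configuration profile.
SAMPLE_NESTED_TRUE = plistlib.dumps(
    {"PayloadContent": [{"OIDCProvider": "Okta", "OIDCNewPassword": True}]}
)

if __name__ == "__main__":
    # Audit any plist files passed as arguments; otherwise run the samples.
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(f"{path}: {audit(fh.read())}")
    if len(sys.argv) == 1:
        for name in ("SAMPLE_MISSING", "SAMPLE_FALSE", "SAMPLE_STRING", "SAMPLE_NESTED_TRUE"):
            print(f"{name}: {audit(globals()[name])}")
```

A result of missing or false on a computer in the impacted environment listed above means the profile still needs the change described in these steps.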

