12 thoughts on “Jamf Connect Login and OneLogin (and Secure Tokens)”

  1. It’s currently not possible to use Jamf Connect Login when your instance is located in Europe. You can check this by doing an nslookup ($ nslookup ttg-dev.onelogin.com). When the CNAME record points to “portal-eu.onelogin.com” your instance is in Europe. “sso-glb.onelogin.com” is used by default (US).

      1. We’ve tested this with different OneLogin tenants.

        OneLogin Europe shows:
        oops! something went wrong

        error: invalid_client
        error_description: client is invalid
        state: 064F156D-XXXX-XXXX-XXXX-A759C3977883

        The tool (which I shall not mention here) shows a different provider for Europe (OneLoginEurope). Using “OneLoginEurope” as OIDCProvider doesn’t work.

          1. I’ll report it. Must be a little bug or typo in the code I guess 🙂 I have a feeling a typo in the discovery URL is baked in for EU… just guessing.

          2. Please also mention that OIDCNewPassword isn’t working when it’s set to false. It keeps prompting that the password is incorrect. OIDCClientID and OIDCROPGID are the same. Maybe this is a result of the custom provider.

          3. Not sure, could you check what the logs say when it gives you the incorrect password message? SSH into the machine with another local admin, the Jamf Management account for instance, and run the following command:

            log stream --predicate 'subsystem == "com.jamf.connect.login"' --debug

          4. Apart from checking the logs, you don’t have a Client Secret configured on the OneLogin OIDC app, right? If so, remove it (both from the app and from the Jamf Connect config).

  2. Thanks for your help. Client Secret is not configured. Via log stream I was able to capture these lines after entering the password again:

    Info 0x134d2 3313 0 SecurityAgent: (JamfConnectLogin) [com.jamf.connect.login:UI] OIDC auth succeeded!
    Info 0x134d2 3313 0 SecurityAgent: (JamfConnectLogin) [com.jamf.connect.login:Settings] Found managed preference in com.jamf.connect.login: OIDCNewPassword
    Debug 0x134d2 3313 0 SecurityAgent: (JamfConnectLogin) [com.jamf.connect.login:UI] Creating ROPG worker from line: 155
    Debug 0x134d2 3313 0 SecurityAgent: (JamfConnectLogin) [com.jamf.connect.login:UI] Calling ROPG worker for checkPass from line: 155
    Error 0x0 3313 0 SecurityAgent: (JamfConnectLogin) [com.jamf.connect.login:UI] ROPG Error: MFA is required for this user
    Debug 0x134d2 3313 0 SecurityAgent: (JamfConnectLogin) [com.jamf.connect.login:UI] ROPG worker response received from line: 155
    Debug 0x134d2 3313 0 SecurityAgent: (JamfConnectLogin) [com.jamf.connect.login:UI] ROPG worker response: bad password from line: 155

    Jamf Connect Login allows me to use MFA but when reentering the password for local usage it fails because of MFA.

    Have not seen this kind of behaviour with Azure AD or Okta.
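The log above shows why the prompt is misleading: the browser-based OIDC login succeeds, but the separate ROPG password check is refused by the IdP because MFA is enforced, and Jamf Connect surfaces that as “bad password”. The following Python triage helper is an added example (not part of the thread, and not Jamf Connect’s own code) that parses lines in the layout shown by the `log stream` command above and reports the IdP error that explains the rejected password; the line format is assumed from the quoted output and the sample input is a constructed copy of those lines.

```python
import re

# Constructed sample input: the log lines quoted in the comment above,
# embedded here so the script runs offline.
SAMPLE_LOG = """\
Info 0x134d2 3313 0 SecurityAgent: (JamfConnectLogin) [com.jamf.connect.login:UI] OIDC auth succeeded!
Info 0x134d2 3313 0 SecurityAgent: (JamfConnectLogin) [com.jamf.connect.login:Settings] Found managed preference in com.jamf.connect.login: OIDCNewPassword
Debug 0x134d2 3313 0 SecurityAgent: (JamfConnectLogin) [com.jamf.connect.login:UI] Creating ROPG worker from line: 155
Debug 0x134d2 3313 0 SecurityAgent: (JamfConnectLogin) [com.jamf.connect.login:UI] Calling ROPG worker for checkPass from line: 155
Error 0x0 3313 0 SecurityAgent: (JamfConnectLogin) [com.jamf.connect.login:UI] ROPG Error: MFA is required for this user
Debug 0x134d2 3313 0 SecurityAgent: (JamfConnectLogin) [com.jamf.connect.login:UI] ROPG worker response received from line: 155
Debug 0x134d2 3313 0 SecurityAgent: (JamfConnectLogin) [com.jamf.connect.login:UI] ROPG worker response: bad password from line: 155
"""
# Assumed line layout (taken from the quoted output, not from Jamf documentation):
# <level> <activity> <pid> <ttl> <process>: (<image>) [<subsystem>:<category>] <message>
LINE_RE = re.compile(
    r"^(?P<level>\w+)\s+\S+\s+\d+\s+\d+\s+(?P<process>[^:]+):\s+"
    r"\((?P<image>[^)]+)\)\s+\[(?P<subsystem>[^:\]]+):(?P<category>[^\]]+)\]\s+"
    r"(?P<message>.*)$"
)
SUBSYSTEM = "com.jamf.connect.login"

def parse_line(line):
    """Return the fields of one log stream line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def triage_ropg(log_text):
    """Correlate the OIDC login, the ROPG password check and the IdP's error into one verdict."""
    result = {"oidc_ok": False, "ropg_error": None, "bad_password": False}
    for e in map(parse_line, log_text.splitlines()):
        if not e or e["subsystem"] != SUBSYSTEM:
            continue  # skip unparseable or unrelated lines
        msg = e["message"]
        if "OIDC auth succeeded" in msg:
            result["oidc_ok"] = True
        elif e["level"] == "Error" and msg.startswith("ROPG Error:"):
            # keep the first IdP error: it is the real reason for the rejection
            result["ropg_error"] = result["ropg_error"] or msg.split(":", 1)[1].strip()
        elif "ROPG worker response: bad password" in msg:
            result["bad_password"] = True
    if result["bad_password"] and result["ropg_error"]:
        result["verdict"] = "IdP rejected the ROPG check, not a wrong password: " + result["ropg_error"]
    elif result["bad_password"]:
        result["verdict"] = "ROPG reported bad password with no IdP error logged"
    else:
        result["verdict"] = "no ROPG failure found"
    return result
```

Feed it the captured `log stream` output (for example `triage_ropg(open("jamf.log").read())`) and the verdict names the MFA requirement instead of the generic bad-password message.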
