JAMF Connect - Relying Party Configuration using OIDC- RSA Ready Implementation Guide
9 months ago

This section describes how to integrate RSA ID plus with Jamf Connect using OIDC.

Configure RSA Cloud Authentication Service

Perform these steps to configure RSA Cloud Authentication Service as Relying Party to Jamf Connect.

Procedure

  1. Sign in to RSA Cloud Administration Console.
  2. Select the Authentication Clients > Relying Parties menu item at the top of the page.

  1. Click the Add a Relying Party button on the My Relying Parties page.

  1. From the Relying Party Catalog select the Add button for Generic OIDC.

  1. On the Add OIDC Basic Information page, type a name and description for the relying party, and then click Next Step.

  1. On the Authentication page, select SecurID manages all authentication.
  2. From 2.0 Access Policy for Authentication pulldown select a policy that was previously configured, then select Next Step.

  1. In the Connection Profile section,  provide the following information where required.
    1. Authorization server URL will be auto populated. This URL will be used on the JAMF Connect configuration.
    2. Enter Redirect URL as https://127.0.0.1/jamfconnect.
    3. Provide a client ID.
    4. Select Client Authentication Method as CLIENT_SECRET_POST.
    5. Enter a client secret manually or click the "Generate" button to create one automatically.
    6. Provide the scope as openid (scopes should be added beforehand).
  1. Click Save and Finish when done.
  2. Click Publish Changes and wait for the operation to be completed.

Configure Jamf Connect 

Prerequisites

  1. Before you begin this guide, you need to have the latest version of Jamf Connect which is 2.45 at the time this guide was written.
  2. Obtain your licensed version of Jamf Connect.
  3. Create a code signing certificate using Jamf Pro’s CA. We will use a code signing certificate to sign the Jamf Connect configuration profile that we create later in this guide.
    1. Open Keychain Access located in /Applications/Utilities.

    1. Select Keychain Access > Certificate Assistant > Request a Certificate From a Certificate Authority.

    1. Configure the following:
      • User Email Address: Enter your email address
      • Common Name: Enter your company name. This guide will use PE-RSAReady
      • CA Email Address: Leave this blank.
      • Request is: Saved to Disk.
      • Click Continue.

    1. Configure the following:
      • Save as: CSR.txt
      • Where: Desktop
      • Click Save
    1. Click Done to complete the process, then navigate to your desktop and open the CSR.txt file using any text editor. Once opened, copy the entire contents of the CSR file.
    2. Log in to your Jamf Pro server.

    1. From the left panel, go to Settings > Global > PKI Certificates, then select the Management Certificate Template and click Create Certificate from CSR.

    1. Configure the following:
      • Paste in the CSR text that you previously copied.
      • Certificate Type: Web Server Certificate
      • Click Create.

    1. Select Allow at the message that will be displayed to you.

Note: After downloading the file your web browser may need to be refreshed to properly display things in Jamf Pro.

    1. The certificate will be downloaded to your Downloads folder. Move it to your desktop, then double-click the file to open it.
    2. Select login from the Keychain dropdown menu, and then click Add.

    1. In the Keychain Access section, select the login keychain, then locate and double-click your certificate on the right. In the window that opens, expand the Trust section to view its settings.
  2.  
    1. Click the menu when using this certificate and select Always Trust and then close the window. 

    1. When prompted, enter your administrator credentials, then click Update Settings. The certificate will now appear as trusted. You can then close Keychain Access.

Procedure

  1. Open the Jamf Connect Configuration App located in the Applications folder.

  1. Follow these steps:
    • Click the Add (+) button in the bottom left corner and name the configuration as desired. In this example, it is named RSA Ready.
    • Click the Identity Provider tab.
    • Identity Provider: Custom
    • OIDC Client ID: Paste the client ID that was set up in the RSA Cloud Authentication Service configuration.
    • OpenID connect scopes: Enter the scopes defined in the RSA Cloud Authentication Service configuration. In this case, use openid as the scope.
    • Client secret: Paste the client secret that was set up in the RSA Cloud Authentication Service configuration.
    • Tenant: Paste the Authorization Server Issuer URL that was set up in the RSA Cloud Authentication Service configuration.
    • OIDC Redirect URI: https://127.0.0.1/jamfconnect
    • Discovery URL: This URL follows the format https://<Authorization Server Issuer URL>/.well-known/openid-configuration

    • From the top right corner, click the Test button. Select OIDC from the menu.

  1. Enter the User ID and password for one of the accounts in RSA, then click Submit.
  2. If all went well, you will be greeted with the message below. Close this window to return to the Jamf Connect Configuration app.

  1. Select the Login tab, then configure the following:
    • Initial Password: Select the check box next to Create a separate local password.
    • Keychain: Make sure this is enabled.

  1. Click the Save button at the top.

  1. Configure the following:
    • Application: Confirm Jamf Connect Login is selected
    • File Format: Confirm configuration Profile .mobileconfig is selected
    • Organization: Enter your organization name.
    • Payload Name: Jamf Connect Login
    • Signing Identity: Select the signing certificate created earlier in the prerequisite section.
    • Click Save.

  1. A prompt will appear requesting administrative credentials to sign the configuration profile. Enter the credentials and click Allow. This prompt will appear a second time—enter the credentials again and click Allow.
  2. Enter the following:
    • Save As: Jamf Connect Login
    • Where: Desktop
    • Click Save

  1. Click OK at the message that will appear.
  2. Double-click the Jamf Connect Login.mobileconfig profile file saved on the Desktop to begin installation.

  1. Click System Settings located in the Apple icon menu.

  1. In System Settings, search for Profiles and click the result.

  1. The Jamf Connect profile will appear as pending installation. Double-click it, then click Install in the pop-up window that appears.
  2. Enter your administrative credentials then click OK. The Jamf Connect Login configuration profile is now installed.

User Experience

  1. Log out of the Mac computer after configuring Jamf Connect. If the setup was successful, the Jamf Connect Login window will appear.

  1. Enter the User ID and password for one of the accounts in RSA, then click Submit.
  2. Verify your password again and then click Log in.

The configuration is complete. 

Related Articles

Trending Articles

Don't see what you're looking for?