Jamf Connect allows for simple provisioning of local user accounts and password synchronization with a cloud identity provider (IdP) during an Apple provisioning workflow.
To complete these tasks, Jamf Connect uses the OpenID Connect authentication protocol, which can be configured to support various types of authentication methods (grants) that dictate how the following components communicate:
Jamf Connect uses the following OpenID Connect grant types:
The following diagrams show how each authentication grant type is completed:
This grant type is used when Jamf Connect Login is used to either create a new local account on a computer or log in to an existing local account via cloud authentication.
This grant type is used when Jamf Connect Login or Jamf Connect Verify checks that a user's network username and password match their local account.
When Jamf Connect Login and Jamf Connect Verify are used together and configured to sync passwords, both grant types are used for authentication. If configured, Jamf Connect Login can create a local account that has the same password as the user's network password. The user is then prompted to log in with Jamf Connect Verify to enable continuous password syncing.
For additional information about enabling OpenID Connect authentication between Jamf Connect and your cloud IdP, see Integrating with an Identity Provider in the Jamf Connect Administrator's Guide.
For additional information about OpenID Connect, see the following resource from the OpenID Connect foundation: https://openid.net/specs/openid-connect-core-1_0.html