Jamf Integration Kit

Certificate requirements

For PingFederate to get a device’s security posture, each device must provide a device identifier. One way to accomplish this is by configuring SSL certificates on each device.

The Jamf IdP Adapter requires a device identifier attribute (such as deviceId). The adapter uses this attribute to request the device’s security posture from Jamf Pro. If you can make the device identifier attribute available in the PingFederate authentication policy without using certificates, skip this topic and Setting up the X.509 Certificate Integration Kit.

As described in Overview of the SSO flow, the PingFederate X.509 Certificate IdP Adapter reads information from a user certificate provided through the browser.

Based on the specifics of your environment, you must determine a process for generating certificates and making them available on the enrolled devices.

The following describes the information that needs to be included in the certificate.

Device identifier and device type attributes

To use the Jamf Integration Kit, each device must have a certificate that includes a one of the following unique device identifiers:

  • deviceId

  • serialnumber

  • macaddress

  • udid

Optionally, you can also include a device attribute with a value of computers or mobiledevices. This identifies the type of device, and helps the Jamf IdP Adapter determine which Jamf Pro API to query. If the device type is not available, the adapter queries both APIs.

The X.509 Certificate IdP Adapter checks for the device identifier and device type attributes within Subject Alternative Name portion of the certificate. Specifically, the otherName part of subjectAltName.

Example certificate contents

As a source when generating a certificate, you might use a .cnf file similar to the following:

[ req ]
default_bits       = 2048
distinguished_name = req_distinguished_name
req_extensions     = req_ext
[ req_distinguished_name ]
countryName                = Country Name (2 letter code)
stateOrProvinceName        = State or Province Name (full name)
localityName               = Locality Name (eg, city)
organizationName           = Organization Name (eg, company)
commonName                 = Common Name (e.g. server FQDN or YOUR name)
[ req_ext ]
subjectAltName = @alt_names
[alt_names]
otherName.1=2.16.76.1.3.4;UTF8:deviceId=18
otherName.2=2.16.76.1.3.4;UTF8:device=computers

The last two lines define the device identifier and device type.

Certificate selection

When you finish setting up the Jamf Integration Kit, your users might be prompted to select the appropriate certificate during sign on. For the best user experience, we recommend that you configure automatic certificate selection. The approach you must use depends on your environment, devices, and browsers.