For PingFederate to get a device's security posture, each device must provide a device identifier. One way to accomplish this is by configuring SSL certificates on each device.
The Jamf IdP Adapter requires a device identifier attribute (such as deviceId). The adapter uses this attribute to request the device's security posture from Jamf Pro. If you can make the device identifier attribute available in the PingFederate authentication policy without using certificates, skip this topic and Setting up the X.509 Certificate Integration Kit.
As described in Overview of the SSO flow, the PingFederate X.509 Certificate IdP Adapter reads information from a user certificate provided through the browser.
Based on the specifics of your environment, you must determine a process for generating certificates and making them available on the enrolled devices.
The following describes the information that needs to be included in the certificate.
Device identifier and device type attributes
The certificate must contain one of the following device identifier attributes:
deviceId
serialnumber
macaddress
udid
Optionally, you can also include a device attribute with a value of computers or mobiledevices. This identifies the type of device and helps the Jamf IdP Adapter determine which Jamf Pro API to query. If the device type is not available, the adapter queries both APIs.
The X.509 Certificate IdP Adapter checks for the device identifier and device type attributes within the Subject Alternative Name portion of the certificate, specifically the otherName part of subjectAltName.
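To make the otherName structure concrete, the following Python script is an added illustration (standard library only; not code from the Jamf or Ping Identity documentation). It encodes a subjectAltName extension value carrying the same two entries as the OpenSSL example below (OID 2.16.76.1.3.4 with UTF8String payloads deviceId=18 and device=computers), then decodes it back and extracts the attributes a consumer of such a certificate would need. The DER layout of otherName is fixed by RFC 5280; the parsing rules applied here (accept only UTF8String values, split the payload on the first "=", fall back to querying both Jamf Pro APIs when no device type is present) are this example's own reading of the page, not a description of the adapter's internals. The dNSName entry and the hostname are constructed sample data.

```python
"""Encode and decode subjectAltName otherName entries that carry Jamf device
attributes. Added example, standard library only; attribute OID and key=value
payload form are taken from the page's OpenSSL configuration."""

DEVICE_ATTR_OID = "2.16.76.1.3.4"  # OID used for both attributes on the page


def _der_len(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body


def _encode_oid(dotted):
    """OBJECT IDENTIFIER content octets: first two arcs merged, base-128 sub-ids."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray()
    for sub in [40 * arcs[0] + arcs[1]] + arcs[2:]:
        chunk = [sub & 0x7F]
        sub >>= 7
        while sub:
            chunk.append(0x80 | (sub & 0x7F))
            sub >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def _decode_oid(raw):
    subids, value = [], 0
    for b in raw:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            subids.append(value)
            value = 0
    first = subids[0]
    head = [0, first] if first < 40 else [1, first - 40] if first < 80 else [2, first - 80]
    return ".".join(map(str, head + subids[1:]))


def _read_tlv(buf, pos):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _iter_tlvs(buf):
    pos = 0
    while pos < len(buf):
        tag, body, pos = _read_tlv(buf, pos)
        yield tag, body


def other_name(oid, text):
    """GeneralName.otherName: [0] IMPLICIT SEQUENCE { type-id OID, value [0] EXPLICIT UTF8String }."""
    return _tlv(0xA0, _tlv(0x06, _encode_oid(oid)) + _tlv(0xA0, _tlv(0x0C, text.encode("utf-8"))))


def dns_name(name):
    """GeneralName.dNSName: [2] IMPLICIT IA5String."""
    return _tlv(0x82, name.encode("ascii"))


def subject_alt_name(*general_names):
    """SubjectAltName ::= SEQUENCE OF GeneralName."""
    return _tlv(0x30, b"".join(general_names))


def parse_other_names(san_der):
    """Yield (oid, text) for each otherName whose value is a UTF8String; skip the rest."""
    tag, body, _ = _read_tlv(san_der, 0)
    if tag != 0x30:
        raise ValueError("subjectAltName value must be a SEQUENCE")
    for gn_tag, gn_body in _iter_tlvs(body):
        if gn_tag != 0xA0:          # not an otherName (dNSName, rfc822Name, ...)
            continue
        parts = list(_iter_tlvs(gn_body))
        if len(parts) != 2 or parts[0][0] != 0x06 or parts[1][0] != 0xA0:
            continue
        val_tag, val_body, _ = _read_tlv(parts[1][1], 0)
        if val_tag != 0x0C:         # only UTF8String payloads are understood here
            continue
        yield _decode_oid(parts[0][1]), val_body.decode("utf-8")


def device_attributes(san_der):
    """Collect key=value payloads under DEVICE_ATTR_OID into a dict (assumed parsing rule)."""
    attrs = {}
    for oid, text in parse_other_names(san_der):
        if oid == DEVICE_ATTR_OID and "=" in text:
            key, _, value = text.partition("=")
            attrs[key.strip()] = value.strip()
    return attrs


def jamf_apis_to_query(attrs):
    """A known device type narrows the lookup; without one, both APIs are queried."""
    device = attrs.get("device")
    return (device,) if device in ("computers", "mobiledevices") else ("computers", "mobiledevices")


# Constructed sample: the page's two entries plus an unrelated dNSName that must be ignored.
SAMPLE_SAN = subject_alt_name(
    dns_name("laptop-0042.example.invalid"),
    other_name(DEVICE_ATTR_OID, "deviceId=18"),
    other_name(DEVICE_ATTR_OID, "device=computers"),
)

if __name__ == "__main__":
    print(SAMPLE_SAN.hex())
    found = device_attributes(SAMPLE_SAN)
    print(found, jamf_apis_to_query(found))
```

The encoder output is byte-for-byte what `otherName.1=2.16.76.1.3.4;UTF8:deviceId=18` produces inside the extension, so it can be compared against `openssl asn1parse` output from a real request when troubleshooting an adapter that does not find the attribute.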
Example certificate contents
The following OpenSSL request configuration produces a certificate with the device identifier and device type attributes in subjectAltName:

[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
req_extensions = req_ext

[ req_distinguished_name ]
countryName = Country Name (2 letter code)
stateOrProvinceName = State or Province Name (full name)
localityName = Locality Name (eg, city)
organizationName = Organization Name (eg, company)
commonName = Common Name (e.g. server FQDN or YOUR name)

[ req_ext ]
subjectAltName = @alt_names

[ alt_names ]
otherName.1=2.16.76.1.3.4;UTF8:deviceId=18
otherName.2=2.16.76.1.3.4;UTF8:device=computers
The last two lines define the device identifier and device type.

Certificate selection
When you finish setting up the Jamf Integration Kit, your users might be prompted to select the appropriate certificate during sign-on. For the best user experience, we recommend that you configure automatic certificate selection. The approach you must use depends on your environment, devices, and browsers.