I'm having the exact same issue. I'd love to work on this together to get it solved.

In addition to having only standard users created with sso enabled, I tried to ignore roles and make all users admins but then the Menu Bar disappeared which seems to be a bug of some kind. Also I want to be sure my Azure roles are correct could you share where and how you are setting the admin role in Azure. I think I did it right but would like to confirm.

Have you submitted a ticket to Jamf yet?  If not I'd be happy to.

Cheers 

Keith

My previous settings below:

Display name - Administrator

Allowed member types - users/groups

value - admin

I just changed my app registration settings to the below but I don't think application is right. 

You should grant the role to users/groups, not applications.

I've got a ticket going. Will update this thread as information becomes available.

I changed the name in Azure from Administrator to Admin and change the key value in the profile to

Below are my settings ( I changed role to roles based on a post I saw from traveling tech guy. )

<key>OIDCAdmin</key>
<array>
<string>Admin</string>
</array>
<key>OIDCAdminAttribute</key>
<string>roles</string>

I was able to get roles working via Entra with SSO enabled in our prestage. In the Entra Jamf app I changed the "Assignment required" to yes.

I also renamed my app role to "Admin" in the Jamf App registration area in Entra  and made sure to use that in my .plist for Jamf Connect Login.

<key>OIDCAdminAttribute</key>
<string>roles</string>
<key>OIDCAdmin</key>

Did you get any ehlp via the ticket?

Cheers
<array>
<string>Admin</string>
</array>

Glad to hear you got it fundamentally working.

The ticket isn't progressing very much, I'm afraid. Their suggestion was to copy the role configuration to the Jamf Pro SSO enterprise app/app registration (versus the Jamf Connect app). Hasn't worked for me though.

For what it's worth I disabled the SSO custimization in my prestage enrollment and I still was able to grab user & location to popultae the jamf record after the fact. I admit I'm not sure what SSO in prestage gets us. I was able to remove 1 login speeding up the prestage and my roles still work. 

I also did find a typo in my config profiles where "role" was used instead of "roles".  

cheers

Hello, I am having the same issue here when enabling SSO via Pre-Stage customisation.

I assume this is due to the SAML claims from the 'Jamf Connect Login' app not being used due to the user info (and therefore lack of SAML claims) already being previously passed from the 'JAMF SSO' App. These would only be available if there was a second auth via JC, which would mean the use would need to complete 2 full 'SSO' logins during enrolment, which kind of defeats its purpose. 

I had the same initial thought as your support rep, where creating the app roles and adding groups in the JAMF SSO app. However the mobileconfig scoped to devices will be using com.jamf.connect.login as the domain will not be looking at 'JAMF SSO' appID for SAML claims but rather 'JAMF Connect Login' appID.

For now I see the only option as to disable SSO as part of the ADE Customisation as I dont think this is a work flow that will work without another full SSO authentication being completed.

Support has concluded that this is currently by design, and advised to to create a post at Jamf Nation Feature Requests. I have done so here: Improve Jamf Pro & Connect passthrough | Jamf Nation Feature Requests

Please add your votes!