I'm testing this MS plug-in for SSO



It works fine with Safari, but I'm not able to use it with Desktop-Apps like Office 365 ones.



Anyone have experience in SSO in Office 365 apps?

I have gone ahead with other tests, with macOS Ventura too. SSO now seems to work better, but it requires authentication again for the first app.

Now using Jamf Connect Login, with only one authentication the user can:
1. Enroll the Mac (ADE) with Azure credentials
2. Create a local account
3. Log in the user
4. Connect Jamf Connect (menu bar)
So the enrollment is complete, with one authentication request only.

The problem starts with configuration:
1. Company Portal registration requests another authentication, plus authorization for JamfAAD access to the key "MS Workplace Join Key"
2. Then, the first app opened requests authentication again

I'm looking for a streamlined process for enrollment and configuration with one-shot authentication. Any idea?


Hello.
Are you using the new SSO Apple is baking into Ventura for a streamlined login experience, or the SSO profile you can configure for applications like Safari and MS apps (Teams, Outlook, etc.)?


Hi there, I have configured the SSOE with redirection to MS servers to authenticate through Azure and so far it works pretty well with Safari and local MS apps. However, when SSOE is enabled, I am unable to log into my JamfCloud instance through Safari; it always notifies me that SSO has expired. Any thoughts? I already cleared all Safari cookies and privacy stuff, but same issue.


I get the same here @Karl941, did you ever get anywhere with this?


Still not, unfortunately. Anyone in this group, maybe?


Hey @vinu_thankachan 

I have a similar configuration and wondering if you can post what you see on the macOS device? I'm unable to see the additional custom configuration nor does it work on our test devices.


Did you get this to work? I have same issue you were having. Though it works in Safari.


What will be the plist name?


MSSSOEXTCustom.plist


Oops, sorry, that is what I use for the "extra" stuff. This is the plist:
com.microsoft.CompanyPortalMac.ssoextension

See https://learn.microsoft.com/en-us/mem/intune/configuration/use-enterprise-sso-plug-in-ios-ipados-macos-with-jamf-pro


What is the name of this .plist?

thanks


com.microsoft.CompanyPortalMac.ssoextension


<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>AppPrefixAllowList</key>
<string>com.microsoft.,com.apple.,com.adobe.,com.jam.,com.jamfsoftware.,com.jamf.</string>
<key>AppAllowList</key>
<string>com.microsoft.Outlook,com.microsoft.teams,com.microsoft.OneDrive,com.microsoft.edgemac</string>
<key>browser_sso_interaction_enabled</key>
<integer>1</integer>
<key>browser_sso_disable_mfa</key>
<integer>1</integer>
<key>disable_explicit_app_prompt_and_autologin</key>
<integer>1</integer>
</dict>
</plist>

Good morning,
Has anyone here continued testing and using the Microsoft Enterprise SSO Plugin? For my part, I followed this Microsoft procedure:
https://learn.microsoft.com/en-us/mem/intune/configuration/use-enterprise-sso-plug-in-macos-with-intune?tabs=prereq-jamf-pro%2Ccreate-profile-jamf-
I installed the Company Portal app through Jamf, then installed the following configuration profile:

 

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>AppAllowList</key>
<string>com.microsoft.Outlook,com.microsoft.teams,com.microsoft.OneDrive,com.microsoft.Word,com.microsoft.Excel,com.microsoft.Powerpoint,com.microsoft.onenote.mac,com.microsoft.Yammer,com.microsoft.edgemac,com.microsoft.edgemac.local,com.microsoft.msedge,com.microsoft.rdc.macos,com.jamfsoftware.selfservice.mac</string>
<key>AppPrefixAllowList</key>
<string>com.microsoft.,com.apple.,com.adobe.,com.jamfsoftware.,com.jamf.</string>
<key>browser_sso_disable_mfa</key>
<integer>1</integer>
<key>browser_sso_interaction_enabled</key>
<integer>1</integer>
<key>disable_explicit_app_prompt_and_autologin</key>
<integer>1</integer>
</dict>
</plist>

 


It works on macOS 13.2.1, I haven't noticed any bugs yet. Do you know if it is possible to extend it on Firefox or Chrome today?


Hi @leobrt 

If you're using Azure AD as the IdP to authenticate into your JamfCloud instance, how does SSO work with your configuration and Safari, please?


Hi @Karl941 ,
We don't currently use it, despite having incorporated it into my configuration profile. Following the Jamf and Microsoft documentation, you did not succeed?


I managed to get it working. I believe this was due to the groups in the LDAP group membership. It saw I was in one group that does not have access; a "later" group does, but it ignores that and takes the first group membership.
We fixed it by removing the catch-all group we had that was used for enrollment. Since then it works fine. Alternatively, name your main Jamf admin group AAAAA_Group_Name so it is seen first ;)


Nope, the SSO will work for 8 hours and then it will always fail to SSO because of the token expiration; SSO does not renew it (Jamf SSO error message). I cleared everything from Safari, but it did not fix it. I was thus curious to know how it behaves for other members of the Jamf community.


The attached plist is working SSO for Word, PPT, Excel, Outlook, Safari, Teams, and Zscaler, but it's not working for Chrome, Firefox, and Edge when I sign in to the Company Portal app.

Can anyone suggest how to achieve SSO for Chrome, Firefox, and Edge?

 

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>AppAllowList</key>
<string>com.microsoft.Outlook,com.microsoft.teams,com.microsoft.OneDrive,com.microsoft.Word,com.microsoft.Excel,com.microsoft.Powerpoint,com.microsoft.onenote.mac,com.zscaler.Zscaler</string>
<key>browser_sso_interaction_enabled</key>
<integer>1</integer>
<key>disable_explicit_app_prompt</key>
<integer>1</integer>
</dict>
</plist>
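As an added example (not from any post in this thread, and not Microsoft's or Jamf's own tooling), a small Python lint for a com.microsoft.CompanyPortalMac.ssoextension payload like the ones posted above: it reports an empty allow-list entry left by a trailing comma, flags the MFA-disabling key, and shows which bundle IDs the two allow lists would match. The sample payload is constructed for this example.

```python
import plistlib

# Constructed sample payload for com.microsoft.CompanyPortalMac.ssoextension,
# modelled on the profiles posted in this thread; the trailing comma in
# AppAllowList is deliberate so the lint below has something to catch.
SAMPLE_PAYLOAD = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>AppAllowList</key>
<string>com.microsoft.Outlook,com.microsoft.teams,com.zscaler.Zscaler,</string>
<key>AppPrefixAllowList</key>
<string>com.microsoft.,com.apple.</string>
<key>browser_sso_interaction_enabled</key>
<integer>1</integer>
<key>browser_sso_disable_mfa</key>
<integer>1</integer>
</dict>
</plist>
"""

def split_entries(value):
    """Split a comma-separated allow-list string; empty entries are kept so they get reported."""
    return value.split(",") if value else []

def lint_sso_payload(raw):
    """Parse the payload and return (findings, allow_list, prefix_list)."""
    plist = plistlib.loads(raw)
    allow = split_entries(plist.get("AppAllowList", ""))
    prefixes = split_entries(plist.get("AppPrefixAllowList", ""))
    findings = []
    if "" in allow or "" in prefixes:
        findings.append("empty entry in an allow list (stray or trailing comma)")
    if plist.get("browser_sso_disable_mfa") == 1:
        findings.append("browser_sso_disable_mfa=1: MFA not enforced in browser SSO flows, confirm this is intended")
    return findings, allow, prefixes

def is_allowed(bundle_id, allow, prefixes):
    """True if the bundle ID is listed explicitly or starts with a non-empty listed prefix.
    An empty prefix is ignored here instead of being allowed to match every app."""
    return bundle_id in allow or any(p and bundle_id.startswith(p) for p in prefixes)

if __name__ == "__main__":
    findings, allow, prefixes = lint_sso_payload(SAMPLE_PAYLOAD)
    for f in findings:
        print("finding:", f)
    # Bundle IDs from the thread plus the browsers it reports as not working.
    for app in ("com.microsoft.Word", "com.zscaler.Zscaler", "com.google.Chrome", "org.mozilla.firefox"):
        print(f"{app}: {'matched' if is_allowed(app, allow, prefixes) else 'not matched'}")
```

Allow-list membership is only a prerequisite: as later replies in this thread report, Chrome and Firefox have no support for the Microsoft SSO extension, so listing their bundle IDs does not make them work.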

 


Any chance of finding a way to make Chrome and Edge work?


Hey JAMF experts,

The attached plist is working SSO for us in Safari, but it's not working for Chrome or Edge. Any solution, or has someone found a workaround?


<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
<key>AppPrefixAllowList</key>
<string>com.microsoft.,com.apple.,com.jamf.,com.jamfsoftware.</string>
<key>browser_sso_interaction_enabled</key>
<integer>1</integer>
<key>disable_explicit_app_prompt</key>
<integer>1</integer>
</dict>
</plist>


Hey @pueo, I'm having success on 12.2 with Teams and all Microsoft apps using the SSO.

If you look at my company portal plist these are the settings that might affect it:

<key>AppAllowList</key>
<string>com.apple.SetupAssistant,com.microsoft.Outlook,com.microsoft.teams,com.microsoft.OneDrive,com.microsoft.Word,com.microsoft.Excel,com.microsoft.Powerpoint,com.microsoft.onenote.mac,com.jamfsoftware.selfservice.mac,us.zoom.xos,zoom.us</string>
<key>Enable_SSO_On_All_ManagedApps</key>
<integer>1</integer>
<key>browser_sso_disable_mfa</key>
<integer>1</integer>
<key>browser_sso_interaction_enabled</key>
<integer>1</integer>
<key>disable_explicit_app_prompt_and_autologin</key>
<integer>1</integer>

Also, your plist for Chrome seems to be just default settings for Chrome in general, but I don't see how it ties into the SSO with those settings. Thanks, though, for the info.


Hey Gabe,
With the above plist, is SSO working with your Chrome and Edge browsers? No password prompts?


Hey All

Following this thread is confusing as posts are not in order by date but we will see who reads this and has some information.

Every so often I spend time with the SSO profile, then move on to other things. It mostly works on my test computers except for FF and Chrome (I knew about this years ago when Apple mentioned it to me during a Pro D session).

Anyway... private browsing... is there a setting to NOT have the SSO settings replicate to a private browser session? My boss said SSO for general stuff is great, but what about private browsing? Can we add a <key> to prevent SSO in private browsers (to test other accounts, etc.)?

Cheers

Ash


Currently you don't with FF, Brave and Chrome.


It doesn't look like Chrome or Firefox have built in any support for the Microsoft SSO. However, we did find a good extension in Chrome to keep them logged in, called "Windows Accounts".


Hello @GabePPS 
The reviews for the plug-in are very mixed. How is the extension working for your environment? We have an Azure environment with Chrome being our 'default' browser, followed by Edge.


I have a shared iPad setup, and when the SSO plugin is enabled, the Teams app won't sign in at all. It gives the following error: Something went wrong. The device is not set-up properly. When the SSO policy is turned off, I can sign in normally. Any ideas? I've tried to exclude the Teams bundle ID, but nothing seems to work.

 

Currently I have the following keys:

AppPrefixAllowList: com.microsoft.,com.apple.
disable_explicit_app_prompt
browser_sso_interaction_enabled
disable_explicit_app_prompt_and_autologin
Enable_SSO_On_All_ManagedApps
browser_sso_disable_mfa


The requirement for the iPads is also having the Microsoft Authenticator app installed. More info here: https://learn.microsoft.com/en-us/azure/active-directory/develop/apple-sso-plugin

I'm actually exploring switching away from this and seeing if I can implement the Apple SSO instead.


Yeah, Authenticator is deployed. SSO in the Safari browser works just fine. For the Teams app I have to manually enter the username; it doesn't matter what username I enter, clicking Next always generates the same error.
