Jamf Nation Community

A little side-note
Even with a fully working SSO + LDAP setup, you (especially admins) will meet an error message from time to time, claiming that there was an SAML error stopping your login. This is due to some token renewal magic not happening correctly (probably) on the JSS side.

Luckily, there is an easy fix: Go to your Azure or Office portal and log out the session. Afterwards, going to the JSS will prompt a new SSO login, and all is well again. The error message might also be avoided by actually logging out of JSS when finishing up an admin session (but who really does that?).

Hello!
Is it possibile in the same way to configure SSO + the classic Windows Server LDAP?

Yes, it should be entirely possible. If you, for instance, have a setup with synced AD, you may use Azure AD SSO and local Windows AD LDAP. No need for Azure AD Domain Services if the on-premise LDAP server is reachable by the Jamf Pro Server.

Other on-premise solutions are described in the Knowledge base articles, just search for SSO.

Hi erikw, thanks a lot for posting this guide.

We're in a similar situation: we're trying to setup Jamf Pro with our Azure AD. We've setup Azure AD SSO for multiple other integrations (salesforce for instance), but JSS seems to be a different case.

From your article, I understand that in order to have user mappings, the LDAPS integration is required. Is my understanding correctly? I was hoping to provision the users automatically when SAML authentication succeeds.

Also, when a user enrolls his system via self-enrollment, authenticated via SAML, is his device then automatically linked to the user that was found through authentication?

Thanks!

Hello,

As I read it, you understand correctly... 😉

Jamf Pro does do things a little bit differently. It is, I would say, totally dependent on LDAP integration in order to populate user data.

The user is, as I understand it, created automatically in Jamf Pro on first successful SAML authentication, and the user's info is then fetched through LDAP user mappings. In normal SAML setups, the server would, I believe, do separate SAML calls after authentication to fetch the user info from the SSO provider, but Jamf Pro only uses LDAP for this. At this time, at least. The upside is that the LDAP search is much faster than the more cumbersome SAML/SOAP dialog, the downside is that you have to pay additional fees for the LDAPS service in Azure AD.

When a user enrolls his system via self-enrollment (or DEP) and authenticated with SAML, the user will be automatically created in Jamf Pro (if it doesn't exist), the user data populated from LDAP, and the device will be linked to that user. Also, if you enroll a device using a privileged Jamf Pro account (admin user), you are able to choose which user to bind to, but again, that user search is done through LDAP...

I hope this helps clarify a bit.

Hi Guys,

We are looking into doing SSO for our jamf pro instance here but I am just wondering what the expected behaviour is for users when opening Self Service?

We currently have AD integration working polling our on premise AD Controller but we are in a hybrid Azure AD environment.

Cheers

For our setup, I'm sorry, I don't know. We have chosen not to use SSO or login for Self Service, and that suits our purposes. When our enrolled devices starts Self Service, it just pops up.

For the virtual network being used by the Azure Active Directory Domain Service, did you configure NSG to minimize the IPs that can communicate to it? If so did you use these?
https://www.jamf.com/jamf-nation/articles/409/permitting-inbound-outbound-traffic-with-jamf-cloud

I did, in fact, configure NSG to minimise the IPs. And I used the list you link to. Since our organisation is being served from the EU, I opened for the IPs from the EU Frankfurt list, as seen in the image.

I think there is a new app in Azure.....

https://docs.microsoft.com/en-us/azure/active-directory/active-directory-saas-jamfprosamlconnector-tutorial

C

@eirikw Pointed out something pretty important. Ran into this error after completing the setup:

The resolution was to follow his advice:
"Go to your Azure or Office portal and log out the session. Afterwards, going to the JSS will prompt a new SSO login, and all is well again."

Thanks all for this useful thread. Has anyone who is using SSO login to Self Service found an equivalent to logging out of the Azure or Office portal? That solution works great for the admin interface with a typical browser, but I now have a "Single Sign-On Error" in Self Service as a result of choosing 'stay logged in'. Oops!

Is there going to be a proper fix for the SSO logon issue? It is ok for admins to logout of Office 365 when they get this error but it is not something I want users to see as their first experience with Jamf. I've only just got Jamf Pro setup in the last week and so now want to send all my users a self enrolment email but this error is going to cause me problems. We use Azure SSO for over 22 different online services and I've not had this issue anywhere else. Thanks Phil

I haven’t test SSO with Self Service, but I have it for enrollments and console logins and I have never seen this issue.

@nateburt You may try investigating the contents of "~/Library/Caches/com.jamfsoftware.selfservice.mac". It seems the only location Self Service stores any files. It would be the location for any SSO login cookies.

Hi,

I've followed your advise step by step but I am getting a Username or Password error when testing the connection to our Azure ADDS LDAPS.

We've tried both a DN and user@domain, the user account has global admin so it's not a permissions issue.

Can you suggest anything else to try?

First: The only way to authenticate with AADDS LDAPS is with 'user@domain' and password. It will not work otherwise.

Also, the password mechanism in AADDS is different from Azure AD, so there might be delays and unexpected password expiries that does not reflect in Azure AD. The account login may work in the Office Portal, but not with LDAPS.

If I understand you correctly, you are using a global admin account as the LDAP User Account in the Jamf Pro LDAP setup? It would work, but you shouldn't need to. Instead, create a separate account without Office licenses or any other permissions than 'Login allowed', for instance 'jamf@yourdomain'. Create the account, set a safe password and wait for about 15 minutes for the AADDS to catch up. It should work.

Otherwise, if you insist on using the global admin, you'll probably need to reset the user's password in Azure AD. If you login to O365 Admin Portal as a different global admin, you are able to reset the user's password to the same it had before. Wait 15 minutes to allow it to sync with AADDS, and then proceed to testing the LDAP service in Jamf.

If it still does not work, it might be that Azure AD cannot sync to AADDS. Check for error messages in AADS 'health'.

Also, check that the AADDS service does not report any errors with it's 'health'. If it can't synchronize with Azure AD, there will be problems.

Thanks for the response, we had to change our user mappings slightly

We added top and user to the object classes and the username field mapping to userPrincipleName

On a different note, how do we test logging into a mac with an Office365 account? Is there some bindings that we need to fill out in Active Directory Bindings under global settings or a config we need to push out?

Good.

As far as I know, there's no way of binding macOS to O365 (alias Azure AD). I mean, with DEP enrollment, you may end up with a username and password identical to that in O365, but no AD binding. Azure AD is still not a fully functional AD.

I want to know what are the other attributes that jam f pro using for the azure Ldap other than the SAM Acoount name i want to know what other attributes are being accepted by the jam f pro.

what other attributes jam f pro uses for the mapping from the azure ldap apart from sam account name

I have SSO configured with Azure AD

I've found that I can import users from LDAP and then they can log in on SSO through Azure. We have a hybrid Azure AD Connect system in place. This has made it easier to not worry about manually provisioning accounts. One thing I do wish we could do would be to import an LDAP group and have all of those users be imported, but I have yet to find a way to do that

@hdsreid

I am only 50% sure but I don't think the Jamf Pro can do that... I would like for it to read and use Ldap groups for access so we could just use our ldap groups for Access control.

C

@gachowski

What is the purpose of importing groups in the Accounts and Groups section?

@hdsreid

If the jamf server understood those group, I could just add the "support team group" from our AD groups and them match that to a jamf pro group access for the support team, as an example. Then all our sub orgs could manager their own access and our Jamf admin team would not have to add and remover users as the join and leave the our organization.

C

@gachowski

sorry i think my post was a bit too rhetorical. i want to add them for the same reason, however i can't figure out how to get it working. basically what i am asking is, it doesn't seem to allow for access control via ldap groups, so why does the ldap groups option even exist? what can it actually do if not access control?

@majaazbaig If you look at the user mappings in the original post, you'll see that we do not use SAMAccountName at all in the mapping, only other attributes. As Username in Jamf Pro, for instance, we use the mail attribute, as User ID we use uSNCreated. Or did I misunderstand something?

@hdsreid There is a possibility to use LDAP groups in the Policy scope, under Limitations, and I think that works, as opposed to the access group setup.

@eirikw - what is the benefit to LDAP+SSO vs LDAP only? I work for a very small organization and, for reasons I will not go into here, we have a full JamfCloud instances vs JamfNow even though our footprint is quite small.

At this time I do not anticipate enforcing login for self-service and the primary interest in connecting to AzureAD is for the purpose of assigning machines to employees for asset management. The immediate detractor I can see to LDAP only is self-service enrollment.

In regard to Groups & SSO

Hi All,

Just an "FYI" Group Membership claims do work with Azure and Jamf Pro, Azure just passes the Group Object ID instead of the plaintext name. In order to utilize groups you need to get the Object ID of your group, then create a standard group in Jamf Pro using the Object ID as the name of your standard group.

I.e. Azure Group = Jamf Pro Admins has an Object ID of 1001. Create a standard group in Jamf Pro with a name of 1001

Jamf will match the user being asserted via SAML as belonging to that standard group, so long as the SAML assertion contains the Group's Object ID (which it should if you followed this article and edited the app manifest and the user is actually a member of the group).

You can find a groups object ID Under the Group overview section in azure.

Hi All,

We have a step-by-step guide on configuring Azure AD (Azure AD Managed Domain Services) in Jamf Pro as an LDAP source, as well as using Azure AD for Single-Sign On.

Take a look at it here - https://hcsonline.com/support/white-papers/a-guide-to-integrate-azure-active-directory-with-jamf-pro

You are a life saver, I'm currently looking into this and thought of looking it up here and voila!!!

Hi All,

What about this?
https://marketplace.jamf.com/details/azure-active-directory/

seems like simple setup, but having issues getting it to work.

@nicholasmcdonald Nicholas,

I don't suppose you'd be so kind as to elaborate on your post where by being in an Azure AD group should get you access when configured with SSO.... I'm trying to configure a new instance, and do not want the complexity of LDAPS on Azure if I can help it (we are a small Jamf installation, so I don't need all that user info in Jamf, I already have it in Azure AD).

I keep hitting a wall with the app, saying that I don't have access, though I im in the group of which the objectGuid matches the name of the standard group within Jamf. I can see in my SAML response when testing that the group is indeed present (amongst a long list of other groups of which I'm a member). Any pointers would be very welcome!

Currently as we sit, our previous network engineer decided to make a read only domain controller and connected it to our dmz. It's only current role is configured for our pre-stage enrollment where we require authentication and so our ldap settings in Jamf are set to point to the read only domain controller for authentication only.

We want to remove that read only and have the users authenticate against Azure, will the guide above accomplish this? We're not so concerned at the moment about making sure we have SSO or the ability for O365 users to be able to log into Jamf Pro.

Thanks

@slocke The simple answer is Yes. You just wouldn't be doing the SSO part until you are ready.

@slocke this is also a very good guide. Azure as LDAP

Jamf really should implement provisioning to follow best security practices.