Posted on 04-22-2021 06:10 PM
We are trying to fine tune our SSO experience on our macOS devices.
Our JAMF Connect application is working fine but we are unable to get SSO working for Safari/Chrome/Edge etc.
We have found the following article:
https://docs.microsoft.com/en-us/azure/active-directory/develop/apple-sso-plugin
We have installed the Microsoft company portal app on our test device and deployed a Single-Sign On Configuration Profile to the test device and configured it as per Microsoft documentation in the above link.
We are not sure if the required custom configuration is applying correctly as the documentation states we need to add the following key pairs for it to work.
Key: browser_sso_interaction_enabled
Type: Integer
Value: 1 or 0
and
Key: browser_sso_disable_mfa
Type: Integer
Value: 1 or 0
We have done a test on a Mac which is Intune enrolled only and have used Intune to deploy the Single Sign On config profile, and it works a treat.
Opening Safari and going to office.com automatically shows the user signed in and we can simply click on it to log on.
On our JAMF enrolled device we still get prompted for a username and password.
We are using pure Azure AD and not using Kerberos.
Any advice or information would be greatly appreciated.
Posted on 04-23-2021 06:38 AM
We have this setup, and the piece I think you're missing is you'll need to set up Conditional Access and register the device with Intune through the Jamf integration.
Posted on 04-23-2021 06:48 AM
The Mac does not need to be enrolled into Intune for the SSO extension to work; you just have to have the Company Portal installed and the profile properly configured and deployed to the Mac.
Posted on 04-26-2021 05:19 PM
We were hoping not to have to configure the Conditional Access in JAMF; from what we understand, the Company Portal simply needs to be installed on the device for the extension.
@nelsoni have you managed to get it to work without the Conditional Access? If so, please could I pick your knowledge on how you have managed to get it to work? I have spent hours of research and testing and have still been unable to get it to work.
I have attached images of my config profile setup
Posted on 04-27-2021 06:02 AM
hobbs155, I do have the Azure SSO profile working without using conditional access. All I am doing is deploying my profile alongside the Intune company portal and that seems to be doing the job. Your profile appears to match mine.
Posted on 04-27-2021 05:35 PM
@nelsoni thank you for your replies. I have deleted my SSO Extension profile in JAMF and re-created it again just in case there was something wrong with it. I'm still not getting it right :-(
I'm testing on Big Sur. Jamf Connect is installed and appears to be working; I have deployed the SSO Extension profile and then manually installed the Company Portal app, and have not touched the Company Portal app after installing it.
The only profiles are the Jamf Connect and SSO extension profiles and then the Microsoft AutoUpdate config; otherwise we are testing vanilla.
Was there anything in Azure that you needed to do?
I must be missing something. Please can you let me know the steps you have followed to get it working.
This is what I see when trying to log in to office.com via Safari.
Posted on 04-28-2021 06:15 AM
That screenshot looks good. You have to log in at least once; that popup window is the Company Portal doing the brokerage between Safari and Azure. Once you log in, the Company Portal should pass the token to each other app that needs to authenticate.
Posted on 04-29-2021 12:48 AM
@nelsoni on our Intune-enrolled test device it just shows the user account which you have logged into the Mac with; you can click on it and it will sign you straight in. We didn't need to type in an e-mail address.
Posted on 04-29-2021 07:10 AM
From my testing and seeing deployments done by Apple themselves, there has to be at least one login performed; not sure how you got it to carry over from just an initial login from the Mac's login window.
Posted on 04-30-2021 01:04 AM
If we manage to figure it out I will let you know. Thank you for all your input; it has been valuable.
Posted on 05-11-2021 02:56 PM
@Hobbs155 Hi there,
Any updates from your side? Could you figure it out?
Posted on 05-13-2021 12:35 AM
@ali.fadavinia no, we haven't made much more progress on this just yet, but also have not had much time to spend on it at the moment. I had contacted JAMF support and they have seen the same results as us.
Posted on 08-11-2021 04:52 AM
Any news on this?
Posted on 10-02-2021 08:26 PM
I've been testing this config and was able to have Zscaler take the credentials from an Intune-enrolled test device (leveraging the JAMF\Conditional Access Intune enrollment).
Although Safari just shows a blank screen when getting to a login page that should take AzureAD creds.
Chrome and Outlook don't appear to be affected by the SSO config, as they just show the usual AzureAD login prompts.
Anyone else make any progress with this config?
I'm doing the same as in the screenshots, except I am using the following for my plist.
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>AppAllowList</key>
<string>com.zscaler.Zscaler, com.apple.Safari, com.microsoft.Outlook, com.google.Chrome, com.mozilla.firefox</string>
<key>AppPrefixAllowList</key>
<string>com.microsoft.</string>
<key>Browser_SSO_Interaction_Enabled</key>
<integer>1</integer>
<key>Disable_Explicit_App_Prompt</key>
<integer>1</integer>
</dict>
</plist>
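The thread keeps coming back to whether the ExtensionData keys (browser_sso_interaction_enabled, browser_sso_disable_mfa, AppAllowList, AppPrefixAllowList, Disable_Explicit_App_Prompt) are actually written the way the Microsoft documentation expects. The following checker is an added example, not code from this thread, from Jamf or from Microsoft; it takes the key names from the posts above, while the expected ExtensionIdentifier, TeamIdentifier and Type values in check_sso_payload are assumptions taken from the Microsoft documentation linked in the first post.

```python
# Added example: lint the SSO-extension profile settings discussed in the thread.
# EXPECTED values below are assumptions from the Microsoft docs, not from the thread.
import plistlib

INT_FLAGS = {"browser_sso_interaction_enabled", "browser_sso_disable_mfa",
             "disable_explicit_app_prompt"}
LIST_KEYS = {"AppAllowList", "AppPrefixAllowList"}
CANON = {k.lower(): k for k in INT_FLAGS | LIST_KEYS}  # documented spelling per key
EXPECTED = {"ExtensionIdentifier": "com.microsoft.CompanyPortalMac.ssoextension",
            "TeamIdentifier": "UBF8T346G9", "Type": "Redirect"}  # assumed from MS docs

# Constructed sample: the ExtensionData from the post above, trimmed, as an XML plist.
SAMPLE_XML = """<plist version="1.0"><dict>
<key>AppAllowList</key><string>com.zscaler.Zscaler, com.apple.Safari, com.microsoft.Outlook</string>
<key>AppPrefixAllowList</key><string>com.microsoft.</string>
<key>Browser_SSO_Interaction_Enabled</key><integer>1</integer>
<key>Disable_Explicit_App_Prompt</key><integer>1</integer>
</dict></plist>"""

def check_extension_data(data: dict) -> list[str]:
    # Returns a list of findings for an ExtensionData dict; empty means it looks clean.
    findings = []
    for key, value in data.items():
        canon = CANON.get(key.lower())
        if canon is None:
            findings.append(f"unknown key {key!r}")
        elif canon != key:
            findings.append(f"key {key!r} differs in case from documented {canon!r}")
        if canon in INT_FLAGS and not (isinstance(value, int) and value in (0, 1)):
            findings.append(f"{key} must be an integer 0 or 1, got {value!r}")
        elif canon in LIST_KEYS and not isinstance(value, str):
            findings.append(f"{key} must be a comma-separated string")
        elif canon in LIST_KEYS:  # the extension reads these as one comma-delimited string
            for item in (s.strip() for s in value.split(",")):
                if not item or " " in item or "." not in item:
                    findings.append(f"{key}: {item!r} is not a bundle identifier")
                elif canon == "AppPrefixAllowList" and not item.endswith("."):
                    findings.append(f"{key}: prefix {item!r} should end with '.'")
    return findings

def check_sso_payload(payload: dict) -> list[str]:
    # Checks the com.apple.extensiblesso payload that wraps ExtensionData.
    findings = [f"{k} should be {v!r}" for k, v in EXPECTED.items() if payload.get(k) != v]
    urls = payload.get("URLs") or []
    if not urls or any(not u.startswith("https://") for u in urls):
        findings.append("URLs must be a non-empty list of https:// identity-provider URLs")
    return findings + check_extension_data(payload.get("ExtensionData") or {})

def check_xml(xml_text: str = SAMPLE_XML) -> list[str]:
    return check_extension_data(plistlib.loads(xml_text.encode()))
```

Run against the sample it reports only the two keys whose capitalisation differs from the spelling quoted in the first post; a profile exported from Jamf Pro can be fed to check_sso_payload after loading its payload dictionary with plistlib.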
Posted on 02-04-2022 03:55 AM
Anyone got this SSO working? Trying to get it working with Chrome, but it always prompts for username and password, even logging into the Microsoft site.
Posted on 03-04-2022 09:46 AM
I'm also having problems getting the SSO to work after following the directions listed here: https://docs.microsoft.com/en-us/azure/active-directory/develop/apple-sso-plugin
From Hobbs155's screenshot, there is a Custom Configuration using the com.microsoft.CompanyPortalMac.plist. Can anybody here who has this working share their plist and advise where the file should be stored (Jamf Pro and/or end-user machine)?
Thank you in advance!
Posted on 05-09-2022 09:52 PM
According to MS, Chrome is not supported with SSO.
https://macadmins.slack.com/archives/CSLNS5GEN/p1648655068079999?thread_ts=1648060604.329059&cid=CSL...