Help

Azure IdP, SSO and local account names

sakul
New Contributor III

Posted on ‎08-19-2021 02:41 AM

Hi,

I managed to setup Jamf Pro Cloud with Azure AD SSO & Cloud IdP, automated enrolment with user authentication and pre-filling of primary account information during setup assistant. The whole seems to work as advertised. Unfortunately Jamf pre-fills the account name with the user's email address (userPrincipalName), which seems odd to me. I'd rather have the account name set to the user's sAMAccountName (onPremiseSamAccountName in Azure),  like all our windows users and current macOS mobile account users. I can extract the sAMAccountName from the SSO SAML assertion, but Jamf can't use it to lookup the user in Azure as that attributed isn't indexed in Azure.

So I have some questions....

Email as local account name (and name of home folder) seems odd, but are there any real down sides to it?

What other (searchable) Azure AD attribute would you recommend using as the account name?

The onPremiseSamAccountName attribute can actually be read from Azure when you search the user by userPrincipalName. Can Jamf be made to use it as the username?

Thanks

3 REPLIES 3

mcrispin
Contributor II

Posted on ‎08-22-2021 02:19 PM

This kinda feels like why Jamf Connect exists.

0 Kudos

jttavares
New Contributor III

Posted on ‎09-24-2021 07:17 AM

I also setup Jamf Pro Cloud with Azure AD SSO & Cloud IdP but not using DEP.  I can't use DEP in my environment.  So I guess without using DEP, I have no way of getting the User and Location fields to auto populate from Azure?  Also we have a large turn around of staff so hardware constantly gets reassigned to new users and we are not re-enrolling these machines into Jamf.  I need this info to auto-update from an asset tracking-inventory perspective with the new owner of the Macs user and location info in azure.   I can't seem to find an answer on getting these fields to populate on their own.  Any help would be appreciated. tx

 

0 Kudos

Gwynn
New Contributor

Posted on ‎03-02-2022 12:49 AM

@sakul I'm having the the same issue, did you manage to resolve it?

I've currently worked around it by mapping one of the Cloud IDP mappings to onPremiseSamAccountName, at the moment I'm using 'position', I suppose you can use any spare fields.

I then used the custom details option in the pre-stage account settings then pre-fill with $USERNAME and $POSITION

I'm still testing so not sure of potential issues and side effects down the road.