Hey everyone!
I'm reaching out for guidance on a complex issue I've encountered with integrating Jamf Pro and Microsoft Entra ID for SSO, specifically regarding user attribute mappings and device enrollment processes. Despite a successful setup of Single Sign-On and Cloud Identity Providers for new macOS device enrollments with corporate credentials, I've hit a stumbling block with more detailed configurations.
Core Issues:
User Attribute Mappings: My goal is to map the User Name attribute to the onPremisesSamAccountName (essentially, the UPN without @domain.com) for a more intuitive username representation. Additionally, I aim to map Phone attributes to mobilePhone and Position to jobTitle, enhancing user profile completeness within our system.
Device Enrollment Customization: During the Setup Assistant phase of Automatic Device Enrollment (via ABM), I intend to pre-fill the primary account information with the device owner's details. However, the system defaults to using the UPN/email for the "Account Name" field, rather than the desired username. This deviation from our goal hampers user experience (especially since macOS doesn't like the @ in the username).
Attempts and Roadblocks:
- I've explored various community suggestions and official documentation, including a detailed thread on here: (Azure AD SSO and New Device Setup) and guidance intended for Jamf Connect SSO setups (SAML Token Attribute Mapping for Enrollment Customization), hoping for overlapping solutions.
- Modifying "User Mapping From The SAML Assertion" in Jamf Pro settings to anything aside from "userPrincipalName" seems unfeasible, as changes refuse to save even when the corresponding claim exists in the Entra ID Enterprise app.
- Attempts to adjust the NameID in the Enterprise App to use the SAM username instead of UPN disrupted SSO functionality, contradicting Microsoft's documentation suggesting such customization is supported.
Given these challenges, I'm seeking insights or success stories from anyone who's navigated similar configurations. Jamf support has yet to offer a resolution, leaving me to wonder:
- Is it feasible to utilize anything other than the UPN for the username in this setup, without leveraging Jamf Connect?
- Are there alternative strategies to import other user attributes into Jamf Pro, akin to what's achievable with LDAP?
I'm eager to hear your thoughts, experiences, links or any other recommendations you may have!
Some screenshots:
Error when I try to change the User Mapping
The User mapping settings I want to change from the default info I get from Entra ID
What I'm getting, including the UPN for Username
1 ACCEPTED SOLUTION
I've just done this exact thing for a customer. There is a trick with getting the User Mapping From The SAML Assertion to stick under Cloud identity providers. You need to edit and change it to your desired value then deselect Transitive groups for SSO. Save, then Edit again and select Transitive groups for SSO and Save again - Strange behaviour, but then it sticks.
Here's the full process to change the username mapping from userPrincipalName to onPremisesSamAccountName:
Make sure that you can access the Failover URL first as this briefly breaks SSO!
Entra ID Changes:
1. Sign in to the Microsoft Entra admin center as a Cloud Application Administrator or Global Administrator.
2. Browse to Microsoft Entra ID > Enterprise applications > All applications.
3. Search for an select the Jamf Pro application.
4. Select Single sign-on in the left-hand menu, and then select Edit in the Attributes & Claims section.
5. Select Unique User Identifier (Name ID)
6. In the Source attribute field, select the dropdown box and change user.userprincipalname to user.onpremisessamaccountname and then Save.
Jamf Pro Changes:
1. Access your Jamf Pro console via Failover URL, as the above change will affect SSO login.
2. Go to Settings > System > Cloud Identity Providers > {NAME}
3. Edit and change User Mapping From The SAML Assertion from userPrincipalName to onPremisesSamAccountName.
4. Deselect Transitive groups for SSO, then save. - There appears to be a bug that won’t let you modify without first removing it.
5. Edit again and reselect Transitive groups for SSO and Save.
6. On the Mapping tab, change User Name field from userPrincipalName to onPremisesSamAccountName. You can also modify any other mapping field here if you wish.
7. Go into the PreStage enrolment profile > Account Settings and change Information Type from Device owner’s details to Custom Details and enter the following variables:
Making these changes will then map users by the SAM account name as the username in Jamf Pro and will also automatically populate as the local device account name during the setup. Jamf Administrators can continue to login to the console with their full UPN as normal. Hopefully this is helpful.
Hi @TheAngryYeti
Thank you for the link, it helped me quite a lot but I still have issues with SSO.
I have set the claims as following:
I have the settings as following in Jamf Pro:
Single sign-on:
Identity Provider User Mapping
NameID
Jamf Pro User Mapping
Username
Cloud identity providers:
User Mapping From The SAML Assertion
userPrincipalName
(I still can't change this to either onpremisessamaccountname or onPremisesSamAccountName as mentioned in the guide, I'm not sure this is what breaks the SSO?)
Mappings > User Attribute Mappings > User Name
onPremisesSamAccountName
---
If I use the test function on the Cloud identity providers page, I can now search the user with the onPremisesSamAccountName as username and I also get the position and phone number.
I can also add admins, as they should up correctly with the username and not UPN
However I can't use the SSO now. In the Enterprise app's Sign-in logs my attempts have a Success status, but I'm getting this error when trying to login:
Any ideas?
I've just done this exact thing for a customer. There is a trick with getting the User Mapping From The SAML Assertion to stick under Cloud identity providers. You need to edit and change it to your desired value then deselect Transitive groups for SSO. Save, then Edit again and select Transitive groups for SSO and Save again - Strange behaviour, but then it sticks.
Here's the full process to change the username mapping from userPrincipalName to onPremisesSamAccountName:
Make sure that you can access the Failover URL first as this briefly breaks SSO!
Entra ID Changes:
1. Sign in to the Microsoft Entra admin center as a Cloud Application Administrator or Global Administrator.
2. Browse to Microsoft Entra ID > Enterprise applications > All applications.
3. Search for an select the Jamf Pro application.
4. Select Single sign-on in the left-hand menu, and then select Edit in the Attributes & Claims section.
5. Select Unique User Identifier (Name ID)
6. In the Source attribute field, select the dropdown box and change user.userprincipalname to user.onpremisessamaccountname and then Save.
Jamf Pro Changes:
1. Access your Jamf Pro console via Failover URL, as the above change will affect SSO login.
2. Go to Settings > System > Cloud Identity Providers > {NAME}
3. Edit and change User Mapping From The SAML Assertion from userPrincipalName to onPremisesSamAccountName.
4. Deselect Transitive groups for SSO, then save. - There appears to be a bug that won’t let you modify without first removing it.
5. Edit again and reselect Transitive groups for SSO and Save.
6. On the Mapping tab, change User Name field from userPrincipalName to onPremisesSamAccountName. You can also modify any other mapping field here if you wish.
7. Go into the PreStage enrolment profile > Account Settings and change Information Type from Device owner’s details to Custom Details and enter the following variables:
Making these changes will then map users by the SAM account name as the username in Jamf Pro and will also automatically populate as the local device account name during the setup. Jamf Administrators can continue to login to the console with their full UPN as normal. Hopefully this is helpful.
Pls check on Jamf Connect setting, if anything similar and update to onPremisesSamAccountName
Got there eventually!
This is very useful info, thanks for posting. I'm just leaving a comment here in case anyone has come across this error when trying to make any changes to the Jamf Pro Entra configuration? We're a bit stuck with user and group lookups both not working...
