Does anyone have setup instructions for the new Azure portal for SSO?

ajbagwell
New Contributor

We are trying to set up our LDAP and SSO through Azure. Are there any setup instructions for the new Azure portal (portal.azure.com)?
The tech support guy that contacted me had never even heard of Azure.


Taylor_Armstron
Valued Contributor

I don't believe that Azure is officially supported at this point, but any chance of using Federated Services with Azure?

Might want to take a look here:

https://www.jamf.com/jamf-nation/feature-requests/1425/saml-support-for-self-service

https://www.jamf.com/jamf-nation/articles/436/configuring-single-sign-on-with-active-directory-federation-services

eDooku
New Contributor III

Haven't tried the SAML way yet. We managed to set up JSS to authenticate to Azure Active Directory through Azure Domain Services, which is only found in the classic Azure portal (https://manage.windowsazure.com). Using that, you can set up a publicly available LDAPS server, which works ALMOST as normal AD LDAP. You do have to reset the user passwords in order to get it to work (as the Domain Services uses a different password hash than Azure AD), but in the end it works very well, and is very fast.

tjoyce
New Contributor

We got it to work with Azure AD Premium (Premium is required for custom apps). Unfortunately, I didn't document all the steps along the way, because there was a lot of trial and error involved, but essentially, it goes like this:

In Azure

Create the application in Azure. The meat of the settings is in the "Single sign-on" page, where my settings are as follows:
Identifier: https://<jamftenant>.jamfcloud.com/saml/metadata
Reply URL: https://<jamftenant>.jamfcloud.com/saml/SSO

Leave User Identifier as user.userprincipalname

Create and activate a new certificate

Download the Metadata XML from the link at the right

In Jamf

Enable SSO for JSS, Self Service and User-Initiated Enrollment
Leave the user mappings as the defaults (NameID, then Username)

Under Identity provider, select "Other", then type "Azure Active Directory" (though I'm not sure that matters)

Under Identity Provider Metadata Source, upload the XML file you downloaded earlier

Generate a certificate... not sure that did anything, but ours has a certificate there and it works.

Because we used userprincipalname as the user identifier, the logins in Jamf must be full UPN names, user@domain.com. You can probably play around with different values there to suit your needs.

It doesn't seem to support auto-provisioning for user accounts. So, each user must be provisioned in Azure AND have their account created in Jamf. Also, I wish we could leave the password field blank when creating the Jamf account, since it isn't used anyway.

EDIT: I should also point out that we are a brand new customer, so this just enables users to log in to the portal. I haven't tested any other features because, frankly, I'm lost in the product right now.

JS_WWU
New Contributor III

I finally got this going here! Thanks to all who have posted.

My (dumb) issue was that the accounts in Jamf Cloud did not have "@organization.com" attached to the end. All of our internal systems use a plain "account name", but in Azure we have to log in using account@org.com. Appending that to all existing/pre-created Jamf user accounts so that they match Azure fixed this for us.

Next piece is how to automate Jamf account creation so that others can also log in.

gachowski
Valued Contributor II

I think there is a new app in Azure...

https://docs.microsoft.com/en-us/azure/active-directory/active-directory-saas-jamfprosamlconnector-tutorial

C