LDAP, SSO, and AD Groups

Taylor_Armstron
Valued Contributor

Close to opening a support ticket, but thought I'd check to make sure this actually works for anyone before I do.

We've just recently set up SSO, which works well, provided I've pre-created the account under Settings->System Settings->Jamf Pro User Accounts & Groups. All seems to work as expected, rights work, etc. Accounts are hosted in our internal AD, I'm using "Add LDAP Account", all behaves the way I'd expect.

What I'm going for next is trying to add AD Groups instead, and let departments manage who has access to the Jamf console without me being a bottleneck, manually setting up the users.

I've added an LDAP group with no issues, assigned permissions, assigned members in AD, but when any of those users attempt to log in, they get an error:

Access Denied. Contact your administrator to request access to the Jamf Pro server

Should this work? Without having to add each user manually?


Taylor_Armstron
Valued Contributor

FWIW, all test lookups under System Settings->LDAP Servers-><our domain> appear to work.

I can lookup my test user I created, I can lookup the group, and I can successfully show that the user is IN the group, but still get access denied logging in.
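The membership check described in the post above (look up the user, look up the group, confirm the user is in it), as an added example that is not part of the original thread and not Jamf's own tooling: a stdlib-only Python script that reads ldapsearch-style LDIF output and reports whether a user is a direct member of the group, a member only through a nested group, or not a member at all. The directory data is a constructed sample with a placeholder domain (`DC=example,DC=test`); the user, group and OU names are assumptions.

```python
"""Verify AD/LDAP group membership from ldapsearch-style LDIF output (stdlib only)."""
import re
from typing import Dict, List, Set

# Constructed sample shaped like `ldapsearch -LLL` output; not from a real directory.
# nuser is in Jamf-Admin only via the nested group Dept-Admins, and AD's memberOf
# attribute lists direct memberships only, so memberOf alone will not show it.
SAMPLE_LDIF = """\
dn: CN=tuser,OU=Users,DC=example,DC=test
objectClass: user
sAMAccountName: tuser
memberOf: CN=Jamf-Admin,OU=Groups,DC=example,DC=test

dn: CN=nuser,OU=Users,DC=example,DC=test
objectClass: user
sAMAccountName: nuser
memberOf: CN=Dept-Admins,OU=Groups,DC=example,DC=test

dn: CN=Dept-Admins,OU=Groups,DC=example,DC=test
objectClass: group
member: CN=nuser,OU=Users,DC=example,DC=test

dn: CN=Jamf-Admin,OU=Groups,DC=example,DC=test
objectClass: group
member: CN=tuser,OU=Users,DC=example,DC=test
member: CN=Dept-Admins,OU=Groups,DC=example,DC=test
"""

Entries = Dict[str, Dict[str, List[str]]]


def parse_ldif(text: str) -> Entries:
    """Parse minimal LDIF (plain values, no base64) into {dn_lower: {attr_lower: [values]}}."""
    text = re.sub(r"\n ", "", text)  # unfold continuation lines (leading single space)
    entries: Entries = {}
    for record in re.split(r"\n\s*\n", text.strip()):
        dn, attrs = None, {}
        for line in record.splitlines():
            if not line or line.startswith("#"):
                continue
            key, _, value = line.partition(":")
            key, value = key.strip().lower(), value.strip()
            if key == "dn":
                dn = value
            else:
                attrs.setdefault(key, []).append(value)
        if dn:
            entries[dn.lower()] = attrs  # DNs compare case-insensitively
    return entries


def direct_members(entries: Entries, group_dn: str) -> Set[str]:
    """DNs listed in the group's own `member` attribute."""
    return {m.lower() for m in entries.get(group_dn.lower(), {}).get("member", [])}


def effective_members(entries: Entries, group_dn: str, seen: Set[str] = None) -> Set[str]:
    """Members including those reached through nested groups (cycle-safe)."""
    seen = set() if seen is None else seen
    result: Set[str] = set()
    for m in direct_members(entries, group_dn):
        if m in seen:
            continue
        seen.add(m)
        result.add(m)
        classes = [c.lower() for c in entries.get(m, {}).get("objectclass", [])]
        if "group" in classes:
            result |= effective_members(entries, m, seen)
    return result


def check_access(entries: Entries, user_dn: str, group_dn: str) -> Dict[str, bool]:
    """Run the same three lookups an admin does by hand: user, group, membership."""
    user = entries.get(user_dn.lower())
    member_of = {g.lower() for g in (user or {}).get("memberof", [])}
    return {
        "user_found": user is not None,
        "group_found": group_dn.lower() in entries,
        "in_memberof": group_dn.lower() in member_of,
        "direct_member": user_dn.lower() in direct_members(entries, group_dn),
        "nested_member": user_dn.lower() in effective_members(entries, group_dn),
    }


def diagnose(result: Dict[str, bool]) -> str:
    """One-line verdict suitable for a help-desk note."""
    if not result["user_found"]:
        return "user not found"
    if not result["group_found"]:
        return "group not found"
    if result["direct_member"]:
        return "direct member"
    if result["nested_member"]:
        return "member only through a nested group"
    return "not a member"


if __name__ == "__main__":
    entries = parse_ldif(SAMPLE_LDIF)
    group = "CN=Jamf-Admin,OU=Groups,DC=example,DC=test"
    for user in ("tuser", "nuser", "ghost"):
        dn = f"CN={user},OU=Users,DC=example,DC=test"
        print(f"{user:6} -> {diagnose(check_access(entries, dn, group))}")
```

A lookup that relies on `memberOf` sees `tuser` but not `nuser`, while resolving `member` recursively sees both; when a console's test lookup and its login check disagree, that difference is the first thing worth confirming. Both `member` and `memberOf` also omit a user's primary group (`primaryGroupID`), so a user whose only link to the group is primary-group membership looks absent to either attribute.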

mwolf423
New Contributor II

I actually just dealt with a similar issue. If you have SSO enabled, and the user accounts have AD credentials tied to their SSO account, you can try using https://your.jss.com:8443/?failover

That will work if the SSO account has access, but you do not want to log in to your SSO page.

If you want just standard LDAP/Jamf Pro users to log in, be sure the "Allow bypass for all users" setting is checked. Otherwise you will only be allowed to sign in via SSO credentials.

Taylor_Armstron
Valued Contributor

Thanks - familiar with the failover URL, that's where I'm currently testing and getting the error. I guess including SSO in the description was a bit misleading, since after getting our first few actual users showing errors, I've fallen back to a test AD account logging in with standard user/pass on the failover page. FWIW, the failover URL works fine with my own account when I test, but not with the test account (which is in the AD group I've added).

What I'm ultimately after is the ability to create a "Jamf-Admin" AD group for each department, restrict the permissions to site/role levels, but then have each department manage the users by simply adding/removing them from the AD group. That's more or less the admin model we have for most other services, so I'm just trying not to reinvent the wheel.