Posted on 09-28-2022 05:32 AM
Hello Jamf Nation
We are using Okta as SSO and LDAP directory. It's working fine for authentication on the prestage pane, but I'm unable to pre-fill a user account during setup assistant. The fields are always empty (and not locked), no matter what kind of authentication I try to use in Prestage Pane (LDAP or SSO).
I've tried with the "Device owner's details" and Custom, using $FULLNAME and $EMAIL as variables, but it's not working either.
When I test the LDAP, all the mappings seem correct.
Is there a place where I could find logs or anything that could help me see why the account is not filling?
Thanks for your help!
Posted on 09-28-2022 12:29 PM
I just tested this scenario out, using SSO - I have a prestage with the following settings and with default information the SSO customization, I get the Full name and my account name locked in the setup assistant, I just have to put in the password. The only caveat here is that it's using my UPN for my account name....yay Azure. It sounds like you may want to reach out to customer success to go over the workflow you have going on to be sure something isn't broken.
Posted on 09-28-2022 12:55 PM
Thanks for testing! I'm pretty sure it's a little something I forgot somewhere. A checkbox or an incorrect LDAP mapping. That's why I'm looking for logs that could show me something like "unknown parameter" or "bad request" or anything useful.
I have opened a case about this to get more insights.
Posted on 09-29-2022 06:17 AM
I got an answer from support which explains everything, so here it is, in case it could help someone else:
This issue is related to PI104093: In environments that integrate with an identity provider (IdP) to enable single sign-on (SSO) during enrollment with Jamf Pro via a PreStage enrollment but do not have an LDAP server set up, Jamf Pro does not pre-fill the Full Name of a user if the PreStage was configured to pre-fill the account information with the device owner's details.
But in my case, it's a little different:
The issue only happens if the user account is explicitly defined in the Jamf Pro server under Users and Groups. If a user has SSO enabled and access is regulated with a GROUP MEMBERSHIP attribute coming in via the SAML token, the inventory record fills in just fine.
I had my SSO username set up explicitly in the Jamf Users & Groups. As soon as I removed that account from the users, the account details filled without problem.
Posted on 10-04-2022 04:36 PM
Thanks so much for posting this! I have the same setup and was having the same issue. Thanks much!