SSO configuration

The macOS kerberos SSO extension is only for on premise Active Directory. https://support.apple.com/en-gb/guide/deployment-reference-macos/apdac83c038d/web

I have just got my org setup to use kerberos SSO entension, setup for us by APS (Apple Professonal Services). We did this to move away from local mobile accounts. You have to use standard local accounts with kerberos SSO extension, otherwise you will get issues syncing (wont work at all) when you reset the network password. I would never have been able to set this up without APS, they give you 2 full days of their time for the cost of the service.

If you are using Ping, you probably want to look at Jamf Connect instead. Jamf Connect works with cloud-based identity providers.

Has anyone got this to work with Azure AD?

Currently, I have this Kerberos SSO account sync working from an On-Prem AD which only connects/syncs when connected via VPN on Internal Network.

I was thinking would there be a way to have this work on Azure AD (Internet Only connection/no VPN) by spinning up say a LDAPS Read-Only DC via Azure Domain Services? Also, would by doing this expose my RODC server or is there a way I can only have Jamf enrolled machines reach this Azure AD LDAPS RODC on the cloud?

I know Jamf Connect can be a solution but for just this single feature, it is not enough to purchase it for the large number of devices we have. I am already using a Jamf Infrastructure Manager (JIM) server to connect Jamf Cloud to my RODC for enrolment purposes requiring on-prem AD authentication for the account/enrolment purpose.

Something along the lines of this https://support.datajar.co.uk/hc/en-us/articles/360020078053-Requirements-for-connecting-Jamf-Pro-to-Azure-AD-over-LDAPS but for kerberos sso