SSO configuration

user-VqnLvuezLM
New Contributor

Hi All,

We are in the process of trying to set up the SSO extension in our environment but I'm running into a couple of issues. We use PingID and mobile accounts right now.

  1. I have gone through and set up the Kerberos payload and successfully receive a Kerberos ticket on the test device. Even with this ticket, I'm directed to the PingID splash screen to enter my network credentials.

  2. On the SSO toggle I'm asked for "Extension identifier" and "Team identifier". Where would I get this info from? I've reached out to PingID but they have not been able to help me.

When configuring the SSO extension, should I be configuring the SSO and Kerberos tab, or just one or the other?

Thanks


sdamiano
Contributor

The macOS Kerberos SSO extension is only for on-premises Active Directory. https://support.apple.com/en-gb/guide/deployment-reference-macos/apdac83c038d/web

geoff_widdowson
Contributor II

I have just got my org set up to use the Kerberos SSO extension, set up for us by APS (Apple Professional Services). We did this to move away from local mobile accounts. You have to use standard local accounts with the Kerberos SSO extension, otherwise you will get issues syncing (won't work at all) when you reset the network password. I would never have been able to set this up without APS; they give you 2 full days of their time for the cost of the service.

Tribruin
Valued Contributor

If you are using Ping, you probably want to look at Jamf Connect instead. Jamf Connect works with cloud-based identity providers.

jeho
New Contributor

Has anyone got this to work with Azure AD?

Currently, I have this Kerberos SSO account sync working from an on-prem AD, which only connects/syncs when connected via VPN or on the internal network.

I was thinking: would there be a way to have this work on Azure AD (Internet-only connection, no VPN) by spinning up, say, an LDAPS read-only DC via Azure Domain Services? Also, would doing this expose my RODC server, or is there a way I can have only Jamf-enrolled machines reach this Azure AD LDAPS RODC in the cloud?

I know Jamf Connect can be a solution, but for just this single feature it is not worth purchasing for the large number of devices we have. I am already using a Jamf Infrastructure Manager (JIM) server to connect Jamf Cloud to my RODC for enrolment purposes, where on-prem AD authentication is required for the account/enrolment step.

Something along the lines of this, https://support.datajar.co.uk/hc/en-us/articles/360020078053-Requirements-for-connecting-Jamf-Pro-to-Azure-AD-over-LDAPS, but for Kerberos SSO.