SSO Settings
Posted on 11-06-2023 08:11 AM
Hi everyone,
We're looking to harden our Jamf Pro environment and have a few questions before we proceed. Right now we have SSO turned on and pointing towards our IdP and it works fine. However in the Options section of Single Sign-On we have the following:
- Allow users to bypass the Single Sign-On authentication TICKED
  I'm looking to turn this off, my question is will our break glass non-directory user account work still at the Failover URL we have generated?
- Enable Single Sign-On for Self Service for macOS TICKED
  Leave this as-is
- Enable Single Sign-On for User Authentication during Enrollment UNTICKED
  I'm looking to turn this on - will this redirect users to our IdP login page when they enrol a Zero Touch device?
- Enable Single Sign-On for Account-Driven Enrollment UNTICKED
  Also looking to turn this on, but it sounds a lot like the option above so my question is what is the difference?
Once we have made the above changes, there's one more thing I'm looking to change if possible - in Enrollment customization we have one configured for our IdP, I'm wondering if we enable the last 2 options in Single Sign-On can we remove this?
Thanks in advance for any responses!

Posted on 11-07-2023 11:20 AM
- Allow users to bypass the Single Sign-On authentication - Disable this, it is a bypass to SSO. You would still need a local account in JAMF to take advantage of this bypass.
- Enable Single Sign-On for Self Service for macOS - This just impacts SS, use as you wish. It's broken in our environment... So, I have it disabled, apparently some known product issue.
- Enable Single Sign-On for User Authentication during Enrollment - a good idea to enable this one to allow users to use IDP credentials to enroll devices.
- Enable Single Sign-On for Account-Driven Enrollment - Really only matters for BYOD, if you use this workflow it's a good idea to enable
Your question: Each of these check boxes is for a different thing, and they are not related to each other. If you use the function, you want the box checked.
Posted on 11-07-2023 12:44 PM
Thanks @AJPinto - some good advice there. I am definitely looking to turn off the bypass option as a priority.
