In our environment I added the LDAP groups directly to Jamf as groups, and when a user logs in via SSO (as in, redirected to our IdP, and then the IdP returns the response back to the SP, Jamf) they are logged in using their Active Directory username. The groups that this username is a part of are already added to Jamf, and permissions are assigned to the groups themselves, not to the users one by one. I'm sorry I had to black out so much, but basically these are all LDAP groups (as you see on the right), and after the user utilizes SSO, they are assigned permissions based on their membership in these groups (which is defined in Active Directory, not Jamf).
FWIW, that is exactly what we tried to do, and failed. When I opened a support ticket, I was told that SSO would not perform group lookups, and the ticket was closed.
Now... the one additional wrinkle that we have is that we're using SSO via smart cards. Maybe that's part of the issue we had. Username/pass logins worked fine, but not when we used our smart cards (CAC/PIV).
I was able to get this working yesterday, following the documentation here: https://www.jamf.com/jamf-nation/articles/436/configuring-single-sign-on-with-active-directory-federation-services
Here's the setup:
At this point, users who are in the JSS Admins group in AD can log in with their AD credentials. They don't need to be added explicitly as a Jamf Pro user.
At this point:
To get SSO group mapping working:
To find the proper value for the above:
Once I had this in place, I could log into the JSS as a user who is not a Jamf user but who is an AD user in the JSS Admins group.
I believe this only works because you're using AD for your SSO provider, so it's passing group information with the SSO login (so Jamf is seeing that group name, looking at the group list it has assigned, then looking up members of that group to match the user logging in). If you use a separate SSO provider (say, Shibboleth) you may not have that group info present. Jamf doesn't appear to be smart enough to grab that user, check users and groups, see that the user is missing, then query LDAP/AD for the user's group membership, and allow login based on that...
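To make the mechanism the previous posts describe concrete, here is an added example (not Jamf's code, and not from anyone in this thread) of the SP-side logic: parse the SAML assertion the IdP returns, pull the group attribute values out of the AttributeStatement, and match them against a group-to-privilege mapping configured on the SP. The assertions are constructed samples, the username `jdoe` and the `GROUP_PRIVILEGES` mapping are invented for illustration, and the group attribute name is assumed to be the common ADFS default claim URI. The second sample shows the failure mode the last post points at: an IdP that does not include a group attribute yields an assertion with a valid NameID but no groups, so a membership-based mapping denies the login even though the user is in the right AD group. Signature, audience and validity-window checks are deliberately out of scope here; a real SP must do them before trusting any attribute.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Assumption: the IdP sends group membership under the default ADFS group claim URI.
GROUP_ATTR = "http://schemas.xmlsoap.org/claims/Group"

# Hypothetical SP-side mapping: group name exactly as it appears in the assertion
# -> privilege set. Stands in for the groups/permissions configured in Jamf.
GROUP_PRIVILEGES = {
    "JSS Admins": {"read", "write", "admin"},
    "Helpdesk": {"read"},
}

# Constructed sample assertion (not a real capture): an ADFS-style response that
# carries the user's AD groups alongside the NameID.
RESPONSE_WITH_GROUPS = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion>
    <saml:Subject><saml:NameID>jdoe</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="http://schemas.xmlsoap.org/claims/Group">
        <saml:AttributeValue>Domain Users</saml:AttributeValue>
        <saml:AttributeValue>JSS Admins</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

# Constructed sample from an IdP that does not release group claims: the user is
# identified, but the SP has nothing to match against its mapped groups.
RESPONSE_WITHOUT_GROUPS = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion>
    <saml:Subject><saml:NameID>jdoe</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="urn:oid:0.9.2342.19200300.100.1.3">
        <saml:AttributeValue>jdoe@example.test</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def parse_assertion(xml_text):
    """Return (username, [group, ...]) from the assertion's NameID and group attribute.

    Signature/audience/validity verification is intentionally omitted; this only
    demonstrates attribute extraction.
    """
    root = ET.fromstring(xml_text)
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    username = name_id.text.strip() if name_id is not None and name_id.text else None

    groups = []
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") != GROUP_ATTR:
            continue
        for value in attr.findall("saml:AttributeValue", NS):
            if value.text and value.text.strip():
                groups.append(value.text.strip())
    return username, groups


def resolve_privileges(groups, mapping=GROUP_PRIVILEGES):
    """Union the privileges of every asserted group that the SP has mapped."""
    privileges = set()
    for group in groups:
        privileges |= mapping.get(group, set())
    return privileges


def authorize(xml_text, mapping=GROUP_PRIVILEGES):
    """Decide login purely from asserted group membership, as the thread describes."""
    username, groups = parse_assertion(xml_text)
    if username is None:
        return {"allowed": False, "reason": "no NameID in assertion"}
    privileges = resolve_privileges(groups, mapping)
    if not privileges:
        # No asserted group matches a mapped group: nothing to grant. The SP does
        # not go back to LDAP to look the user's groups up itself.
        return {"allowed": False, "username": username, "reason": "no mapped group asserted"}
    return {
        "allowed": True,
        "username": username,
        "groups": groups,
        "privileges": sorted(privileges),
    }


if __name__ == "__main__":
    print(authorize(RESPONSE_WITH_GROUPS))
    print(authorize(RESPONSE_WITHOUT_GROUPS))
```

Running the block prints an allowed decision with `admin`, `read` and `write` for the first sample and a denial for the second. Note that matching is on the exact group name string; if the IdP emits groups in a different form (for example as distinguished names or SIDs) than the SP has configured, the lookup fails the same way as when no group attribute is sent at all.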