SSO with simpleSAMLphp

ChrisSVCarter
New Contributor II

Has anybody tried to get SSO to work with the JSS with a simpleSAMLphp IDP?

We're using the latter here and we've got it working with individual LDAP users that are in the JSS but it doesn't work with users who are members of LDAP groups but direct users themselves. That's a bit frustrating as we want to use it for User-Initiated Enrolment which only works with group membership.

Using SAML tracers it looks like our group attribute mappings are working OK when looking at the instructions provided by JAMF but it's still not working. I've got a case open with JAMF Support who I think are also scratching their heads, so thought I'd see if anyone else has tried this?

Cheers,

Chris

2 REPLIES

gachowski
Valued Contributor II

@ChrisSVCarter

Did you ever get this figured out? We are seeing the same issue. We are using Duo as our SSO.

C

ChrisSVCarter
New Contributor II

We did. The issue was the strange way in which the JSS handles authentication when using SSO compared to when you're not using SSO. With SSO enabled, it authenticates the users against the JSS, so if the JSS does not know of the user or they do not have enrolment privileges, it will give Access Denied. We therefore had to add an LDAP group containing all of our users with basic enrolment rights to the JSS (this isn't necessary without SSO). This is in addition to giving them access via the User Initiated Enrolment settings.

Chris