Jamf Pro offers a pretty seamless SSO integration with G Suite, but when it comes to granting access based on groups instead of single user accounts there are a few gotchas that need to be taken into consideration, and we'll look into those in this article.

By default, G Suite is NOT passing user group membership attributes in the SAML message. This means that no attributes pertaining to the user's group membership are sent over.

As a prerequisite, before we move forward let's make sure that in Jamf Pro we have already configured SSO with G Suite as a SAML 2.0 Identity Provider as per this KB: Configuring Single Sign-On with G Suite

Let's start by logging in to the G Suite account with an Admin user:

Then we head to Users > More > Manage Custom Attributes

And in there we select ADD CUSTOM ATTRIBUTE

Category: the category in which you would like the custom extension attribute to be listed (in the below example we created a new one)

Name: enter the label you want to display on the user's account page – in the example we used

Then click on the SAML app we created, and in there click on Attribute Mapping > ADD NEW MAPPING

In the "Enter the application attribute" field we can pretty much insert anything we'd like. By default Jamf Pro uses a URL like the below

We can either provide this or customize it. The important part here is that whatever we provide here will need to be matched exactly in Jamf Pro in the IDENTITY PROVIDER GROUP ATTRIBUTE NAME in the SSO configuration (we'll review this later). I'll change this and call my attribute "IT-jamf-admins".

Select a category: we can either select the same category as the one we assigned to the custom attribute or choose a different category (like Employee Details, for example).

Select user field: if we used the category of the custom attribute we created, we should have our custom name here. If we selected "Employee Details" as a category we'll have some options here; we could map, for example, to the Department field.

A couple of screenshots as an example of what this setup could look like:

Let's not forget to SAVE after we're done here!

Now we're ready to tie our user and its group membership to the custom attribute we created. This is what will make G Suite send this custom attribute in the SAML message.

Let's go to Users > "my_test_user" > User information. Once we click on User information we can scroll down to the bottom, and there we should see the custom attribute we created before, called Jamf custom attribute. In there we will add the G Suite group that we want to be passed in the SAML message; in my example the LDAP group I want to grant access to Jamf Pro based on is called "IT-administrators".

Ok, we're almost done now; we just need to configure Jamf Pro to "read" the values we're passing in the SAML message according to our new setup. Let's go to Jamf Pro > Settings > System Settings > Single Sign-On and populate the IDENTITY PROVIDER GROUP ATTRIBUTE NAME with the following: IT-administrators

Next, let's double-check that Jamf Pro can look up that group. In my example, as I have a Cloud LDAP, I'll go there and test a lookup from Jamf Pro to G Suite for the "IT-administrators" group.

As I didn't have this group imported in Jamf Pro yet, I'll now go ahead and add it, but if you already have LDAP groups in Jamf Pro this step can be skipped: in Jamf Pro > Jamf Pro User Accounts & Groups > New

We're now ready to test the login to Jamf Pro using G Suite as SSO, and we will grant access based on the user's group membership. We can go to our Jamf Pro webpage and authenticate via SSO now, without the need to import every single user into Jamf Pro.

We are trying to fine tune our SSO experience on our macOS devices. Our JAMF Connect application is working fine but we are unable to get SSO working for Safari/Chrome/Edge etc. We have installed the Microsoft Company Portal app on our test device and deployed a Single Sign-On configuration profile to the test device and configured it as per Microsoft documentation in the above link. We are not sure if the required custom configuration is applying correctly as the documentation states we need to add the following key pairs for it to work. We have done a test on a Mac which is Intune enrolled only and have used Intune to deploy the Single Sign-On config profile and it works a treat. On our JAMF enrolled device we still get prompted for a username and password. Opening Safari and going to automatically shows the user signed in and we can simply click on it to log on.
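To troubleshoot the G Suite to Jamf Pro attribute mapping described in the article above, here is an added example (not part of the original article, nor Jamf's or Google's code) that parses a decoded SAML assertion, checks that the attribute name Jamf Pro is configured to read is present, and checks whether one of its values matches a Jamf Pro group name, using the exact matching the article calls for. The assertion XML is constructed from the article's example names, and the function names are my own.

```python
import xml.etree.ElementTree as ET

# Namespace prefix used for SAML 2.0 assertion elements.
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample (not a real capture): the AttributeStatement G Suite
# emits once the custom attribute is mapped to the application attribute
# "IT-jamf-admins" and set to "IT-administrators" on the test user.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="IT-jamf-admins">
      <saml:AttributeValue>IT-administrators</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def saml_attributes(assertion_xml):
    """Return {attribute name: [values]} from the assertion's AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
        attrs[attr.get("Name")] = values
    return attrs


def check_group_mapping(assertion_xml, jamf_group_attribute_name, jamf_groups):
    """Report whether Jamf Pro would find a matching group in this assertion.

    jamf_group_attribute_name: the IDENTITY PROVIDER GROUP ATTRIBUTE NAME set in
    Jamf Pro > Settings > System Settings > Single Sign-On.
    jamf_groups: LDAP group names that exist under Jamf Pro User Accounts & Groups.
    Both comparisons are exact (case and spelling), so a typo shows up here
    instead of as a silent "no access" at login.
    """
    attrs = saml_attributes(assertion_xml)
    if jamf_group_attribute_name not in attrs:
        return {"ok": False, "reason": "attribute %r not in assertion; sent: %s"
                % (jamf_group_attribute_name, sorted(attrs))}
    sent = attrs[jamf_group_attribute_name]
    matched = [g for g in sent if g in jamf_groups]
    if not matched:
        return {"ok": False, "reason": "no sent value %s matches a Jamf Pro group" % sent}
    return {"ok": True, "groups": matched}
```

Paste the decoded assertion from a SAML tracer into `SAMPLE_ASSERTION` to check a real login; the two failing cases (wrong attribute name, group name differing only in case) are the mismatches the article warns about.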