Let’s talk about Azure AD attributes and group claims, both for Single Sign-On and for scoping based on the Azure AD integration (Cloud Identity Provider).
Let’s start with Single Sign-On, which we configure as per: https://docs.microsoft.com/en-gb/azure/active-directory/saas-apps/jamfprosamlconnector-tutorial
The first thing I’d like to kick this post off with, looking at that article, is defining the group claim in JPRO. The article mentions the claim to use is:
That’s perfectly fine, but by default the group claim may not be defined in the Azure App for JPRO (or a new app you create):
If that’s the case, you need to add the group claim first:
Important here is the Source Attribute you select for the Group Claim. By default it’s set to Group ID. However, leaving it like this results in a SAML message which contains the long ID strings of the group, instead of the human readable group name:
If you do leave it like this, you’ll need to use the same syntax for the groups you add to JPRO (see below for which functionality adding a group to JPRO is needed):
I’d recommend changing the Source Attribute to sAMAccountName, which results in passing the actual group names in the SAML message:
Once you have the group claim added to the SAML config in Azure, you can add it to the SSO settings in JPRO:
As you can see, you need to define the exact and complete claim, which by default is in the syntax of a URL: http://schemas.microsoft.com/ws/2008/06/identity/claims/groups
Now, as you may have noticed in one of my earlier screenshots, I had a claim in the list named ‘Something’. Just a single word, and not like the URL for the group claim above. This is perfectly possible as long as you define it like that in both Azure and JPRO, but for now I’ll just keep things a bit default and leave the group claim as is.
With SSO configured in JPRO, we can leverage SSO for three things:
- Enrolment (User Initiated Enrollment)
- JPRO webapp (GUI) access
- Self Service
Let’s start with enrolment and Self Service. For this NO account is needed in JPRO Settings -> JPRO Users and Groups. The only thing which is needed is to enable those features in the Single Sign-On Options for Jamf Pro (SSO settings):
For both enrolment and access to Self Service, the end users need to be assigned to the JPRO app in Azure:
Without assigning the end users you’ll end up with error AADSTS50105.
AADSTS50105: Your administrator has configured the application Jamf Pro ('65e3187b-REDACTED-0de9249814f5') to block users unless they are specifically granted ('assigned') access to the application. The signed in user '[email protected]' is blocked because they are not a direct member of a group with access, nor had access directly assigned by an administrator.
For enrolment you can further restrict access in JPRO by selecting Any identity provider user or specifying Only this group.
For Self Service, any user assigned to the JPRO app in Azure gets access to log in.
Now, for JPRO GUI access, we need more. We need to add either a group or a user to JPRO Settings -> JPRO Users and Groups and define the level of access and privileges!
You can either add the user directly or, because we added the group claim to the SAML token, add a group the users which require GUI access are a member of. If you opt for a group, make sure you add the groups exactly as they are passed in the SAML token, readable name or ID… see what I mentioned above.
A standard user/group is enough, but if you also have an LDAP or Cloud Identity Provider integration enabled in JPRO, you can define it as an LDAP user/group. The logic JPRO uses for LDAP or Cloud iDP is basically the same; however, when defining a user/group as ‘LDAP’ an additional lookup to either the LDAP server or the iDP will be done during authentication. If you are using legacy LDAP instead of Cloud iDP, this may not be preferred in view of limiting the amount of LDAP calls JPRO does. I’d suggest going with standard accounts in JPRO Users and Groups, or even better, a standard group so you don’t need to define a password for the accounts in JPRO (passwords in JPRO which aren’t going to be checked anyway via SSO).
Now, just like the group claim, which you can define as Group ID, sAMAccountName, … the username in Azure can be mapped to different things. By default the Name ID, or Unique User Identifier, is mapped to user.userprincipalname:
Name ID or Unique User Identifier is what’s, by default, used to identify the user in a SAML message unless you change the mapping in JPRO to a custom attribute:
If you want to identify the user account by another attribute, you either define the Custom Attribute (as available in the Azure Claims you configured, so either URL syntax or a shorter claim name as mentioned above), or you change the mapping for Name ID / Unique User Identifier in Azure.
For example, use Something as the attribute like below,…
or change the Name ID like I changed it to onpremisessamaccountname here:
Regardless of which method you choose, when adding users in JPRO => Settings => Jamf Pro Users and Groups, you need to make sure you create them with a username matching the value of the attribute you choose for the Identity Provider User Mapping, as well as setting the JPRO side mapping accordingly to either Username or Email. Everything needs to match up.
Now, let’s go a bit further than just SSO via Azure AD, and add the Cloud Identity Provider integration to the mix, as there are some things to say about the mapping, as well as the group claims.
Previously JPRO only had the possibility to integrate with LDAP. However, since a few versions we can now also integrate directly with Cloud Identity Providers like Google and Azure AD.
Focussing on Azure AD here, the integration is fairly straightforward: https://docs.jamf.com/jamf-pro/documentation/Azure_AD_Integration.html
The default mappings can be found in the article above, but depending on your environment and/or needs you may want to change them. Except for the User Name, which I changed to onpremisessamaccountname, you should by default end up with the ‘default’ setup below:
Now, the reason I changed the username mapping to onpremisessamaccountname was to allow me to define users in JPRO Settings => JPRO Users and Groups in a short and simple way, like ‘Yoda’ instead of ‘[email protected]’ for instance. The same goes for scoping and app assignments to users for that matter. Just a preference or a matter of what you prefer or need to use in your environment.
One thing I’d like to highlight here is the confusion I see now and then regarding the syntax of the attribute we need to define. For example user.onpremisessamaccountname, onpremisessamaccountname or a URL syntax like http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name.
Well, important here is to understand the difference between the settings for SSO in JPRO versus those for the Cloud Identity Provider. In the SSO settings the claims need to be defined exactly as you defined them in Azure in the SSO settings of the JPRO app, matching either the URL syntax or the short name as defined.
For the JPRO Cloud iDP settings however, any attribute which has been made available in your Azure tenant can be used, and the syntax is basically the part after the “user.” when you compare it to the SSO claims source attribute. For example the default onpremisessamaccountname or a custom attribute like sAMAccountName which I provisioned from my on-prem AD for other testing (instead of using the default onpremisessamaccountname):
To ensure the configuration works as expected, consider the following:
- The values for the User ID mapping must support the $filter parameter in Azure AD.
- The value for the Group ID mapping defaults to “id” and cannot be changed.
The last thing I’d like to talk about here are the ‘Transitive’ options available in the Cloud iDP settings.
The first one I want to highlight is the one for membership lookups. This purely impacts the LDAP-style lookups:
If your Azure AD holds nested user groups, it’s important to enable this in order to make sure that all groups a user is a member of, directly or indirectly, are returned in the lookup response.
IMPORTANT: JPRO currently limits the max number of groups to 150! However, there is a custom knob which can be enabled in the JPRO database to increase that limit. For this I suggest talking to Jamf Support to discuss it.
The other one, Transitive groups for SSO, is a bit special. At the beginning of this post I discussed the group claims passed in a SAML token. If we only have SSO enabled, or SSO and legacy LDAP for that matter, the group membership is based on the groups which are returned in the SAML message, like:
JPRO then matches that with the groups in JPRO => Settings => JPRO Users and Groups. As long as the mapping and value match and the group claim is enabled, all is good, and if a match is found access is granted (JPRO GUI).
However, Azure AD is also limiting the max number of groups in a SAML token to 150 groups (https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-fed-group-claims).
This could potentially be problematic for environments where users are a member of more than 150 (nested) groups. Now, from the Azure side, there’s no possibility to lift or increase that limit, but luckily JPRO has a little trick up its sleeve to work around that: Transitive groups for SSO.
When you enable Transitive groups for SSO, the group claim in the SAML token is actually ignored. Instead, every time a user authenticates to JPRO via SSO, JPRO will do a lookup via the Cloud iDP integration, fetch all the groups the user is a member of from there, and match them with the groups defined in JPRO => JPRO Settings => JPRO Users and Groups to calculate access and privileges.
This affects the privileges granted to the account. So make sure you validate the level of privileges the user should get as an end result in view of multiple groups with different privileges.
Now, while SAML may be limited to 150 groups, enabling Transitive groups for SSO may provide a workaround for this, provided you enable the custom knob to increase the current default JPRO limit of 150 groups for Cloud iDP lookups. As said, instead of using the group claim JPRO does a lookup to the iDP, and if you need more than 150 groups to be returned (in the current JPRO version), have a chat with Jamf Support to see if this can be enabled.
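To make the matching described above concrete (group claim values versus JPRO group names, and the Transitive groups for SSO behaviour), here is an added Python example of my own; it is not Jamf’s code and not taken from the Microsoft article. It parses a constructed SAML assertion, reads the Name ID and the groups claim by its full URI, and resolves privileges either from the claim values or, when transitive SSO is on, from a constructed stand-in for the Cloud iDP lookup; the JPRO group/privilege table is equally a hypothetical stand-in.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
GROUP_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"

# Constructed sample assertion (not a real Azure AD token, signature omitted):
# Name ID carries onpremisessamaccountname, the group claim carries sAMAccountName values.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>yoda</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups">
      <saml:AttributeValue>JPRO-Admins</saml:AttributeValue>
      <saml:AttributeValue>Helpdesk</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Hypothetical JPRO "Users and Groups" table: standard group name -> privilege set.
JPRO_GROUPS = {"JPRO-Admins": {"full-admin"}, "Helpdesk": {"enrollment"}, "Auditors": {"read-only"}}

# Hypothetical Cloud iDP transitive-membership lookup, keyed by the mapped username
# (the nested group "Auditors" only shows up here, not in the SAML claim).
IDP_TRANSITIVE = {"yoda": ["JPRO-Admins", "Helpdesk", "Auditors"]}

def parse_assertion(xml_text):
    """Return (name_id, group values); groups is [] when the claim is absent."""
    root = ET.fromstring(xml_text)
    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=SAML_NS)
    groups = []
    for attr in root.iterfind("saml:AttributeStatement/saml:Attribute", SAML_NS):
        if attr.get("Name") == GROUP_CLAIM:  # must equal the full URI exactly as configured
            groups = [v.text for v in attr.iterfind("saml:AttributeValue", SAML_NS)]
    return name_id, groups

def resolve_privileges(xml_text, transitive_sso=False):
    """Match the user's groups against JPRO groups and union their privileges."""
    name_id, claim_groups = parse_assertion(xml_text)
    # With "Transitive groups for SSO" the SAML group claim is ignored and the
    # Cloud iDP lookup (nested membership, not subject to the SAML 150 cap) is used.
    groups = IDP_TRANSITIVE.get(name_id, []) if transitive_sso else claim_groups
    matched = [g for g in groups if g in JPRO_GROUPS]  # exact value match: name vs ID matters
    privileges = set().union(*(JPRO_GROUPS[g] for g in matched))
    return name_id, sorted(matched), sorted(privileges)

if __name__ == "__main__":
    print(resolve_privileges(SAMPLE_ASSERTION))
    print(resolve_privileges(SAMPLE_ASSERTION, transitive_sso=True))
```

Swapping a group name in the sample for a Group ID string shows the mismatch from the Source Attribute section: that group simply no longer matches and its privileges are not granted.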
My screenshot below is an example of how this all fits together, based on usernames defined by onpremisessamaccountname, but as said, other attributes can be used. In this example I pass the Name ID (or Unique User Identifier) value based on onpremisessamaccountname in SAML for SSO, I map it to ‘username’ (not email), and for Cloud iDP lookups I make sure to map the username to the same attribute, both for the username in general and for the one used for Transitive lookups:
Works like a charm!
Now, before I wrap this all up, there’s one more thing I’d like to call out here. In my explanation above I mentioned that for enrollment via SSO (User Initiated Enrollment), you do NOT need to configure any accounts or groups in JPRO => JPRO Settings => JPRO Users and Groups, and that you only need to:
- assign users to the JPRO app in Azure
- enable SSO for enrollment in the JPRO SSO settings
- define whether you want to allow ‘Any identity provider user’ (well, in practice this is any assigned identity provider user, but OK) or ‘Only this group’
This is correct, but if you only do this, any end user authenticating via SSO to enrol a device will automatically be assigned to the device in the User and Location section of the inventory. They will not be prompted to choose which username to assign to the device.
This is fine in normal User Initiated Enrollment workflows, where it’s the actual end user who enrols the device. However, some organisations have other workflows in place where company admins or ICT teams are actually doing the enrollment for the end user, prior to delivering the device to the end user. In such a workflow, not being able to assign a user during User Initiated Enrollment with SSO may not be handy, as the device then needs to be manually assigned via the User and Location section of the inventory after enrollment. In workflows where profiles are pushed which rely on usernames or other variables from the inventory, this can be problematic, as JPRO would push out the profile before the manual user assignment was done.
In this scenario, the way to allow admins or ICT team members to enrol devices for end users via SSO and UIE is to create a standard user group (or user) in JPRO settings => JPRO Users and Groups, and set it to ‘enrollment’ or any custom privilege set you require. Full admin if needed.
Doing so will allow those team members to assign the device to the end user:
Provided, of course, that everything I mentioned in this post regarding the mappings, group claims and attributes matches.
That’s it! I hope this clarifies a few things and helps you connect the dots of how JPRO links all this together.
As always, if you liked the post, hit the like button, tell your friends about it and leave a comment down below!
Apple ecosystem enthusiast, geek, tech gadget freak, Belgian living in the Netherlands
Product Specialist | Jamf