Jamf Pro offers a pretty seamless SSO integration with G Suite, but when it comes to granting access based on Groups instead of single User accounts there are a few gotchas that need to be taken into consideration, and we'll look into those in this article.

By default, G Suite is NOT passing user group membership attributes into the SAML message; this means that no attributes pertaining to the user's group membership are sent over.

As a prerequisite, before we move forward let's make sure we have already configured SSO in Jamf Pro with G Suite as the SAML 2.0 Identity Provider, as per this KB: Configuring Single Sign-On with G Suite

Let's start by logging in to the G Suite account with an Admin user.

Then we head to Users > More > Manage Custom Attributes, and in there we select ADD CUSTOM ATTRIBUTE:

Category: the category in which you would like the custom attribute to be listed (in the below example we created a new one)
Name: enter the label you want to display on the user's account page (in the example we used “Jamf custom attribute”)

Then click on the SAML app we created; in there we can click on Attribute Mapping > ADD NEW MAPPING.

In the “Enter the application attribute” field we can pretty much insert anything we'd like. The important part here is that whatever we provide here will need to be matched exactly in Jamf Pro in the IDENTITY PROVIDER GROUP ATTRIBUTE NAME field of the SSO configuration (we'll review this later).

By default Jamf Pro uses a URL like the below. We can either provide this or customize it. I'll change this and will call my Attribute “IT-jamf-admins”.

Select a category: we can either select the same category as the one we assigned to the custom attribute or choose a different category (like Employee Details, for example).

Select user field: if we used the Category of the custom attribute we created, we should have here our custom name. If we selected “Employee Details” as a category we'll have here some other options; we could map, for example, to the Department field.

Let's not forget to SAVE after we're done here!

A couple of screenshots as an example of what this setup could look like:

This is what will make G Suite send this custom Attribute in the SAML message.

Now we're ready to tie up our user and its group membership to the custom attribute we created. Let's go to Users > “my_test_user” > User information. Once we click on User Information we can scroll down to the bottom, and there we should see the custom attribute we created before, called Jamf custom attribute. In there we will add the G Suite group that we want to be passed in the SAML message; in my example the LDAP group I want to grant access to Jamf Pro based on is called “IT-administrators”.

Ok, we're almost done now and we just need to configure Jamf Pro to “read” the values we're passing in the SAML message according to our new setup.

Let's go to Jamf Pro > Settings > System Settings > Single Sign-On and populate the IDENTITY PROVIDER GROUP ATTRIBUTE NAME with the following: IT-administrators

Next, let's double-check Jamf Pro can look up that group. As I didn't have this group imported in Jamf Pro yet, I'll now go ahead and add it, but if you already have LDAP groups in Jamf Pro this step can be skipped: In Jamf Pro > Jamf Pro User Accounts & Groups > New. In my example, as I have a Cloud LDAP, I'll go there and test a lookup from Jamf Pro to G Suite for the “IT-administrators” group.

We're now ready to test the login to Jamf Pro using G Suite as SSO, and access will be granted based on the user's group membership. We can go to our Jamf Pro webpage and authenticate now via SSO without the need to import every single user into Jamf Pro.

Example of Cloudwork Setup Single Sign On with Jamf Pro

Navigate to Single Sign On > Add New Service > Custom SAML Service.

Entity ID:
If using Jamf OnPremise, use for Entity ID:
If using Jamfcloud hosted server, use for Entity ID:

ACS:
If using Jamf OnPremise, use for ACS:
If using Jamfcloud hosted server, use for ACS:

Login URL:
If using Jamf OnPremise, use for Login URL:
If using Jamfcloud hosted server, use for Login URL:

NameID Format = select from the drop down urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
NameID Value = from the drop down select Email
Single Logout Service = leave blank

Under XML File click download and save the file.

In Jamf Pro, under System Settings click on Single Sign On. In the bottom left corner click Edit and turn on Single Sign-On Authentication.

Identity Provider = Other
Other Provider = enter Cloudwork
Entity ID:
XML file:
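To make the exact-match requirement from the G Suite mapping step concrete, here is an added example (not part of the original post, and not Jamf's or Google's code) that parses a constructed, trimmed SAML assertion the way the service provider side has to: it reads only the attribute whose Name equals the configured IDENTITY PROVIDER GROUP ATTRIBUTE NAME, then keeps the values that are also LDAP groups known to Jamf Pro. The attribute name “IT-jamf-admins” and the group “IT-administrators” come from the walkthrough above; the user email and the Jamf group list are assumed.

```python
import xml.etree.ElementTree as ET

# Standard SAML 2.0 assertion namespace.
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: only the Subject and AttributeStatement of what the
# IdP would send (Response wrapper, signature and conditions omitted).
# The NameID carries the email; the custom attribute carries the group name.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">my_test_user@example.com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="IT-jamf-admins">
      <saml:AttributeValue>IT-administrators</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def subject_email(assertion_xml):
    """Return the NameID (the email address G Suite is configured to send)."""
    root = ET.fromstring(assertion_xml)
    name_id = root.find("saml:Subject/saml:NameID", NS)
    return name_id.text.strip() if name_id is not None and name_id.text else None


def extract_attribute_values(assertion_xml, attribute_name):
    """Values of the attribute whose Name matches exactly (case-sensitive).

    A name that differs only in case or spelling yields an empty list, which
    is exactly the failure mode when the G Suite mapping and the Jamf Pro
    IDENTITY PROVIDER GROUP ATTRIBUTE NAME do not agree.
    """
    root = ET.fromstring(assertion_xml)
    values = []
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == attribute_name:
            for value in attr.findall("saml:AttributeValue", NS):
                if value.text and value.text.strip():
                    values.append(value.text.strip())
    return values


def allowed_jamf_groups(assertion_xml, group_attribute_name, jamf_groups):
    """Groups sent by the IdP that also exist as LDAP groups in Jamf Pro (assumed list)."""
    sent = set(extract_attribute_values(assertion_xml, group_attribute_name))
    return sorted(sent & set(jamf_groups))
```

If the returned group list is empty, the user authenticates but receives no group-based privileges; comparing the attribute Name in a captured assertion against the Jamf Pro setting is the first thing to check.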