OneLogin and JAMF/Casper Suite SSO Setup

I have a project to implement SSO for hosted JAMF/Casper Suite. First I setup the OneLogin virtual LDAP connection to JAMF. Then I found out there’s no way to mass import users. This was important to me because I wanted users to be able to self enroll with AD credentials. I didn’t want to import every single user individually. The answer? Claims based authentication.

Here’s the JAMF article I used to get the basic SSO setup

With this setup the token passed to JAMF includes the username or email and the group membership. With the setup you need to make sure you set the relative distinguished name to “CN”. That field is this.

img 589fe01b87240

In there make sure to type “CN”.

With the above article complete, you now need to create a STANDARD JAMF/JSS group. I repeat, a standard group.

Just go to the admin panel, click user accounts

img 589fe05e7e6c5

click the “+”

img 589fe075baeef

Create a standard group

img 589fe0959d236

In this example I will call mine “Domain Admins”

img 589fe0e211ad8

Now the group membership should be passed along, it will match this group. Thus any user that is part of the “Domain Admins” will now be logged in as an administrator into JSS/JAMF.

I quickly found out with this though that my goal of having every AD user enroll their own device into JAMF had one small problem. With the specific article I was passing the user’s group mebmership under the SAML assertion. The issue with that is I needed a matching group on the JAMF side. For some reason I could not pass “Domain Users”.  I changed things up a little bit and just setup a static value to be passed and verified. With this every domain user can enroll into JAMF, however administrators will need to manually log in.


Here are my JSS settings

img 589fe1c9ed230

Then I created a standard group called “Default” with only the enrollment security settings

img 589fe23e5958a

Finally here are my Onelogin Parameters that I passed, notice the static value

img 589fe225ef68e



With the above complete my current and new domain users are able to enroll their devices into JSS/JAMF/Casper Suites.


Leave a comment