Integrating with Cloud Identity Providers

Integrating with Cloud Identity Providers, which is similar to integrating with an LDAP directory service, allows you to do the following:

  • Look up and populate user information from the secure LDAP service for inventory purposes.

  • Add Jamf Pro user accounts or groups from the secure LDAP service.

  • Require users to log in to Self Service or the enrollment portal using their LDAP directory accounts.

  • Require users to log in during mobile device setup using their LDAP directory accounts.

  • Base the scope of remote management tasks on users or groups from the secure LDAP service.

To integrate Jamf Pro with a Cloud Identity Provider you need to provide detailed information about the identity provider and upload a keystore or certificate file.

Jamf Pro allows you to integrate with Google's secure LDAP service, which is part of G Suite Enterprise and Cloud Identity Premium. The service can be used with Jamf Pro for user authentication and group syncing.

Note: Users assigned to Cloud Identity Free or G Suite Basic/Business licenses are not allowed to authenticate in Jamf Pro. When such a user tries to authenticate, the INSUFFICIENT_ACCESS_RIGHTS (50) error code is displayed in Jamf Pro logs. For information on Secure LDAP service error codes, see the following documentation from Google: https://support.google.com/a/answer/9167101

Users assigned Cloud Identity Free or G Suite Basic/Business licenses still appear in user lookup results, and you can add them as Jamf Pro LDAP accounts; they simply cannot authenticate.

Google's secure LDAP service requires a different configuration than standard LDAP servers. For instructions on how to add Jamf Pro as an LDAP client to the secure LDAP service, configure access permissions, and download the generated certificate, see the following documentation from Google: https://support.google.com/cloudidentity/answer/9048516

After you have added Jamf Pro as an LDAP client, you need to generate the .p12 keystore file. For more information, see the Generating the PKCS12 Keystore File When Integrating Google Cloud Identity Provider with Jamf Pro Knowledge Base article.

Adding a Google Identity Provider Instance

  1. Log in to Jamf Pro.

  2. In the top-right corner of the page, click Settings.

  3. Click System Settings.

  4. Click Cloud Identity Providers.

  5. Click New.

  6. Configure the settings on the pane. Consider the following limitations:

    • The display name for the configuration must be unique.

    • The Domain name value automatically populates the Search Base dc values on the User Mappings and User Groups Mapping tabs.

  7. Use the Mappings pane to specify object class and search base data, and map attributes. When configuring the search base, structure the server query in the order that reflects the hierarchical structure of your directory tree to ensure the search returns correct results.

  8. Click Save.

The LDAP server connection configuration is enabled by default. To disable the configuration, use the switch. Disabling the configuration prevents Jamf Pro from querying data from this secure LDAP server. This means you can add a different instance without deleting the current configuration.

You can also configure attribute mappings for your Google secure LDAP service instance using the Jamf Pro API. For more information, see the Configuring Cloud Identity Provider Attribute Mappings Using Jamf Pro API Knowledge Base article.

Saving an LDAP server connection triggers automatic verification of the hostname, port, and domain. The verification process must succeed before the connection is ready to use.

Important: In large environments, the verification process for valid configurations may fail. Ensure the values in the form are correct and try saving the configuration again.

When troubleshooting a failed connection to Google's secure LDAP service, navigate to Reports in your Google Admin console and check the LDAP audit log.
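As a pre-check before saving the connection, the following added example (not Jamf or Google code) builds the Search Base that Jamf Pro derives from the Domain name, explains the result code 50 mentioned above, and confirms that the client certificate and key Google issued can complete a TLS handshake with the LDAPS endpoint. The host ldap.google.com:636, the timeout, and PEM-format cert/key inputs (the pair you convert to the .p12 keystore) are assumptions.

```python
"""Pre-check for a Jamf Pro to Google secure LDAP integration (added example)."""
import socket
import ssl

# Assumed endpoint for Google's secure LDAP service.
GOOGLE_LDAP_HOST = "ldap.google.com"
GOOGLE_LDAP_PORT = 636

# RFC 4511 result codes; 50 is the one shown in Jamf Pro logs when a
# Cloud Identity Free / G Suite Basic/Business user tries to authenticate.
RESULT_CODES = {
    0: "success",
    32: "noSuchObject: check the Search Base on the mapping tabs",
    49: "invalidCredentials",
    50: "INSUFFICIENT_ACCESS_RIGHTS: user license does not permit secure LDAP sign-in",
}


def search_base_from_domain(domain: str) -> str:
    """Derive the Search Base from the Domain name, e.g. 'example.com' -> 'dc=example,dc=com'."""
    labels = [lbl for lbl in domain.strip().lower().rstrip(".").split(".") if lbl]
    if not labels:
        raise ValueError("domain must contain at least one label")
    return ",".join(f"dc={label}" for label in labels)


def describe_result_code(code: int) -> str:
    """Explain an LDAP result code seen in Jamf Pro logs."""
    return RESULT_CODES.get(code, f"unknown LDAP result code {code}")


def tls_client_auth_check(cert_pem: str, key_pem: str,
                          host: str = GOOGLE_LDAP_HOST, port: int = GOOGLE_LDAP_PORT) -> dict:
    """Open a TLS session to the LDAPS port, presenting the client certificate
    Google issued for the LDAP client, and report the negotiated session."""
    ctx = ssl.create_default_context()          # validates the server certificate
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.load_cert_chain(certfile=cert_pem, keyfile=key_pem)
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            peer = tls.getpeercert()
            return {"tls_version": tls.version(), "cipher": tls.cipher()[0],
                    "server_subject": dict(rdn[0] for rdn in peer["subject"])}


if __name__ == "__main__":
    import sys
    crt, key, domain = sys.argv[1:4]   # usage: precheck.py client.crt client.key example.com
    print("search base:", search_base_from_domain(domain))
    print(tls_client_auth_check(crt, key))
```

If the handshake fails with a certificate error, the client certificate or key is wrong or expired; if it succeeds but Jamf Pro still reports code 50, the problem is user licensing rather than the connection.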

Testing Cloud Identity Provider Attribute Mappings

You can test the following attribute mappings:

  • User mappings

  • User group mappings

  • User group membership mappings

If Jamf Pro returns the appropriate information, the attributes are mapped correctly.

  1. Log in to Jamf Pro.

  2. In the top-right corner of the page, click Settings.

  3. Click System Settings.

  4. Click Cloud Identity Providers.

  5. Click the instance name you want to test.

  6. Click Test.

  7. Click the appropriate tab and enter information in the fields provided.

  8. Click Test again.
