Jim Zajkowski
home github feed about

Jamf Account SSO and Reversed Names from Entra

Jul 28, 2025

While setting up Jamf Account SSO (not to be confused with Jamf Pro SSO), I ran into trouble with our Entra names and how Jamf handles them:

backwards.png

The issue is our Entra accounts all come from AD sync, and in general, AD puts people names in Family, Given order. Jamf Account SSO - although configured for first and last names, seems to take the full name field, split on the first space, and assume it’s in US-centric Given Family order.

The workaround was provided to me across a few Jamf support sessions.

Follow the Jamf Account setup process first

Create an additional attribute in Azure

  • Find the Entra Enterprise Application for Jamf Account.
  • Single Sign On tab
  • Attributes and Claims
  • Click Edit
  • Add new Claim
  • Name it something like customname (you will need this name, below)
  • Create a Transformation of Join, joining user.givenname, " ", and user.surname.
transformer.png
  • Flip over to the App Registration in Entra
  • Click on Manifest under the Manage heading
  • Change the acceptMappedClaims to true
  • While in App Registration, create a new secret for the app.
  • Copy the Application ID and Directory ID from the App’s Overview.

Change from the Entra connection to Generic OIDC

  • In Jamf Account, create a new SSO provider.
  • Use Generic OIDC.
  • Enter the Client ID and secret from before.
  • For Issuer URL, use the same Authority URL
  • Click Save
  • Turn on Advanced Features (Jamf Account > Organization > Settings)
  • Go back to the SSO configuration. You should now see a Custom mapping section. Set it like this. If you used a different name than customname change it above.

Groups are TBD

 1{
 2  "mapping_mode": "use_map",
 3  "userinfo_scope": "email openid profile",
 4  "attributes": {
 5    "name": "${context.tokenset.customname}",
 6    "email": "${context.tokenset.preferred_username}",
 7    "groups": "${context.tokenset.groups}",
 8    "username": "${context.tokenset.preferred_username}",
 9    "federated_groups": "${context.tokenset.groups}",
10    "federated_locale": "${context.tokenset.locale}",
11    "federated_zoneinfo": "${context.tokenset.zoneinfo}"
12  }
13}