grahampugh / jamf-upload

Scripts for uploading packages to Jamf Cloud
Apache License 2.0

Feature request: Support for new Failover URLs #97

Closed niloque closed 1 year ago

niloque commented 1 year ago

Jamf Pro 10.45.0 introduced Failover URL Update for Single Sign-On Integrations:

New instances of Jamf Pro 10.45.0 or later enabling single sign-on (SSO) for the first time will have a failover login URL that includes a string of randomized characters for improved security.

With Jamf Pro instances using SSO, when you're trying to upload a package with JamfPackageUploader with the jcds_mode set to True, your Autopkg service account will require Update privilege on SSO settings. However, with the new Failover URLs, this will not be enough, at least according to my tests. I would like to suggest an update to the processor (please be aware I have a very basic understanding of Python and I don't know how to submit a PR 😉).

In the current version of JamfPackageUploader the function create_session contains the following line: url = jamf_url + "/?failover" which takes care of SSO without the randomized string. In order for it to work with the string, a few changes would need to be implemented.

My suggestions:

At Line 192 (within input_variables):

"failover_id": {
    "required": False,
    "description": "Add string of randomized characters to the Jamf Failover URL",
    "default": "",
},

At Line 408:

def create_session(self, jamf_url, user, password, failover_id):
    """create session cookies for the package upload endpoint"""
    url = jamf_url + "/?failover=" + failover_id

At Line 670:

self.failover_id = self.env.get("failover_id")

At Line 882:

self.create_session(
    self.jamf_url, self.jamf_user, self.jamf_password, self.failover_id
)

Thanks to these changes, we could then include a flag -k failover_id=xxx in the autopkg command or even set a global variable in global Autopkg preferences plist file. I have tested this on my Jamf Beta instance with Okta SSO and it worked.

grahampugh commented 1 year ago

Can you explain to me what the "string of randomised characters" is? Is this supposed to be generated on the fly, or is it an assigned constant for each JSS?

niloque commented 1 year ago

It's in the release notes for Jamf Pro 10.45.0:

New instances of Jamf Pro 10.45.0 or later enabling single sign-on (SSO) for the first time will have a failover login URL that includes a string of randomized characters for improved security. If you enabled SSO in Jamf Pro 10.44.0 or earlier, you can choose to retain your current failover URL or opt-in to use a randomly generated URL. To access this feature, navigate to Settings > System > Single sign-on. Click Regenerate to create a new failover login URL or use the Jamf Pro API /v1/sso/failover/generate endpoint. After regenerating your URL, you can no longer use the previous URL to log in to Jamf Pro.

If you forget your failover URL, you can retrieve the current failover URL using the Jamf Pro API /v1/sso/failover endpoint.

Long story short — once it's set up it's constant until an admin regenerates it.

colorenz commented 1 year ago

Would it perhaps be better to query the API for the current failover url?

https://developer.jamf.com/jamf-pro/reference/get_v1-sso-failover

grahampugh commented 1 year ago

Yeah, I was just thinking that - since that query shouldn't need to use the /failover URL.

grahampugh commented 1 year ago

Care to test? https://github.com/grahampugh/jamf-upload main branch

This grabs the failover URL from the /v1/sso/failover endpoint and uses that URL for subsequent requests. Seemed to work both when the failover URL had no string, and when it had a randomised string.
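An added example (my own illustration, not the jamf-upload code) of consuming that endpoint's response in Python: it accepts the login URL only when it is on the same host as the Jamf Pro server, reports a 403 as the missing Read privilege on SSO Settings rather than a generic HTTP error, and extracts the randomised string from either form of the URL. The "failoverUrl" key name and the sample response are assumptions.

```python
import json
from urllib.parse import urlsplit

# Constructed sample of what GET /api/v1/sso/failover is assumed to return
# (the "failoverUrl" key name is an assumption, not taken from the thread).
SAMPLE_OK = json.dumps({
    "failoverUrl": "https://example.jamfcloud.com/?failover=ABC123",
    "generationTime": 1680000000000,
})


def failover_url_from_response(jamf_url, status, body):
    """Turn the raw status/body of GET /api/v1/sso/failover into the login URL
    the upload session should use (hypothetical helper, not the project's code)."""
    if status == 403:
        # The failure mode from this thread: the API account has no Read
        # privilege on SSO Settings, so say so instead of a bare HTTP error.
        raise PermissionError(
            "GET /api/v1/sso/failover returned 403: grant the AutoPkg service "
            "account 'Read' on 'SSO Settings'"
        )
    if status != 200:
        raise RuntimeError(f"unexpected status {status} from /api/v1/sso/failover")
    url = json.loads(body)["failoverUrl"]
    # Only accept a failover URL on the same host as the Jamf Pro server, so
    # a bad or tampered response cannot send the session cookies elsewhere.
    if urlsplit(url).netloc.lower() != urlsplit(jamf_url).netloc.lower():
        raise ValueError(f"failover URL {url!r} is not on {jamf_url!r}")
    return url


def failover_id_from_url(url):
    """Return the randomised part of a failover URL, or "" for the legacy
    /?failover form that SSO setups from 10.44.0 or earlier may keep."""
    query = urlsplit(url).query          # "failover=ABC123" or just "failover"
    key, sep, value = query.partition("=")
    if key != "failover":
        raise ValueError(f"{url!r} is not a Jamf failover login URL")
    return value if sep else ""


if __name__ == "__main__":
    login_url = failover_url_from_response("https://example.jamfcloud.com", 200, SAMPLE_OK)
    print(login_url, failover_id_from_url(login_url))
```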

niloque commented 1 year ago

At first it failed but then I remembered that probably my autopkg service account doesn't have the required privilege. Found out you need to enable Read for Sso Settings and I managed to upload a package via jcds_mode. 👍🏻

grahampugh commented 1 year ago

Thanks for the tip about permissions - makes total sense of course. I've added that privilege to the wiki, and pushed the changes to autopkg/grahampugh-recipes. I also announced the additional privileges requirement in Slack.