I'm not sure if this functionality exists for macOS, but it does for Chromebooks, and it's pretty amazing, so we'd like to leverage it for our iMac labs at the very least, and if it works there maybe go org-wide with it. The problem is I'm not sure what method to attack this problem with.
I know that Macs support Kerb/SSO authentication, and also that Google's SecureLDAP can work for macOS as well, but what I really want is for the login screen to show me a Classlink login page so users can sign in with a QR code badge.
Since our Google accounts use Classlink as their IDP and show the splash page when you try to log into them via web browser, I started going down the rabbit hole of getting a test machine bound to Google Secure LDAP, thinking it might spawn a splash page for Classlink login. But now I'm realizing that mechanism probably won't happen.
I realize I'm sort of rambling here, but I'd be interested in anyone else's experience getting to an IDP login screen on MacOS where you can scan in using a badge, regardless of platform or mechanism.
"We had the same problem, and we use Classlink as an IDP for Google. I could only get an account created with a manually defined username in the config profile. Since Google takes us to the separate Classlink page, I think that's why the username isn't getting pulled. It would be nice if we could do the same thing as passwords, defining the elementID field, since there is no @email.com part in our login, though I'm not 100% that's the best solution."
"I am testing xCreds with Google. We are using Google as a Single sign-on (SSO) with a third-party identity provider --> Classlink.com. XCreds will go to Google then to Classlink back to Google without passing the authentication back to xCreds. How can I get xCreds to see the authentication?"
We're personally looking to get rid of NoMAD this year, so this is something I will test myself in the next few months. NoMAD is still working great for us in a K-12 shared lab setting, even on the latest Ventura. I just don't like how it's kind of a ghost project at this point. It would also be nice to use our ClassLink IdP. XCreds is all written in Swift and a modern solution (if not cutting-edge).
Just coming back to this thread due to notifications. Honestly, thank you for the detailed reply! Would love to hear more about how it's going for you. We're still binding Macs to AD and using mobile accounts + Enterprise Connect (since Apple KSSO can't sync passwords in this circumstance), but I'm looking to test out local accounts + Jamf Connect sometime when I get enough time to do some research (probably the 12th of Never, but hoping maybe after the fall ticket rush).
Hi there. I looked into integrating XCreds with ClassLink heavily. I ultimately found that I need TwoCanoes to work with ClassLink to build an integration; there's no way to get a client secret, etc. without being a ClassLink Developer. Tim @ TwoCanoes said he would be open to building this. ClassLink doesn't charge software vendors for integrations. I'm not quite sure where he's at with that; I haven't heard from him lately.
I'd really like to get it to work because XCreds is a small fraction of the cost of Connect, even with Education pricing. XCreds is $1 per device, per year (Education) which is unbelievably cheap. And that would come with support. Jamf support has really gone downhill in my experience.
Apple is also teasing Platform SSO with Sonoma. I'm not quite sure what that looks like yet. Not holding my breath on it personally, I'd totally pay for XCreds @ $500 per device / year, with support. We have some devices that won't support Sonoma that we still need the ability to let any user login.
For sure. ClassLink has been awesome for us btw. Wasn't aware of the no P.O. thing, hadn't even gotten that far with them. Good to know, as that could be an issue for us as well (we're K-12). Connect will be a little more turn-key and easier to implement. We piloted it in its early stages, but switched to NoMAD because Connect's main advantage is giving a remote user a fresh device, and they can sign in and create an account off-network, and we're just never really doing that, so didn't want to pay for something we weren't going to take advantage of.
With the school year winding down I found some time to try and get this to work. Essentially we're trying to get away from using NoMAD now that it's end-of-life. Our Jamf rep got us some kind of bundle deal with a bunch of Jamf Connect licenses. We're currently still using NoMAD in shared labs and some shared laptops.
Loads a generic ClassLink page unfortunately, even with everything set up correctly. I can find our domain by typing one word, select it, and then get brought to our personal ClassLink login page. From there I can successfully login.
ClassLink has stated "The redirect to the generic ClassLink page is intended with the OIDC/OAuth2 workflow. The reason being is this will allow for universal functionality. Unfortunately we cannot manipulate the issuer url to redirect your login page."
Shows a Google login page. User has to enter a valid email, and it will then direct them to a ClassLink login page. This is the behavior I was expecting, unfortunately. Our Google Workspace is set up so that ClassLink is our primary IdP for SSO. So Google essentially just points to ClassLink. Our Chromebooks show a ClassLink login screen, although that's SAML, which Jamf Connect doesn't support. It would just be a quality-of-life improvement to not require Students and Staff to have to enter their full email, and then username and password.
Both options are working in the sense that cloud identities can successfully sign in and have a local account created. But I'm just not quite happy with either for the reasons stated. I think we're still going to proceed with Google for now. I have the Jamf Connect menu bar app set to sync passwords with Google LDAP and that seems to be working fine. That should play nicely with either Login Window IdP.
I did have a call today with ClassLink and they said they will reach out to Jamf to try and build a proper integration. If this is something you're interested in, I suggest you let your ClassLink and Jamf rep(s) know.
I tried literally everything to accomplish the above for either ClassLink or Google, and hit a wall. I did a bunch of digging through OIDC documentation and found that there is a parameter which Google's implementation could accept called 'hd': "Streamline the login process for accounts owned by a Google Cloud organization. By including the Google Cloud organization domain (for example, mycollege.edu), you can indicate that the account selection UI should be optimized for accounts at that domain." - -connect/openid-connect#hd-param.
So the current plan is to still go the Google + Jamf Connect route to get off of NoMAD, and hopefully in the future ClassLink and Jamf have officially partnered and we can switch to using ClassLink for the Login Window.