I filed a ticket with Jamf a few months ago, so I think I know the answer to this but I want to make sure.
Is there a way to enable SSO if your Jamf Pro URL points to web apps in limited access mode exposed to the internet while the URL you use for web console logins in internal-only? In my testing, we had to disable limited access mode on the web apps in the DMZ and expose our console login to the public internet which is less than desirable. Even if we manually modified the SSO XML file with our internal URL, this wouldn't work. The only solution we could find was to disable limited access in the DMZ.
Is this still accurate?
