After you have created an OIDC app in your identity provider (IdP) and verified the single sign-on (SSO) domain, you must add an SSO connection to Jamf Account.
If you need to update the connection type or region in the future, you must delete the SSO connection and create a new one in Jamf Account.
Warning: If you are currently logged in to a Jamf app with the IdP connection you are deleting, do not log out before setting up a new connection, or ensure you have another method for logging in, such as Jamf ID.
- Navigate to and click New Connection.
- Under Connection Settings, click the Connection Type pop-up menu, and select the applicable option for your IdP:
- Microsoft Entra ID — Choose Entra or Generic OIDC based on the following permission requirement:
If your organization can grant the Directory.Read.All permission, choose
If your organization cannot grant the Directory.Read.All permission, choose
Note: Keep the following in mind when working with Microsoft Entra ID:
Jamf recommends using the Entra connection type for most environments. For further assistance deciding which connection type best suits your environment, contact Jamf Support.
If you are a Microsoft Entra GCC High customer, the option in Jamf Account is not compatible with your environment. Use the option instead. Contact Jamf Support for guidance specific to your configuration.
With Generic OIDC, group names default to their Entra ID GUIDs instead of their display names. You must ensure the group names in Jamf Pro match the Entra ID GUIDs.
Fill in the following required fields with values from your IdP:
Client ID
Client Secret value
(Entra connection type only) Microsoft Entra ID Domain
(Entra connection type only) Tenant Domain
(Generic OIDC connection type only) Issuer URL
Note: Keep the following in mind when entering IdP values:
For the Issuer URL, enter the Entra ID "Open ID Connect Metadata Document" URL. For Entra ID commercial tenants, this URL should have the following format: https://login.microsoftonline.com/{TENANT_ID}/v2.0/.well-known/openid-configuration.
To use a group name in Jamf Pro User Accounts & Groups for assigning privileges, select Get User Groups under Attributes.
For more information, see Microsoft Entra ID Connection Settings in Jamf Account.
- Okta —
Choose and fill in the following required fields with values from your IdP:
For more information, see Okta Connection Settings in Jamf Account.
- Google Identity —
Choose and fill in the following required fields with values from your IdP:
Issuer URL
Client ID
Client Secret value
For more information, see Google Identity Connection Settings in Jamf Account.
- OneLogin —
Choose and fill in the following required fields with values from your IdP:
Issuer URL
Client ID
Client Secret value
For more information, see Configuring OneLogin for SSO Integration with Jamf Account.
- JumpCloud —
Choose and fill in the following required fields with values from your IdP:
Issuer URL
Client ID
Client Secret value
For more information, see Configuring JumpCloud for SSO Integration with Jamf Account.
- PingOne —
Choose and fill in the following required fields with values from your IdP:
Issuer URL
Client ID
Client Secret value
For more information, see Configuring PingOne for SSO Integration with Jamf Account.
- Under IdP group name filter, enter specific strings. Press the Return key to separate multiple strings.
Best Practice: If your IdP user is scoped to 100 or more groups, Jamf recommends using the filter to customize which groups are allowed. By default, all groups are allowed. You can add multiple strings, and use "and" to require group names to match all entered strings, or use "or" to require group names to match any of the entered strings. The group filter is case sensitive.
- Under Session options, enter the preferred session duration and inactivity timeout.
Note: Keep the following in mind when configuring session options:
Inactivity timeout refers to a period of time in which there is no user interaction with an app. Inactivity timeout typically has a shorter time frame than session duration.
Session duration refers to a period of time an app is usable before re-signing in is required.
These settings are respected by any app using your IdP.
- Under Associated Domains, select the domain of the IdP that was previously verified.
Note: Keep the following in mind when working with domains:
At least one domain must be set when saving a connection in Jamf Account.
To configure multiple IdPs for the same domain, you must first enable advanced features under . Login pages for selected apps will display an IdP connection selector. Ensure your connections are clearly labeled.
Unverified users have email domains that do not match your organization's verified domain. If you want those users to access Jamf Account with their IdP credentials, or if those users should not be assigned to your organization, you can remove them on the Users & contacts page.
- Select the applications that will use this connection.
- Copy the callback URL to add it to your own IdP.
- Click Save.
The IdP configuration is saved and the account contacts are verified.
The single sign-on (SSO) connection is now ready to use. The SSO connection allows users configured in the IdP to log in using SSO for all enabled Jamf applications.
Note: Users can still log in to Jamf applications using Jamf ID if desired by clicking Continue with Jamf ID.
Specific user authorization roles and permissions must be configured in each Jamf application.
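A small model of the IdP group name filter and the Jamf Pro group mapping described in the steps above, added here as an example and not Jamf's own code. It assumes that filter strings match as case-sensitive substrings of a group name (the page does not say how matching is done), and every group name and GUID in it is constructed.

```python
"""Model of the Jamf Account IdP group name filter and the Jamf Pro group
name mapping described above. Added example, not Jamf's code. Assumed
(not stated on the page): filter strings match as case-sensitive
substrings of a group name; all sample data below is constructed."""
from typing import Iterable, List

# Constructed sample group claims. An Entra connection with Get User Groups
# returns display names; a Generic OIDC connection returns Entra object IDs.
ENTRA_GROUPS = ["Jamf-Admins", "Jamf-Helpdesk", "Finance-Users", "jamf-readonly"]
GENERIC_OIDC_GROUPS = [
    "3f2a1c0e-0000-4000-8000-000000000001",  # constructed GUID
    "3f2a1c0e-0000-4000-8000-000000000002",  # constructed GUID
]
# Constructed names of Jamf Pro groups that privileges are assigned to.
JAMF_PRO_GROUPS = ["Jamf-Admins", "Jamf-Helpdesk"]


def group_allowed(name: str, filters: List[str], mode: str) -> bool:
    """True if one group name passes the filter.

    mode="and": every filter string must appear in the name;
    mode="or":  any filter string may appear.
    An empty filter allows all groups (the page's default).
    """
    if not filters:
        return True
    hits = [f in name for f in filters]  # case sensitive, per the page
    if mode == "and":
        return all(hits)
    if mode == "or":
        return any(hits)
    raise ValueError(f"unknown mode {mode!r}")


def filter_groups(groups: Iterable[str], filters: List[str], mode: str = "or") -> List[str]:
    """Apply the connection's filter to the group claims of one token."""
    return [g for g in groups if group_allowed(g, filters, mode)]


def unmapped_jamf_groups(jamf_groups: Iterable[str], token_groups: Iterable[str]) -> List[str]:
    """Jamf Pro groups that no group claim matches exactly, so their
    privileges would never be granted to this user."""
    claims = set(token_groups)
    return [g for g in jamf_groups if g not in claims]


if __name__ == "__main__":
    print(filter_groups(ENTRA_GROUPS, ["Jamf"]))                       # drops jamf-readonly
    print(filter_groups(ENTRA_GROUPS, ["Jamf", "Admins"], "and"))
    print(unmapped_jamf_groups(JAMF_PRO_GROUPS, GENERIC_OIDC_GROUPS))  # all unmapped
```

Running it against the Generic OIDC sample shows the pitfall from the Entra note: display-name filters and Jamf Pro group names never line up with GUID claims until the Jamf Pro group names are changed to the GUIDs.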