Training Video
Watch the Integrate Okta with Jamf Account training video to learn how to configure SSO through Jamf Account.
You must have access to your organization's Okta Identity Engine or Okta Classic Engine admin console.
- Log in to the Okta Admin Console.
- Click Applications > Applications.
- Click Create App Integration.
- In the Create a new app integration window, do the following:
- Select OIDC - OpenID Connect as the sign-in method.
- Select Web Application as the application type.
- Click Next.
- In the New Web App Integration window, do the following:
- Under General Settings, enter an app integration name (e.g., "Jamf Account").
- Under Sign-in redirect URIs, enter the region-specific URI for the region in which your Jamf Cloud servers are hosted. Redirect URIs are matched exactly, so enter the value as shown, with no trailing slash or query string. If you do not know your region, you can add all four URIs by clicking the + Add URI button.
https://us.auth.jamf.com/login/callback
https://eu.auth.jamf.com/login/callback
https://au.auth.jamf.com/login/callback
https://jp.auth.jamf.com/login/callback
- Under Sign-out redirect URIs, enter https://account.jamf.com/logout.
- Under Assignments, select Skip group assignment for now for Controlled access, and then click Save.
The saved application will open in a new window.
- On the General tab, copy the following items, as you will need them later:
Client ID
Client secret (store it as you would any other credential; it is what authenticates Jamf Account to Okta)
Okta domain
Note: Retrieve this by clicking your profile name in the top-right corner. Your Okta domain will be in one of the following formats:
https://example.okta.com
https://example.oktapreview.com
https://example.okta-emea.com
If you have a custom Okta domain, your server naming may vary. For more information on determining your Okta domain, see Find your Okta domain in Okta's documentation.
- On the Assignments tab, click the Assign pop-up menu, and then select either "Assign to People" or "Assign to Groups" and select the people or groups you want to assign the app to.
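The following is an added example and is not part of Jamf's or Okta's documentation. It assembles the same OIDC web app settings the steps above configure by hand, in the request body shape Okta's Apps API uses for an OIDC client (name "oidc_client", signOnMode "OPENID_CONNECT"), and checks each redirect URI before it is used: only https, only the exact Jamf Account callback values, no query strings or wildcards. Submitting the payload to Okta is left out; the validation rules and the Okta domain regular expression are assumptions made for this illustration and do not cover custom Okta domains.

```python
"""Build and sanity-check the Okta OIDC app settings for Jamf Account.

Added example, not Jamf's or Okta's own code. The request body follows the
Okta Apps API shape for an OIDC client; the validation rules and the Okta
domain pattern are assumptions made for this illustration.
"""
import json
import re
from urllib.parse import urlsplit

# Sign-in redirect URIs from the procedure, keyed by Jamf Cloud region.
JAMF_REDIRECT_URIS = {
    "us": "https://us.auth.jamf.com/login/callback",
    "eu": "https://eu.auth.jamf.com/login/callback",
    "au": "https://au.auth.jamf.com/login/callback",
    "jp": "https://jp.auth.jamf.com/login/callback",
}
JAMF_LOGOUT_URI = "https://account.jamf.com/logout"

# Standard Okta org domain formats named in the procedure (custom domains not covered).
OKTA_DOMAIN_RE = re.compile(r"^https://[a-z0-9-]+\.(okta\.com|oktapreview\.com|okta-emea\.com)$")


def check_redirect_uri(uri: str) -> list:
    """Return the problems found with a sign-in redirect URI (empty list means OK).

    OIDC compares redirect URIs exactly, so anything that is not one of the Jamf
    callbacks byte for byte will either break the login or register a callback
    target you did not intend.
    """
    problems = []
    parts = urlsplit(uri)
    if parts.scheme != "https":
        problems.append("scheme must be https")
    if parts.query or parts.fragment:
        problems.append("query string or fragment is not allowed")
    if "*" in uri:
        problems.append("wildcards are not matched by redirect_uri comparison")
    if uri not in JAMF_REDIRECT_URIS.values():
        problems.append("not one of the Jamf Account callback URIs")
    return problems


def build_app_payload(label: str, regions: list) -> dict:
    """Assemble the Okta OIDC web app request body for the given Jamf regions.

    Raises ValueError on an unknown region or a redirect URI that fails validation,
    so a typo cannot silently reach the IdP.
    """
    redirect_uris = []
    for region in regions:
        if region not in JAMF_REDIRECT_URIS:
            raise ValueError(f"unknown Jamf region: {region!r}")
        uri = JAMF_REDIRECT_URIS[region]
        problems = check_redirect_uri(uri)
        if problems:
            raise ValueError(f"{uri}: {', '.join(problems)}")
        redirect_uris.append(uri)
    return {
        "name": "oidc_client",
        "label": label,
        "signOnMode": "OPENID_CONNECT",
        "credentials": {
            # Confidential web app: Okta issues a client secret; keep it out of source control.
            "oauthClient": {"token_endpoint_auth_method": "client_secret_post"}
        },
        "settings": {
            "oauthClient": {
                "application_type": "web",
                "grant_types": ["authorization_code"],
                "response_types": ["code"],
                "redirect_uris": redirect_uris,
                "post_logout_redirect_uris": [JAMF_LOGOUT_URI],
            }
        },
    }


def is_okta_org_domain(domain: str) -> bool:
    """True if the value is in one of the standard Okta org domain formats from the procedure."""
    return bool(OKTA_DOMAIN_RE.match(domain))


if __name__ == "__main__":
    print(json.dumps(build_app_payload("Jamf Account", ["us"]), indent=2))
    # A plain-http callback is rejected before it can reach Okta.
    print(check_redirect_uri("http://us.auth.jamf.com/login/callback"))
```

Passing only the regions you actually use keeps the set of accepted callback targets to the minimum; if you had to add all four because the region was unknown, remove the unused ones once you have confirmed it.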
- (Optional) On the Sign On tab, do the following to configure Okta to send group membership information:
- Under OpenID Connect ID Token, select Edit.
- Under Group claim type, select either Filter or Expression.
- Under Group claim filter or Group claims expression, name the claim "groups", and then add a filter or expression that selects the groups to send to Jamf Account.
- To send all Okta groups, select a Group claim type of Filter and a Groups claim filter of Matches regex with the following value:
.*
- To send up to 100 Okta groups and 100 federated on-premise Active Directory groups, select a Group claim type of Expression with the following expression value:
Arrays.isEmpty(Arrays.toCsvString(Groups.startsWith("active_directory","",100))) ? Groups.startsWith("OKTA","",100) : Arrays.flatten(Groups.startsWith("OKTA","",100),Groups.startsWith("active_directory","",100))
Note: Groups claims are limited by the size of the OIDC ID token. Organizations with very large numbers of groups should limit the claim to fewer than 150 values; note that the expression above can return up to 200 (100 from each source) for a user who is in many groups of both kinds. For more information on customizing the group claim and filters, see Customize tokens returned from Okta with a groups claim in Okta's documentation.
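The following is an added example and is not part of Jamf's or Okta's documentation. It re-implements in Python the semantics of the Okta Expression Language snippet above (Groups.startsWith(app, pattern, limit) returning up to limit groups from one source; Arrays.isEmpty on the CSV of the AD result deciding whether to return Okta groups alone or both lists flattened) so you can see what will land in the groups claim for a given user, and it decodes the payload of a constructed ID token to count the groups and flag the 150-value guidance. The sample group lists are constructed for the demo; the token helper produces an unsigned token only so the example runs offline, and the inspector deliberately does no signature verification, which is the relying party's job.

```python
"""Model the groups-claim expression from the procedure and inspect the resulting claim.

Added example, not Okta's or Jamf's code. okta_groups_claim() mirrors:
  Arrays.isEmpty(Arrays.toCsvString(Groups.startsWith("active_directory","",100)))
    ? Groups.startsWith("OKTA","",100)
    : Arrays.flatten(Groups.startsWith("OKTA","",100), Groups.startsWith("active_directory","",100))
The sample groups and the unsigned demo token are constructed for this illustration.
"""
import base64
import json

RECOMMENDED_MAX_GROUPS = 150  # the ceiling the procedure recommends for large orgs


def groups_starts_with(groups_by_source: dict, source: str, prefix: str, limit: int) -> list:
    """Python stand-in for Groups.startsWith(app, pattern, limit): groups from one
    source app whose names start with the prefix, capped at limit."""
    return [g for g in groups_by_source.get(source, []) if g.startswith(prefix)][:limit]


def okta_groups_claim(groups_by_source: dict) -> list:
    """Evaluate the procedure's expression over a user's groups, keyed by source app
    ("OKTA" for Okta-mastered groups, "active_directory" for federated AD groups)."""
    ad = groups_starts_with(groups_by_source, "active_directory", "", 100)
    okta = groups_starts_with(groups_by_source, "OKTA", "", 100)
    if not ad:  # Arrays.isEmpty(Arrays.toCsvString(...)) is true when no AD group matched
        return okta
    return okta + ad  # Arrays.flatten concatenates the two lists


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_unsigned_token(payload: dict) -> str:
    """Constructed demo token: header and payload with an empty signature. A relying
    party must never accept alg "none"; it is used here only to keep the sample offline."""
    header = b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(payload).encode())
    return f"{header}.{body}."


def inspect_groups_claim(id_token: str, claim: str = "groups") -> dict:
    """Decode an ID token payload WITHOUT verifying it and report on the groups claim.

    Returns whether the claim is present, how many values it carries, the encoded
    payload size, and whether the count exceeds the recommended ceiling.
    """
    _header, payload_b64, _signature = id_token.split(".")
    payload = json.loads(b64url_decode(payload_b64))
    groups = payload.get(claim)
    if groups is None:
        return {"present": False, "count": 0, "payload_bytes": len(payload_b64), "too_many": False}
    return {
        "present": True,
        "count": len(groups),
        "payload_bytes": len(payload_b64),
        "too_many": len(groups) > RECOMMENDED_MAX_GROUPS,
    }


if __name__ == "__main__":
    # Constructed sample users for the demo.
    okta_only = {"OKTA": ["Everyone", "jamf-admins"]}
    mixed = {"OKTA": ["Everyone"], "active_directory": ["Domain Users", "Mac Admins"]}
    heavy = {"OKTA": [f"okta-{i}" for i in range(120)],
             "active_directory": [f"ad-{i}" for i in range(120)]}
    for name, user in (("okta_only", okta_only), ("mixed", mixed), ("heavy", heavy)):
        claim = okta_groups_claim(user)
        report = inspect_groups_claim(make_unsigned_token({"sub": name, "groups": claim}))
        print(name, report)
```

The "heavy" user shows the caveat from the note above: each source is capped at 100, but a user in many groups of both kinds still gets 200 values, above the 150 the procedure recommends, so tighten the prefix argument of Groups.startsWith (for example to a naming convention such as "jamf-") rather than relying on the 100-per-source cap alone.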
Your app integration is created. Before you connect your IdP with Jamf Account, you must verify your SSO domain. For instructions, see Verifying your SSO Domain in Jamf Account.