To enable SSO with SAML for end users, you must configure settings in both your IdP's console and Jamf Pro.
You must configure settings for your IdP before you enable SSO in Jamf Pro. In some environments, simultaneous configuration between your IdP and Jamf Pro is required.
Note:
Enabling SSO for Jamf Pro services and applications prevents users from authenticating with standard and directory credentials. Jamf recommends that you notify users about changes to the authentication experience in your organization when enabled.
Requirements
Integration with an identity provider (IdP) that supports SAML 2.0 protocols. For more information, see the following:
Single Sign-On articles for Active Directory Federation Services, Google Workspace, Okta, OneLogin, Ping Identity, and Shibboleth
TCP connectivity from the Jamf Pro server to the identity provider
Jamf Pro user accounts or groups with matching IdP usernames or groups
Administrator privileges to Jamf Pro and your IdP
If you are enabling the failover URL as an option for users to access Jamf Pro, and SSO authentication is enabled, the Jamf Pro user accounts need Read and Update privileges for SSO Settings in Jamf Pro. For more information, see Creating a Jamf Pro User Account.
In Jamf Pro, click Settings in the sidebar.
In the System section, click Single sign-on.
Click Edit.
Select Enable SSO Authentication to enable the configuration.
Do one of the following:
If you are using Jamf Account for administrator SSO, select Use SAML authentication for end users (using IdP settings from Jamf Pro) to enable SAML authentication for end user SSO.
If you are only using SAML authentication for SSO, select SAML authentication.
Note:
In the Failover Login URL box, click Copy to clipboard, and then save the failover login URL to a secure location. This URL will allow you to log in using your Jamf Pro credentials after SSO is enabled.
Choose your IdP from the Identity Provider pop-up menu.
If your IdP is not listed, choose "Other" and enter your IdP's name in the Other Provider field. The Entity ID field is pre-populated by default (e.g., "https://JAMF_PRO_URL.jamfcloud.com/saml/metadata").
Note:
For most IdPs, the Entity ID value should match the Audience URI value in the IdP's configuration settings.
Select an option to configure the Identity Provider Metadata Source setting:
Metadata File — Allows you to upload a metadata file in XML format.
Metadata URL — You must obtain this URL from your IdP's configuration settings (e.g., the "Audience URI" or "Audience Restriction").
(Optional) (Okta only) Enable the Token Expiration Time Override if you need to override the default token expiration period.
When enabled, the value in minutes determines the amount of time before the SAML token expires. The field is pre-populated with the default value determined by Okta. If you override the default value, you must ensure the new value matches the token expiration settings configured in Okta.
The Token Expiration Time Override setting is set to Disabled by default in Okta and the default expiration time is used.
Important:
Jamf Pro users or end users using enrolled devices may encounter login errors if the Token Expiration Time Override setting is enabled. To prevent these errors, you may want to disable the Token Expiration Time Override setting. This will stop Jamf Pro from verifying the token's lifetime, which is controlled and verified by your IdP. Alternatively, you can ensure that the token expiration time set in Jamf Pro exceeds the expiration time configured by your IdP. However, issues may still occur if the token expiration time dynamically changes.
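The two settings above, the Entity ID that must equal the IdP's Audience URI and the Token Expiration Time Override that must match or exceed the IdP's own token lifetime, can be checked against an assertion captured from the IdP. The following is an added example, not Jamf's code; it assumes a standard SAML 2.0 Conditions element and uses the page's example Entity ID and a constructed assertion.

```python
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion with only the elements this check reads;
# the signature, subject and attributes are omitted. Values are illustrative.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
  <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
  <saml:Conditions NotBefore="2024-01-01T12:00:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://JAMF_PRO_URL.jamfcloud.com/saml/metadata</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""


def parse_saml_time(value):
    """Parse a SAML UTC timestamp, with or without fractional seconds."""
    for fmt in ("%Y-%m-%dT%H:%M:%S.%fZ", "%Y-%m-%dT%H:%M:%SZ"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unrecognised SAML timestamp: {value}")


def check_assertion_against_jamf_settings(assertion_xml, entity_id, override_minutes=None):
    """Compare an IdP assertion with the Jamf Pro SSO settings.

    Returns whether the Jamf Pro Entity ID appears as an Audience, the token
    lifetime in minutes taken from the Conditions window, and, when a Token
    Expiration Time Override is configured, whether it matches or exceeds
    that lifetime (the page's guidance for avoiding login errors).
    """
    root = ET.fromstring(assertion_xml)
    conditions = root.find("saml:Conditions", SAML_NS)
    audiences = [a.text.strip() for a in conditions.findall("saml:AudienceRestriction/saml:Audience", SAML_NS)]
    not_before = parse_saml_time(conditions.get("NotBefore"))
    not_on_or_after = parse_saml_time(conditions.get("NotOnOrAfter"))
    lifetime_minutes = (not_on_or_after - not_before).total_seconds() / 60
    result = {
        "audience_matches_entity_id": entity_id in audiences,
        "token_lifetime_minutes": lifetime_minutes,
    }
    if override_minutes is not None:
        result["override_covers_idp_lifetime"] = override_minutes >= lifetime_minutes
    return result
```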
Select an option in the Identity Provider User Mapping setting to define which attribute from the SAML token should be mapped to Jamf Pro users:
NameID — Default attribute name
Custom Attribute — Allows you to enter a custom attribute name that is included in the SAML token sent from the IdP
Click Username or Email for Jamf Pro User Mapping.
These options determine how users in your IdP will be mapped to Jamf Pro users. By default, Jamf Pro gets information about the user from the IdP and matches it with existing Jamf Pro user accounts. If the incoming user account does not exist in Jamf Pro, then group name matching occurs.
Enter the SAML assertion attribute that defines users in the IdP in the Identity Provider Group Attribute Name field.
Jamf Pro matches each group from the Jamf Pro database and compares group names. Each user will be granted access privileges from all of the groups in the same manner as a local Jamf Pro user would. AttributeValue strings may be formatted as multiple strings, a single string, or semicolon-separated values.
Example: http://schemas.xmlsoap.org/claims/Group
(Optional) Use the RDN Key for LDAP Group field to extract the name of the group from strings sent in LDAP format, Distinguished Names (DN).
Jamf Pro searches the incoming string for a Relative Distinguished Name (RDN) with the specified key and uses the value of that RDN as the actual name of the group.
Note:
If the directory service string contains several RDN parts with the same key (e.g., CN=Administrators, CN=Users, O=YourOrganization), Jamf Pro will extract group names from the first RDN Key (e.g., CN=Administrators). If you leave the RDN Key for LDAP Group field blank, Jamf Pro will use the entire LDAP format string.
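The group attribute formats described above (multiple strings, a single string, semicolon-separated values) and the RDN Key rule in the note, worked through as an added example; this is not Jamf's code, the sample values are constructed, and case-insensitive key comparison and the handling of a string with no matching RDN are assumptions noted in the comments.

```python
import re

# Constructed sample values for the Identity Provider Group Attribute, in the
# three shapes the page describes: a DN, a semicolon-separated pair of DNs,
# and a plain group name. Not taken from a real directory.
SAMPLE_GROUP_VALUES = [
    "CN=Administrators,CN=Users,O=YourOrganization",
    "CN=Helpdesk,OU=Groups,DC=example,DC=com;CN=Auditors,OU=Groups,DC=example,DC=com",
    "Managers",
]


def split_group_values(values):
    """Flatten the AttributeValue list into one entry per group string.
    Jamf Pro accepts multiple strings, a single string, or ';'-separated values."""
    entries = []
    for value in values:
        entries.extend(p.strip() for p in value.split(";") if p.strip())
    return entries


def extract_group_name(value, rdn_key):
    """Apply the RDN Key for LDAP Group rule to one group string.

    Blank key: the whole string is the group name, as the page states.
    Key set: the first RDN with that key wins (CN=Administrators from the
    sample above). Keys are compared case-insensitively, an assumption based
    on LDAP attribute types being case-insensitive. A string with no matching
    RDN yields None; the page does not say what Jamf Pro does in that case.
    """
    if not rdn_key:
        return value
    for rdn in re.split(r"(?<!\\),", value):  # split on unescaped commas only
        key, sep, name = rdn.partition("=")
        if sep and key.strip().lower() == rdn_key.strip().lower():
            return name.strip()
    return None


def resolve_groups(values, rdn_key, jamf_pro_groups):
    """Return the Jamf Pro groups an incoming user would be matched to, in
    order, assuming exact (case-sensitive) name comparison."""
    matched = []
    for entry in split_group_values(values):
        name = extract_group_name(entry, rdn_key)
        if name is not None and name in jamf_pro_groups and name not in matched:
            matched.append(name)
    return matched
```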
(Optional) Select the Security checkbox and choose one of the following Jamf Pro Signing Certificate options to establish a secure SAML communication:
Generate Certificate — Allows you to generate a signing certificate if you are not providing your own.
Upload Certificate — Allows you to upload your own signing certificate. If you are uploading the Jamf Pro signing certificate, upload a signing certificate keystore (.jks or .p12) with a private key to sign and encrypt SAML tokens, enter the password to the keystore file, select a private key alias, and then enter the key password.
Note:
You can re-upload the Jamf Pro signing certificate if your previous certificate is about to expire. Additionally, for some IdPs, you may need to download the certificate and include it in your IdP configuration settings.
(Optional) Click Single Sign-On Options for Jamf Pro to configure the following additional options:
Allow users to bypass the Single Sign-On authentication — Allows users to sign in to Jamf Pro without SSO if they directly navigate to the Jamf Pro URL. When a user tries to access Jamf Pro via your IdP, SSO authentication and authorization still occur.
Enable Single Sign-On for Self Service for macOS — Allows users to sign in to Self Service via the IdP login page. Self Service is able to access any existing usernames from the IdP.
Note:
Enabling this option automatically changes the Authentication Type in Settings > Self Service > macOS > Login to Single Sign-On.
Disabling this option automatically changes the Authentication Type in Settings > Self Service > macOS > Login to Directory Service account or Jamf Pro user account.
FIDO2 must be configured through your IdP and enabled in Jamf Pro.
Enable Single Sign-On for User Authentication during Enrollment — Allows users to enroll via the login page of their identity provider during user-initiated enrollment, account-driven User Enrollment, and account-driven Device Enrollment. When enabled, the username used for the IdP login page will become the username Jamf Pro uses for the Username field in the User and Location category during inventory updates. You can click Any identity provider user to allow access for all users in your IdP, or click Only this group to restrict access to a select group of users.
Note:
If a directory service is integrated with Jamf Pro, the User and Location information will be fully populated using a lookup from Jamf Pro to the directory service.
If a directory service is not integrated with Jamf Pro, the Username field will be the only item populated in the User and Location category. User lookup will not work during enrollment.
Click Save.
(Optional) Click Download to download the Jamf Pro metadata XML file.
Some IdPs require you to upload the metadata file to properly configure SAML. The file contains several important URLs that let the IdP know where to send a user, as well as how to verify with Jamf Pro.
EntityDescriptor: jamfproURI/saml/metadata
SingleLogoutService: jamfproURI/saml/SingleLogout
For other IdPs, no metadata file is required. This allows for quicker setup since all required information will be provided in the system automatically.
Users are now automatically redirected to your organization's IdP login page to access configured portions of Jamf Pro.