You can integrate with a third-party identity provider (IdP) to enable single sign-on (SSO) for portions of Jamf Pro. When SSO is configured and enabled, users are automatically redirected to your organization's IdP login page. After authenticating, users are returned to the resource they originally requested.
SAML-based SSO with Jamf Pro can be enabled for the following:
- User-initiated enrollment (iOS and macOS) — Users must authenticate with an IdP to complete user-initiated enrollment. Jamf Pro uses the username entered during SSO authentication to populate the Username field in the User and Location categories during an inventory update.
- Jamf Self Service for macOS — Users must authenticate with an IdP to access Self Service. Jamf Pro uses the username entered during SSO authentication for scope calculations. Self Service is able to use any existing usernames from the IdP. Self Service for macOS supports the FIDO2 authentication method for single sign-on.
- Jamf Pro server — When an unauthenticated user attempts to access the Jamf Pro server, they are redirected to the IdP login page unless the "Allow users to bypass the Single Sign-On authentication" checkbox is selected in the Jamf Pro single sign-on settings.

Note: Jamf recommends that administrators with supported environments use the SSO integration through Jamf Account to ensure full access to all upcoming features. You can enable the SSO integration through Jamf Account alongside SSO with SAML for end users. For more information, see SSO with OIDC Through Jamf Account.
Jamf recommends using SSL (HTTPS) endpoints and the POST binding for transmission of the SAML protocol.
Jamf recommends configuring your IdP settings using a SHA-256 or higher signature for SAML assertions.
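The two recommendations above can be checked before an IdP is wired into Jamf Pro. The following Python script is an added example, not Jamf's code: it parses IdP metadata and flags any SingleSignOnService endpoint that is not HTTPS with the HTTP-POST binding, and reads the SignatureMethod of a signed assertion to confirm it is SHA-256 or stronger. The entityID, endpoints and assertion fragment are constructed samples, not values from any real IdP.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
# Signature algorithm URIs at SHA-256 or stronger (xmldsig-more, RFC 6931).
STRONG_SIG_ALGS = {
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha384",
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha512",
    "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256",
}

# Constructed IdP metadata (hypothetical entityID and endpoints): one plain-HTTP
# Redirect endpoint that should be flagged, one HTTPS POST endpoint that passes.
SAMPLE_IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example.test/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="http://idp.example.test/sso/redirect"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.test/sso/post"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed assertion fragment reduced to its SignatureMethod, signed with SHA-1.
SAMPLE_SIGNED_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_constructed" Version="2.0">
  <ds:Signature><ds:SignedInfo>
    <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
  </ds:SignedInfo></ds:Signature>
</saml:Assertion>"""


def check_sso_endpoints(metadata_xml):
    """List every SingleSignOnService endpoint that is not HTTPS or not the HTTP-POST binding."""
    findings = []
    for svc in ET.fromstring(metadata_xml).iterfind(".//md:SingleSignOnService", NS):
        binding, location = svc.get("Binding"), svc.get("Location", "")
        if not location.startswith("https://"):
            findings.append(f"non-HTTPS endpoint: {location}")
        if binding != POST_BINDING:
            findings.append(f"non-POST binding at {location}: {binding}")
    return findings


def check_signature_algorithm(assertion_xml):
    """Return (SignatureMethod URI, True if it is SHA-256 or stronger)."""
    method = ET.fromstring(assertion_xml).find(".//ds:SignedInfo/ds:SignatureMethod", NS)
    alg = method.get("Algorithm") if method is not None else None
    return alg, alg in STRONG_SIG_ALGS
```

Run against your IdP's real metadata and a captured SAML response: an empty findings list and a `True` second value mean both recommendations are met.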