Adding an Identity Provider Mapping

Jamf Protect Documentation

Solution

Application

Content Type

Technical Documentation

Utilities & Services

ft:locale

en-US

Identity provider (IdP) mappings automatically assign roles to users based on IdP group membership, when Jamf Account SSO is used to log in to the macOS Security portal. When a user signs in, Jamf Account uses an ID token from the IdP to look for groups that are mapped to a role in macOS Security.

Important:

The Default group in the macOS Security portal is assigned the Full Admin role by default. New users are automatically added to the Default group during their initial sign-in. Before configuring roles, you should change the role of the Default group to Read Only or to a custom role, to ensure all users are not given Full Admin permissions upon sign-in.

Requirements

Jamf Account configured as the SSO provider
The IdP group names used for mapping must contain the string jamf (case insensitive), unless an alternative filter is configured in Jamf Account

In Jamf Protect, click Administrative > Account.
Click Identity Providers.
Locate the Jamf Account SSO identity provider that you want to configure mappings for.
Click Add Mapping.
Enter a group name from your organization's identity provider in the Identity provider group name field.
From the Roles menu, choose one or more roles to apply to members of the IdP group.
(Optional) Select Use as Access Group to make membership in this group required for access to your macOS Security portal.
Warning:
When you create an access group, any users who are not a member of an access group will no longer be able to access your macOS Security portal. Make sure that you, and all other users, are a member of an access group in your identity provider before saving this mapping.
Click Save.

Users with a membership to the group can sign in to the macOS Security portal using Jamf Account SSO and are assigned the roles associated with their identity provider groups, as specified in the mappings.