Requirements
An Okta account
A valid Okta administrator account with the Application Administrator role assigned, or a role that includes the same permissions
If you have more than 100 groups in Okta, specify the target groups under in Jamf Security Cloud.
- Create a Jamf SSO app in Okta:
- Log in to your Okta admin console.
- Navigate to .
- Click Create App Integration.
- Select OpenID Connect for your sign-in method.
- After selecting OpenID Connect, the menu automatically drops down to the application type.
- Select Native Application for your application type.
- Click Next.
- On the New Native App Integration page that appears, configure the page as follows:
  - App integration name: Add a user-friendly name (for example, "Jamf End User SSO") and icon.
  - For Grant type, select Refresh Token. By default, Use persistent token will also be selected after you click Save below.
  - In the Sign-in redirect URIs fields, enter the required URIs based on the platforms in the following table:

    | Platform | URI |
    |---|---|
    | iOS / iPadOS | com.jamf.trust-auth://login |
    | Android | wandera-auth://login |
    | macOS | com.jamf.trust-auth://login |
    | Windows | http://localhost:4566/ |

  - In the Sign-out redirect URIs fields, enter the required URIs based on the platforms in the following table:

    | Platform | URI |
    |---|---|
    | iOS / iPadOS | com.jamf.trust-auth://logout |
    | Android | wandera-auth://logout |
    | macOS | com.jamf.trust-auth://logout |
    | Windows | N/A |

  - In the Controlled Access section, select Skip group assignment for now.
    Note: This option allows you to skip assignment until after the application has been created.
  - Click Save.
- In the General Settings section, click Edit.
- In the User consent section, deselect Require consent.
Note: If this section is unavailable, navigate to Enable consent for scopes in Okta's documentation for additional information.
- Click Save.
- On the Sign On tab, find the Token claims section, click Show legacy configuration, then click Edit.
- For Groups claim filter, change "Starts with" to "Matches regex".
Note: If you have more than 100 groups in Okta, change "Starts with" to "Equals".
- Enter .* in the value field.
Note: If you have more than 100 groups in Okta, enter a group name in the value field. For example, you may have named a group as IT or Zero Trust Network Access.
When using Identity-Based Provisioning, you can activate devices in different ways, based on a user's Okta group memberships. For more information, see Enabling Identity-Based Provisioning with Jamf Security Cloud.
- Click Save.
- On the Assignments tab, define the users and groups that are permitted to activate Jamf Security Cloud using their Okta credentials.
Note: Jamf recommends assigning this permission to all users for post-pilot/production deployments, but you may want to assign to individuals initially for testing purposes.
- Return to the General tab, and click the Copy to Clipboard icon corresponding to the Client ID.
- Create an Okta IdP connection in Jamf Security Cloud:
- Sign in to Jamf Security Cloud, then navigate to .
- Under Okta, click Add connection.
- Enter a connection name. Jamf recommends using your Okta Org name.
- Provide the full hostname of your Okta Organization Domain.
This is usually in the format company.okta.com or is a custom Okta Org hostname configured in Okta, for example, okta.company.com.
- Paste the Client ID, copied from the Okta console in a previous step, into the Client ID field.
- Click Test and Save.
- Repeat these steps for any other Okta connections as required.
Okta authentication is now configured.
The connection is now available when is selected for User Credentials (SSO) in the Authentication section within all defined Activation Profiles.
When users use an Activation Profile linked to an Okta connection, they will be prompted to sign in using Okta.
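To sanity-check an Okta app against the settings in this procedure before wiring it to an Activation Profile, here is an added example (not Jamf's or Okta's code). It assumes the app JSON shape of the Okta Apps API (`settings.oauthClient.*`, `consent_method` values `REQUIRED`/`TRUSTED`), models the Groups claim filter as a full regex match, and uses a constructed sample app and group list so it runs offline.

```python
import re

# Required redirect URIs from the tables in the procedure, keyed by platform.
SIGN_IN_URIS = {
    "iOS / iPadOS": "com.jamf.trust-auth://login",
    "Android": "wandera-auth://login",
    "macOS": "com.jamf.trust-auth://login",
    "Windows": "http://localhost:4566/",
}
SIGN_OUT_URIS = {  # Windows has no sign-out URI (N/A in the table)
    "iOS / iPadOS": "com.jamf.trust-auth://logout",
    "Android": "wandera-auth://logout",
    "macOS": "com.jamf.trust-auth://logout",
}


def audit_app(app: dict) -> list[str]:
    """Return findings for an Okta OIDC app; an empty list means it matches the procedure.
    Field names follow the Okta Apps API settings.oauthClient object (assumed)."""
    oc = app.get("settings", {}).get("oauthClient", {})
    findings = []
    if oc.get("application_type") != "native":
        findings.append("application type should be Native Application")
    if "refresh_token" not in oc.get("grant_types", []):
        findings.append("grant types must include Refresh Token")
    if oc.get("consent_method") == "REQUIRED":
        findings.append("Require consent should be deselected")
    for platform, uri in SIGN_IN_URIS.items():
        if uri not in oc.get("redirect_uris", []):
            findings.append(f"missing sign-in redirect URI for {platform}: {uri}")
    for platform, uri in SIGN_OUT_URIS.items():
        if uri not in oc.get("post_logout_redirect_uris", []):
            findings.append(f"missing sign-out redirect URI for {platform}: {uri}")
    return findings


def groups_claim(filter_type: str, value: str, user_groups: list[str]) -> list[str]:
    """Model which of a user's groups the Groups claim filter places in the token.
    ".*" with "Matches regex" passes every group; "Equals" narrows to one named group
    (the recommended setting for tenants with more than 100 groups)."""
    if filter_type == "Matches regex":
        return [g for g in user_groups if re.fullmatch(value, g)]  # full match assumed
    if filter_type == "Equals":
        return [g for g in user_groups if g == value]
    if filter_type == "Starts with":
        return [g for g in user_groups if g.startswith(value)]
    raise ValueError(f"unknown filter type: {filter_type}")


SAMPLE_APP = {  # constructed sample, not a real tenant's app
    "settings": {"oauthClient": {
        "application_type": "native",
        "grant_types": ["authorization_code", "refresh_token"],
        "consent_method": "TRUSTED",
        "redirect_uris": list(SIGN_IN_URIS.values()),
        "post_logout_redirect_uris": list(SIGN_OUT_URIS.values()),
    }}
}
```

Run `audit_app` on the JSON of your real app (for example, the output of the Okta Apps API) and investigate any findings before testing the connection in Jamf Security Cloud.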