Single Sign-On

The Single Sign-On (SSO) feature allows you to integrate with a third-party Identity Provider (IdP) and implement SSO for portions of Jamf Pro. When SSO is enabled, by default users are redirected to the Identity Provider login page. After successful authentication, users are directed back to the URL they were attempting to log into.

Single Sign-On can be enabled for:

  • Jamf Pro server

  • User-Initiated Enrollment (iOS and macOS)

  • Jamf Self Service for macOS

Identity Providers

Single Sign-On can be implemented by integrating with a Security Assertion Markup Language 2.0 (SAML 2.0) Identity Provider. For information on configuring SSO in Jamf Pro with selected Identity Providers, see the Configuring Single Sign-On Settings to Work with an Identity Provider section of this guide.

Single Sign-On Settings

To configure SSO, log in to Jamf Pro and in the top-right corner of the page, navigate to Settings > System Settings > Single Sign-On.

The following table describes the Single Sign-On settings. Each entry gives the setting name, its description, and an example value where one applies.

Single Sign-On (SSO) Utilization

Enables Single Sign-On for the selected applications or services (Jamf Pro server, User-Initiated Enrollment, Jamf Self Service for macOS).

Allow bypass for all users

When this setting is selected, users are not redirected to the Identity Provider login page; they can log in to Jamf Pro directly instead. SSO still works when a user starts from the Identity Provider: in that case IdP-initiated SSO authentication and authorization occurs. Note that with bypass allowed, the IdP is no longer the only way into the Jamf Pro web interface, so any controls enforced by the IdP at login do not apply to direct logins.

Additional login URL for users with privileges

Allows a Jamf Pro user account with Single Sign-On (SSO) privileges to access Jamf Pro directly when SSO is enabled, for example when the IdP is unavailable or misconfigured. It is recommended that you copy and save this failover URL, and restrict SSO bypass privileges to the accounts that need them.

User Mapping: SAML

By default, this setting is set to "NameID", but you may define a custom attribute. To complete the information exchange between Jamf Pro and the IdP, the SAML assertion sent by the IdP must contain a NameID. If a custom attribute is used, the assertion must still contain a NameID (with any value) in addition to the specified user attribute.

"NameID" or custom attribute (e.g., "User")

User Mapping: Jamf Pro

Jamf Pro maps the SAML attributes sent by the IdP in two ways: by user and by group. When a user tries to access Jamf Pro, Jamf Pro first takes the user identifier received from the Identity Provider and matches it against Jamf Pro user accounts, using either the Username or the Email field as selected here. Only if no matching user account exists in Jamf Pro does group name matching occur.

"Username" or "Email"

Group Attribute Name

In the Group Attribute Name field, you may define a custom attribute. Group information should be provided in the SAML attribute of that name sent by the IdP and can contain a list of group names. Jamf Pro compares each group name in the assertion against the group names in the Jamf Pro database; names that do not match any Jamf Pro group are ignored. Users are granted the access privileges of all matched groups combined, in the same manner as a local Jamf Pro user who is a member of those groups.

<Attribute Name="http://schemas.xmlsoap.org/claims/Group">
<AttributeValue>Administrators</AttributeValue>
<AttributeValue>Jamf_Auditor</AttributeValue>
</Attribute>

Group name lists can consist of separate <AttributeValue> elements, as in the example above. Jamf Pro can also extract the list of group names from a single <AttributeValue> element whose value is a string of group names separated by semicolons:

<Attribute Name="http://schemas.xmlsoap.org/claims/Group">
<AttributeValue>Administrators;Jamf_Auditor</AttributeValue>
</Attribute>

http://schemas.xmlsoap.org/claims/Group

RDN Key for LDAP Groups

Setting used to extract the name of the group from strings sent in LDAP Distinguished Name (DN) format. Jamf Pro searches the incoming string for a Relative Distinguished Name (RDN) with the specified key and uses the value of that RDN as the group name. If the DN contains several RDNs with the same key (e.g., CN=Administrators, CN=Users, O=YourOrganization), Jamf Pro takes the group name from the left-most matching RDN (CN=Administrators). If the RDN Key for LDAP Groups field is left blank, Jamf Pro uses the entire LDAP format string as the group name, so group names in Jamf Pro would then have to be the full DNs.

"CN", "DC", "O" or similar

Entity ID

By default, Entity ID is prefilled in Jamf Pro. Use the same Entity ID when configuring your IdP settings.

https://jss.mycompany.com:8443/saml/metadata

Identity Provider

Jamf Pro supports any SAML 2.0 Identity Provider. Select your IdP to prefill the Token Expiration value with that provider's default.

"Active Directory Federation Services", "Okta", "Ping Identity", "OneLogin", "Shibboleth", "Google" or "Other"

Jamf Pro Signing Certificate

Optionally, you may generate or upload a Jamf Pro Signing Certificate so that messages from Jamf Pro to the IdP are signed. Although this setting is optional, it is recommended that you always secure SAML communication with a digital signature. A signing certificate is also required for Single Logout (see "Single Logout" below).

If uploading a Jamf Pro Signing Certificate, upload a keystore (.jks or .p12) that contains the private key used to sign and encrypt SAML tokens, enter the password for the keystore file, select the private key alias, and enter the password for that key.

Token Expiration

Specifies Identity Provider session timeout in minutes. The Token Expiration field is populated depending on the Identity Provider you select. Ensure the value matches your IdP settings.

"460"

Jamf Pro Metadata

To get metadata from Jamf Pro, download an XML metadata file from the Single Sign-On settings page after saving your SSO configuration, or use the Jamf Pro metadata URL.

https://jss.mycompany.com:8443/saml/metadata
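The user and group mapping rules in the table above (User Mapping: SAML, User Mapping: Jamf Pro, Group Attribute Name and RDN Key for LDAP Groups) are easier to reason about when run against an actual assertion. The following is an added example written for this page; it is not Jamf Pro code and does not show how Jamf Pro is implemented internally. The assertion, the JAMF_USERS and JAMF_GROUPS tables, and the function names (resolve_access, group_names, rdn_value) are all constructed for the example. The page does not say what happens when the RDN key matches nothing in a DN; the example falls back to the whole string and labels that as an assumption.

```python
"""Resolve which Jamf Pro account or groups a SAML login maps to, following
the settings described above: the user identifier comes from NameID (or a
custom attribute), group names come from the Group Attribute Name (separate
<AttributeValue> elements or one semicolon-separated value), the RDN Key for
LDAP Groups trims LDAP-style DNs, and user matching is tried before group
matching. The assertion and the account tables below are constructed samples."""
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
GROUP_ATTR = "http://schemas.xmlsoap.org/claims/Group"

# Constructed assertion fragment, not a real IdP response. It carries both
# group-list forms from the text, with groups expressed as LDAP DNs.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML}">
  <saml:Subject><saml:NameID>jdoe@mycompany.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="User">
      <saml:AttributeValue>jdoe</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="{GROUP_ATTR}">
      <saml:AttributeValue>CN=Administrators,OU=Groups,O=YourOrganization</saml:AttributeValue>
      <saml:AttributeValue>CN=Jamf_Auditor,CN=Users,O=YourOrganization;CN=Helpdesk,O=YourOrganization</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Constructed stand-ins for Jamf Pro User Accounts and Groups. "Helpdesk" is
# deliberately missing so the example shows an unmatched group being ignored.
JAMF_USERS = {"jdoe": {"email": "jdoe@mycompany.com", "privileges": {"Read Computers"}}}
JAMF_GROUPS = {
    "Administrators": {"privileges": {"Read Computers", "Update Computers", "Read Users"}},
    "Jamf_Auditor": {"privileges": {"Read Computers", "Read Smart Groups"}},
}


def attribute_values(root, name):
    """All <AttributeValue> texts of the SAML Attribute called `name`."""
    values = []
    for attr in root.iter(f"{{{SAML}}}Attribute"):
        if attr.get("Name") == name:
            values += [(v.text or "").strip() for v in attr if v.tag == f"{{{SAML}}}AttributeValue"]
    return values


def user_identifier(root, user_mapping="NameID"):
    """The value Jamf Pro matches against its accounts. A NameID must be
    present even when a custom attribute is configured."""
    name_id = (root.findtext(f"{{{SAML}}}Subject/{{{SAML}}}NameID") or "").strip()
    if not name_id:
        raise ValueError("assertion has no NameID; Jamf Pro requires one")
    if user_mapping == "NameID":
        return name_id
    values = attribute_values(root, user_mapping)
    if not values:
        raise ValueError(f"assertion lacks the user attribute {user_mapping!r}")
    return values[0]


def rdn_value(dn, rdn_key):
    """Left-most RDN whose key matches, e.g. CN in
    'CN=Administrators,CN=Users,O=YourOrganization' -> 'Administrators'.
    A blank key returns the whole string, as the setting describes.
    Assumption (not stated on the page): no matching RDN also returns the
    whole string. Splitting on ',' ignores escaped commas inside DN values."""
    if not rdn_key:
        return dn
    for rdn in dn.split(","):
        key, sep, value = rdn.strip().partition("=")
        if sep and key.strip().lower() == rdn_key.lower():
            return value.strip()
    return dn


def group_names(root, group_attr=GROUP_ATTR, rdn_key=""):
    """Flatten separate elements and ';'-separated lists, then apply the RDN key."""
    entries = []
    for value in attribute_values(root, group_attr):
        entries += [part.strip() for part in value.split(";") if part.strip()]
    return [rdn_value(entry, rdn_key) for entry in entries]


def resolve_access(assertion_xml, user_mapping="NameID", jamf_field="Username",
                   group_attr=GROUP_ATTR, rdn_key=""):
    """User match first (exact match on Username or Email), then group match;
    privileges of all matched groups are combined. Raises PermissionError
    when neither a user nor any group matches."""
    root = ET.fromstring(assertion_xml)
    ident = user_identifier(root, user_mapping)
    for username, account in JAMF_USERS.items():
        stored = username if jamf_field == "Username" else account["email"]
        if stored == ident:
            return {"matched_by": "user", "account": username,
                    "privileges": set(account["privileges"])}
    groups = group_names(root, group_attr, rdn_key)
    matched = [g for g in groups if g in JAMF_GROUPS]
    if not matched:
        raise PermissionError(f"no Jamf Pro user or group matches {ident!r} / {groups}")
    privileges = set().union(*(JAMF_GROUPS[g]["privileges"] for g in matched))
    return {"matched_by": "group", "groups": matched, "privileges": privileges}


if __name__ == "__main__":
    print(resolve_access(SAMPLE_ASSERTION, "NameID", "Email"))
    print(resolve_access(SAMPLE_ASSERTION, "NameID", "Username", rdn_key="CN"))
```

Run it and compare the two calls: with the Email mapping the NameID matches the local account directly, so groups are never consulted; with the Username mapping the NameID does not match, and access comes from the union of the two groups the RDN key resolves to. With the RDN key left blank the full DN strings match no Jamf Pro group and the login is refused.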

Authentication Using Single Sign-On

When Single Sign-On is enabled, by default Identity Providers handle the authentication of users. Authorization is based on access levels set in Jamf Pro User Accounts and Groups.

Jamf Pro Server Authentication

By default, every time an unauthenticated user attempts to access the Jamf Pro server they will be redirected to the IdP login page unless the Allow bypass for all users checkbox is selected in the Single Sign-On settings.

Jamf Self Service for macOS Authentication

When SSO is enabled for Jamf Self Service for macOS, the username entered into the IdP during authentication is the username Jamf Pro uses for scope calculations. Self Service authentication is granted for any username that exists in the IdP; what the user can see is then determined by scoping, as described below.

Enabling SSO for Self Service automatically changes the Self Service User Login settings. The following list shows each setting before SSO is enabled and what it becomes after SSO is enabled:

  • Not enabled -> Allow users to log in to view items available to them using Single Sign-On

  • Allow users to log in to view items available to them using an LDAP account or Jamf Pro user account -> Allow users to log in to view items available to them using Single Sign-On

  • Require users to log in using an LDAP account or Jamf Pro user account -> Require users to log in using Single Sign-On

Note: Disabling SSO for Self Service automatically changes the Self Service User Login settings back to "Allow users to log in to view items available to them using an LDAP account or Jamf Pro user account".

If LDAP is integrated with Jamf Pro, LDAP limitations and exclusions can be used. They are calculated by matching the username entered into the IdP during Self Service user login with the LDAP username.

If LDAP is not integrated with Jamf Pro, targets and exclusions for a username are calculated by matching the username entered into the IdP during Self Service user login with Jamf Pro user accounts and groups.

User-Initiated Enrollment Authentication

When SSO is enabled for User-Initiated Enrollment, the username entered into the IdP during authentication will be the username Jamf Pro inputs into the Username field in the User and Location category when updating inventory information for a computer or mobile device.

Authentication with LDAP: If LDAP is integrated with Jamf Pro, the User and Location information is fully populated using a lookup from Jamf Pro to LDAP.

Authentication without LDAP: If LDAP is not integrated with Jamf Pro, the Username field is the only item populated in the User and Location category. User lookup does not work during enrollment.

Single Logout

Jamf Pro uses service provider-initiated SAML Single Logout (SLO) during enrollment to ensure users can end all sessions started with Jamf Pro and the IdP. When users complete the enrollment process, they will be presented with a Logout button allowing them to perform SLO. Use the Messaging pane in User-Initiated Enrollment settings to customize the text displayed during the enrollment experience.

Single Logout will not be available if the selected IdP does not provide any SLO endpoints in the metadata, or if there is no Jamf Pro Signing Certificate set up. In such a case, users will be provided with a message advising that the IdP session might still be active. This is important for Jamf Pro administrator users who won't be able to fully log out after performing the enrollment process for other users.

Note: To support uncommon IdP configurations, the GET binding (HTTP-Redirect) can be used for SAML Single Logout. It is less secure than POST because the SAML message is carried in the URL query string, where it can end up in server, proxy and browser history logs; use it only if the IdP requires it.

Requirements

To enable Single Sign-On, you need:

  • An Identity Provider (IdP) using SAML 2.0 protocols

  • Jamf Pro user accounts or groups that have matching Identity Provider usernames or groups

  • User with administrator privileges to Jamf Pro and the Identity Provider

Configuring Single Sign-On Settings to Work with an Identity Provider

To fully implement the Single Sign-On feature, you must also configure your Identity Provider settings. The workflow varies depending on the Identity Provider you use.

See the following Knowledge Base articles for recommended workflows during Identity Provider configuration:

Further Considerations

  • It is recommended that you use SSL (HTTPS) endpoints and the POST binding for transmission of the SAML protocol, so that assertions travel in the request body over an encrypted connection rather than in a URL.

  • If using LDAP users or groups for SSO, they should first be added as Jamf Pro users in the Jamf Pro User Accounts and Groups settings.

  • When configuring your Identity Provider settings, it is recommended that you use SHA-256 or higher signatures for SAML assertions.
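The conditions in the "Single Logout" section and in the considerations above (an SLO endpoint in the IdP metadata plus a Jamf Pro Signing Certificate, HTTPS endpoints with the POST binding, SHA-256 or stronger signatures) can be checked before an IdP is wired up. The following is an added example for this page, not Jamf Pro code or the Troubleshooting article's content. The IdP metadata and the response skeleton are constructed samples, the function names (slo_available, endpoint_findings, signature_findings) are invented for the example, and the signature check inspects only the declared algorithm; it does not validate the signature.

```python
"""Pre-flight checks against an IdP's SAML metadata and a signed SAML response,
covering the conditions this section states: Single Logout needs an SLO
endpoint in the IdP metadata plus a Jamf Pro Signing Certificate, endpoints
should be HTTPS and offer the POST binding rather than only Redirect (GET),
and signatures should use SHA-256 or stronger. Only the declared algorithm is
inspected; this does not verify the signature itself."""
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
# RSA and ECDSA signature method URIs for SHA-256/384/512 (RFC 4051 names).
STRONG_SIGNATURE_ALGS = {
    f"http://www.w3.org/2001/04/xmldsig-more#{alg}-sha{bits}"
    for alg in ("rsa", "ecdsa") for bits in (256, 384, 512)
}

# Constructed IdP metadata (not from any real provider): SLO is published only
# with the Redirect binding, and one SSO endpoint is plain HTTP.
SAMPLE_IDP_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD}" entityID="https://idp.example.com/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService Binding="{REDIRECT}" Location="https://idp.example.com/slo"/>
    <md:SingleSignOnService Binding="{POST}" Location="http://idp.example.com/sso"/>
    <md:SingleSignOnService Binding="{REDIRECT}" Location="https://idp.example.com/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed response skeleton carrying only the signature method, which is
# all this check looks at. The SHA-1 variant is what the check should reject.
SAMPLE_SHA1_RESPONSE = f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:ds="{DS}">
  <ds:Signature><ds:SignedInfo>
    <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
  </ds:SignedInfo></ds:Signature>
</samlp:Response>"""
SAMPLE_SHA256_RESPONSE = SAMPLE_SHA1_RESPONSE.replace(
    "http://www.w3.org/2000/09/xmldsig#rsa-sha1",
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256")


def _services(metadata_xml, kind):
    """(Binding, Location) pairs for every element of the given metadata type."""
    root = ET.fromstring(metadata_xml)
    return [(s.get("Binding"), s.get("Location") or "") for s in root.iter(f"{{{MD}}}{kind}")]


def slo_available(metadata_xml, jamf_signing_cert_configured):
    """Jamf Pro only offers the Logout button when the IdP publishes an SLO
    endpoint and a Jamf Pro Signing Certificate is configured."""
    return bool(_services(metadata_xml, "SingleLogoutService") and jamf_signing_cert_configured)


def endpoint_findings(metadata_xml):
    """Flag non-HTTPS locations and endpoint types published without a POST binding."""
    findings = []
    for kind in ("SingleSignOnService", "SingleLogoutService"):
        services = _services(metadata_xml, kind)
        for _binding, location in services:
            if not location.lower().startswith("https://"):
                findings.append(f"{kind}: non-HTTPS location {location}")
        if services and all(binding != POST for binding, _ in services):
            bindings = sorted({(b or "?").rsplit(":", 1)[-1] for b, _ in services})
            findings.append(f"{kind}: no HTTP-POST binding published; only {', '.join(bindings)}")
    return findings


def signature_findings(signed_xml):
    """Report any ds:SignatureMethod weaker than SHA-256, or a missing signature."""
    root = ET.fromstring(signed_xml)
    algorithms = [m.get("Algorithm") for m in root.iter(f"{{{DS}}}SignatureMethod")]
    if not algorithms:
        return ["no ds:Signature found"]
    return [f"weak SignatureMethod {alg}" for alg in algorithms if alg not in STRONG_SIGNATURE_ALGS]


if __name__ == "__main__":
    print("SLO available:", slo_available(SAMPLE_IDP_METADATA, jamf_signing_cert_configured=True))
    for finding in endpoint_findings(SAMPLE_IDP_METADATA) + signature_findings(SAMPLE_SHA1_RESPONSE):
        print("finding:", finding)
```

Feed it the metadata XML downloaded from your IdP and a SAML response captured from a browser trace; the findings list is what to fix on the IdP side before enabling SSO for enrollment, where a missing SLO path leaves an administrator's IdP session alive on a device they enrolled for someone else.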

To resolve common errors that users might experience while using Single Sign-On, see the Troubleshooting Single Sign-On in Jamf Pro Knowledge Base article.

Related Information

For related information, see the following sections in this guide:

© copyright 2002-2017 Jamf. All rights reserved.