Single Sign-On

The Single Sign-On (SSO) feature allows you to integrate with a third-party Identity Provider (IdP) and implement SSO for portions of the Casper Suite. When SSO is enabled, by default users are redirected to the Identity Provider login page. After successful authentication, users are directed back to the URL they were attempting to log into.

Single Sign-On can be enabled for:

  • Jamf Software Server (JSS)

  • User-Initiated Enrollment (iOS and macOS)

  • Self Service for macOS

Identity Providers

Single Sign-On can be implemented by integrating with a Security Assertion Markup Language 2.0 (SAML 2.0) Identity Provider. For information on configuring SSO in the JSS with selected Identity Providers, see the Configuring Single Sign-On Settings to Work with an Identity Provider section of this guide.

Single Sign-On Settings

To configure SSO, log in to the JSS with a web browser and in the top-right corner of the page, navigate to Settings > System Settings > Single Sign-On.

The following entries describe the Single Sign-On settings. Each gives the setting name, its description and, where one applies, an example value.

Setting: Single Sign-On (SSO) Utilization
Enables Single Sign-On access for selected applications or services.

Setting: Allow bypass for all users
When this setting is selected, users are not redirected to the Identity Provider login page for authentication and can log in to the JSS directly instead. When a user accesses the JSS via the Identity Provider, IdP-initiated SSO authentication and authorization occurs.

Setting: Additional login URL for users with privileges
Allows a JSS user account with Single Sign-On (SSO) privileges to access the JSS directly when SSO is enabled. It is recommended that you copy and save this failover URL.

Setting: User Mapping: SAML
By default, this setting is set to "NameID", but you may define a custom attribute. To complete the information exchange between the JSS and the IdP, the SAML assertion sent by the IdP must contain the NameID attribute. If a custom attribute is used, the SAML assertion must contain both the NameID attribute (with any value) and the specified user attribute.
Example: "NameID" or a custom attribute (e.g., "User")

Setting: User Mapping: JSS
The JSS maps the SAML attributes sent by the IdP in two ways: by user and by group. When a user tries to access the JSS, by default the JSS gets information about the user from the Identity Provider and matches it against JSS user accounts. If the incoming user account does not exist in the JSS, group name matching occurs instead.
Example: "Username" or "Email"

Setting: Group Attribute Name
In the Group Attribute Name, you may define a custom attribute. Group information should be provided in the SAML attribute sent by the IdP and can contain a list of group names. The JSS compares each incoming group name against the groups in the JSS database. Users are granted the access privileges of all matching groups, in the same manner as a local JSS user would be.

<Attribute Name="http://schemas.xmlsoap.org/claims/Group">
<AttributeValue>Administrators</AttributeValue>
<AttributeValue>JSS_Auditor</AttributeValue>
</Attribute>

Group name lists can consist of separate <AttributeValue> elements, as in the example above. The JSS can also extract the list of group names from a single <AttributeValue> element that contains a string of group names separated by semicolons:

<Attribute Name="http://schemas.xmlsoap.org/claims/Group">
<AttributeValue>Administrators;JSS_Auditor</AttributeValue>
</Attribute>

Example: http://schemas.xmlsoap.org/claims/Group

Setting: RDN Key for LDAP Groups
Used to extract the name of a group from strings sent in LDAP Distinguished Name (DN) format. The JSS searches the incoming string for a Relative Distinguished Name (RDN) with the specified key and uses the value of that RDN as the group name. If the LDAP directory service string contains several RDN parts with the same key (e.g., CN=Administrators, CN=Users, O=YourOrganization), the JSS extracts the group name from the left-most RDN with that key (CN=Administrators). If the RDN Key for LDAP Groups field is left blank, the JSS uses the entire LDAP format string as the group name.
Example: "CN", "DC", "O" or similar

Setting: Entity ID
By default, the Entity ID is prefilled in the JSS. Use the same Entity ID when configuring your IdP settings.
Example: https://jss.example.com/saml/metadata

Setting: Identity Provider
The JSS supports any SAML 2.0 Identity Provider. Select your IdP to populate the Token Expiration value.
Example: "Active Directory Federation Services", "Okta", "Ping Identity", "OneLogin", "Shibboleth", "Google" or "Other"

Setting: JSS Signing Certificate
Optionally, you may generate or upload a JSS Signing Certificate so that JSS messages to the IdP are signed. Although this setting is optional, it is recommended that you always secure SAML communication with a digital signature.

If uploading the JSS Signing Certificate, upload a signing certificate keystore (.jks or .p12) containing a private key to sign and encrypt SAML tokens, enter the password for the keystore file, select a private key alias, and enter the password for this key.

Setting: Token Expiration
Specifies the Identity Provider session timeout in minutes. The Token Expiration field is populated depending on the Identity Provider you select. Ensure the value matches your IdP settings.
Example: "460"

Setting: JSS Metadata
To get metadata from the JSS, download an XML metadata file from the Single Sign-On settings page after saving your SSO configuration, or use the JSS metadata URL.
Example: https://jss.example.com/saml/metadata
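The user-mapping, group-attribute and RDN-key rules above are easiest to understand when applied to a concrete assertion, including the edge cases: an assertion with no NameID, a semicolon-separated group list inside one AttributeValue, and a DN-formatted group name. The Python script below is an added example, not Jamf code, that applies those rules to a constructed SAML assertion. The sample assertions and the function names (parse_assertion, resolve_user, resolve_groups, group_from_dn, authorize, assertion_accepted) are this example's own. One behaviour the page does not define, a configured RDN key that matches no RDN in the string, is handled here by falling back to the whole string; that fallback is an assumption.

```python
import xml.etree.ElementTree as ET

# Added example (not Jamf code): applies the User Mapping, Group Attribute Name
# and RDN Key rules from the settings table to a constructed SAML assertion.
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
GROUP_ATTR = "http://schemas.xmlsoap.org/claims/Group"

# Constructed sample: NameID, a custom "User" attribute and a Group attribute
# mixing separate values, a semicolon-separated list and a DN-formatted name.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>jdoe@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="User">
      <saml:AttributeValue>jdoe</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/claims/Group">
      <saml:AttributeValue>Administrators</saml:AttributeValue>
      <saml:AttributeValue>JSS_Auditor;Helpdesk</saml:AttributeValue>
      <saml:AttributeValue>CN=MacAdmins,CN=Users,O=YourOrganization</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Constructed negative sample: the IdP omitted NameID, which the JSS requires.
NO_NAMEID_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="User"><saml:AttributeValue>jdoe</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def parse_assertion(assertion_xml):
    """Parse assertion text into an element tree root."""
    return ET.fromstring(assertion_xml)


def attribute_values(root, name):
    """All AttributeValue strings of the Attribute whose Name matches."""
    values = []
    for attr in root.iterfind(".//saml:Attribute", NS):
        if attr.get("Name") == name:
            values.extend((v.text or "").strip()
                          for v in attr.iterfind("saml:AttributeValue", NS))
    return values


def resolve_user(root, user_mapping="NameID"):
    """User Mapping: SAML. NameID must be present in every assertion; when a
    custom attribute is configured it supplies the username instead."""
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        raise ValueError("assertion rejected: NameID is missing")
    if user_mapping == "NameID":
        return name_id.text.strip()
    values = attribute_values(root, user_mapping)
    if len(values) != 1:
        raise ValueError(f"assertion rejected: expected one {user_mapping!r} value")
    return values[0]


def group_from_dn(value, rdn_key):
    """RDN Key for LDAP Groups. The left-most RDN with the given key wins; a
    blank key means the whole string is the group name. Splitting on ','
    ignores RFC 4514 escaping, which is fine for the plain names used here.
    Assumption: a key that matches nothing also falls back to the whole string."""
    if not rdn_key:
        return value
    for part in value.split(","):
        key, sep, rdn_value = part.strip().partition("=")
        if sep and key.strip().lower() == rdn_key.lower():
            return rdn_value.strip()
    return value


def resolve_groups(root, rdn_key="", group_attr=GROUP_ATTR):
    """Group Attribute Name. Accepts separate AttributeValue elements and
    semicolon-separated lists inside one element, then applies the RDN rule."""
    groups = []
    for raw in attribute_values(root, group_attr):
        groups.extend(group_from_dn(item.strip(), rdn_key)
                      for item in raw.split(";") if item.strip())
    return groups


def authorize(assertion_xml, jss_accounts, jss_groups, user_mapping="NameID", rdn_key=""):
    """User Mapping: JSS. Match the user against JSS accounts first; only when no
    account exists fall back to group matching, granting every matching group."""
    root = parse_assertion(assertion_xml)
    user = resolve_user(root, user_mapping)
    if user in jss_accounts:
        return {"user": user, "matched_by": "account", "groups": []}
    matched = [g for g in resolve_groups(root, rdn_key) if g in jss_groups]
    if not matched:
        raise PermissionError(f"no JSS account or group matches {user!r}")
    return {"user": user, "matched_by": "group", "groups": matched}


def assertion_accepted(assertion_xml, user_mapping="NameID"):
    """True when the assertion satisfies the NameID / user-attribute requirement."""
    try:
        resolve_user(parse_assertion(assertion_xml), user_mapping)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print(authorize(SAMPLE_ASSERTION, {"alice"}, {"JSS_Auditor", "MacAdmins"}, "User", "CN"))
    print("NameID missing accepted?", assertion_accepted(NO_NAMEID_ASSERTION, "User"))
```

Run as written, the script reports that "jdoe" has no JSS account of that name and is therefore authorized through the groups JSS_Auditor and MacAdmins (the latter recovered from the DN via the CN key), and that the assertion without NameID is rejected even though it carries the custom User attribute.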

Authentication Using Single Sign-On

When Single Sign-On is enabled, by default Identity Providers handle the authentication of users. Authorization is based on access levels set in JSS User Accounts and Groups.

JSS Authentication

By default, every time an unauthenticated user attempts to access the JSS they will be redirected to the IdP login page unless the Allow bypass for all users checkbox is selected in the Single Sign-On settings.

Self Service for macOS Authentication

When SSO is enabled for Self Service for macOS, the username entered into the IdP during authentication will be the username the JSS utilizes for scope calculations. Self Service authentication will be granted for any username that exists in the IdP.

Note: If the Self Service User Login setting was previously set to "No Login", enabling SSO for Self Service will change the setting to "Allow users to log in to the login menu". In other cases, settings remain the same.

Authentication with LDAP

If LDAP is integrated with the JSS, LDAP limitations and exclusions can be used. They are calculated by matching the username entered into the IdP during Self Service login with the LDAP username.

Authentication without LDAP

If LDAP is not integrated with the JSS, targets and exclusions for a username are calculated by matching the username entered into the IdP during Self Service login with JSS user accounts and groups.

User-Initiated Enrollment Authentication

When SSO is enabled for User-Initiated Enrollment, the username entered into the IdP during authentication will be the username the JSS inputs into the Username field in the User and Location category when updating inventory information for a computer or mobile device.

Authentication with LDAP

If LDAP is integrated with the JSS, the User and Location information will be fully populated using a lookup from the JSS to LDAP.

Authentication without LDAP

If LDAP is not integrated with the JSS, the Username field will be the only item populated in the User and Location category. User lookup will not work during enrollment.

Single Logout

The JSS uses service provider-initiated SAML Single Logout (SLO) during enrollment to ensure users can end all sessions started with the JSS and the IdP. When users complete the enrollment process, they will be presented with a Logout button allowing them to perform SLO. Use the Messaging pane in User-Initiated Enrollment settings to customize the text displayed during the enrollment experience.

Single Logout will not be available if the selected IdP does not provide any SLO endpoints in the metadata, or if there is no JSS Signing Certificate set up. In such a case, users will be provided with a message advising that the IdP session might still be active. This is important for JSS administrator users who won't be able to fully log out after performing the enrollment process for other users.

Note: To support uncommon IdP configurations, the GET binding (less secure than POST) can be used for SAML Single Logout.

Requirements

To enable Single Sign-On, you need:

  • An Identity Provider (IdP) using SAML 2.0 protocols

  • JSS User Accounts and Groups that have matching Identity Provider usernames or groups

  • A user with administrator privileges for both the JSS and the Identity Provider

Configuring Single Sign-On Settings to Work with an Identity Provider

To fully implement the Single Sign-On feature, you must also configure your Identity Provider settings. The workflow varies depending on the Identity Provider you use.

See the following Knowledge Base articles for recommended workflows during Identity Provider configuration:

Further Considerations

  • It is recommended that you use SSL (HTTPS) endpoints and the POST binding for transmission of the SAML protocol.

  • If using LDAP users or groups for SSO, they should first be added as JSS users in the JSS User Accounts and Groups settings.

  • When configuring your Identity Provider settings, it is recommended that you use SHA-256 or higher signatures for SAML assertions.
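The Single Logout section above states that SLO is unavailable when the IdP metadata offers no SLO endpoint and that the GET binding is less secure than POST, and the considerations above add HTTPS endpoints and SHA-256 signatures. The Python script below is an added example, not Jamf code, that checks a constructed IdP metadata document and a constructed signed SAML response against those four points. The sample documents and the function names (endpoints, review_metadata, review_signature) are this example's own; the binding and signature-algorithm URIs are the standard SAML 2.0 and XML Signature identifiers, and HTTP-Redirect is the binding carried over GET. It inspects only the declared algorithms and does not cryptographically verify a signature.

```python
import xml.etree.ElementTree as ET

# Added example (not Jamf code): reviews IdP metadata and a signed SAML response
# against the guidance above: SLO endpoints present, POST rather than the
# GET-based HTTP-Redirect binding, HTTPS endpoints, SHA-256 or stronger signatures.
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
BINDING_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
BINDING_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"  # carried over GET
WEAK_ALGORITHMS = {
    "http://www.w3.org/2000/09/xmldsig#rsa-sha1",
    "http://www.w3.org/2000/09/xmldsig#dsa-sha1",
    "http://www.w3.org/2000/09/xmldsig#sha1",
}

# Constructed IdP metadata with two deliberate weaknesses: SLO is offered only
# over HTTP-Redirect, and the SSO endpoint is plain HTTP.
SAMPLE_IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example.com/metadata">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.com/slo"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://idp.example.com/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed response skeleton whose signature declares SHA-1 for both the
# signature and the digest (only the algorithm URIs matter for this check).
SAMPLE_SIGNED_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_r1">
  <ds:Signature>
    <ds:SignedInfo>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      <ds:Reference URI="#_r1">
        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
      </ds:Reference>
    </ds:SignedInfo>
  </ds:Signature>
</samlp:Response>"""


def endpoints(metadata_xml, service):
    """(binding, location) pairs for one IDPSSODescriptor service element type."""
    root = ET.fromstring(metadata_xml)
    return [(e.get("Binding"), e.get("Location"))
            for e in root.iterfind(f".//md:IDPSSODescriptor/md:{service}", NS)]


def review_metadata(metadata_xml):
    """Findings to clear before enabling SSO and SLO against this IdP."""
    findings = []
    slo = endpoints(metadata_xml, "SingleLogoutService")
    if not slo:
        findings.append("no SingleLogoutService endpoint: Single Logout will be unavailable")
    elif not any(binding == BINDING_POST for binding, _ in slo):
        findings.append("SingleLogoutService is offered only via the GET-based HTTP-Redirect binding")
    for service in ("SingleSignOnService", "SingleLogoutService"):
        for _, location in endpoints(metadata_xml, service):
            if not location.lower().startswith("https://"):
                findings.append(f"{service} endpoint is not HTTPS: {location}")
    return findings


def review_signature(response_xml):
    """Flag unsigned messages and SHA-1 algorithms. This reads the declared
    algorithm URIs only; cryptographic verification needs an XML-DSig library."""
    root = ET.fromstring(response_xml)
    algorithms = [e.get("Algorithm") for e in root.iterfind(".//ds:SignatureMethod", NS)]
    algorithms += [e.get("Algorithm") for e in root.iterfind(".//ds:DigestMethod", NS)]
    if not algorithms:
        return ["message carries no XML signature"]
    return [f"weak algorithm {alg}: use SHA-256 or stronger"
            for alg in algorithms if alg in WEAK_ALGORITHMS]


if __name__ == "__main__":
    for finding in review_metadata(SAMPLE_IDP_METADATA) + review_signature(SAMPLE_SIGNED_RESPONSE):
        print("-", finding)
```

Against the constructed inputs the script lists four findings: SLO only over the GET-based binding, an SSO endpoint that is not HTTPS, and SHA-1 used for both the signature and the digest. Pointing review_metadata at a real IdP's downloaded metadata file is a reasonable pre-flight check before saving the SSO configuration, since the JSS will silently fall back to the no-SLO behaviour described above if the endpoint is missing.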

To resolve common errors that users might experience while using Single Sign-On, see the Troubleshooting Single Sign-On in the JSS Knowledge Base article.

Related Information

For related information, see the following sections in this guide:

© copyright 2002-2017 Jamf. All rights reserved.