Single Sign-On
You can integrate with a third-party identity provider (IdP) to enable single sign-on (SSO) for portions of Jamf Pro. When SSO is configured and enabled, users are automatically redirected to your organization's IdP login page. After authentication, users obtain access to the resource they were attempting to access.
SSO with Jamf Pro can be enabled for the following:
- Jamf Pro server: Every time an unauthenticated user attempts to access the Jamf Pro server, they will be redirected to the IdP login page unless the Allow users to bypass the Single Sign-On authentication checkbox is selected in Jamf Pro's Single Sign-On settings.
- User-Initiated Enrollment (iOS and macOS): Users must authenticate with an IdP to complete User-Initiated Enrollment. The username entered during SSO authentication will be used by Jamf Pro to populate the Username field in the User and Location category during an inventory update.
- Jamf Self Service for macOS: Users must authenticate with an IdP to access Self Service. The username entered during SSO authentication will be used by Jamf Pro for scope calculations. Self Service can use any existing username supplied by the IdP.
Using HTTPS endpoints and the HTTP-POST binding for transmitting SAML protocol messages is recommended.
When configuring your IdP settings, using a SHA-256 or stronger signature algorithm for SAML assertions is recommended.
Single Sign-On and LDAP
If LDAP is also integrated with Jamf Pro, keep the following in mind when configuring SSO:
- If using LDAP users or groups for SSO, they should first be added as standard Jamf Pro users or groups in the Jamf Pro User Accounts and Groups settings.
- If LDAP is integrated with Jamf Pro, LDAP limitations and exclusions can be used. They will be calculated by matching the username entered into the IdP during Self Service user login with the LDAP username.
- If LDAP is not integrated with Jamf Pro, targets and exclusions for a username will be calculated by matching the username entered into the IdP during Self Service user login with Jamf Pro user accounts and groups.
Single Logout
Jamf Pro uses IdP-initiated SAML Single Logout (SLO) during enrollment to ensure users can end all sessions started with Jamf Pro and the IdP. After users complete the enrollment process, a Logout button is available. Use the Messaging pane in User-Initiated Enrollment settings to customize the text displayed during the enrollment experience.
SLO is not available in the following scenarios:
- Your IdP does not provide any SLO endpoints in its metadata.
- A Jamf Pro Signing Certificate is not set up.
When SLO is not available, a message stating that the IdP session may still be active is displayed to users. This matters for Jamf Pro administrators who enroll devices on behalf of other users, because they cannot completely log out after performing the enrollment process and their IdP session may remain active.
To support uncommon IdP configurations, the GET binding (less secure than POST) can be used for SAML Single Logout.
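As an added example (not Jamf's own code or tooling), the following Python script checks an IdP's SAML metadata against the recommendations on this page: HTTPS endpoints, the HTTP-POST binding, the presence of SLO endpoints, and a SHA-256 or stronger signature algorithm. The metadata document, its entity ID and its endpoints are constructed for the example, and the Signature element is truncated to the part the check reads.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample IdP metadata (not from any real IdP). It deliberately contains one
# plain-HTTP endpoint, a GET-only SLO endpoint and a SHA-1 signature to exercise the checks.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.test/saml">
  <ds:Signature><ds:SignedInfo>
    <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
  </ds:SignedInfo></ds:Signature>
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/saml/slo"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.test/saml/sso"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="http://idp.example.test/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def check_idp_metadata(xml_text):
    """Return a list of findings; an empty list means every recommendation is met."""
    root = ET.fromstring(xml_text)
    findings = []
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        return ["metadata has no IDPSSODescriptor"]
    sso = idp.findall("md:SingleSignOnService", NS)
    slo = idp.findall("md:SingleLogoutService", NS)
    # Every SSO and SLO endpoint should be served over HTTPS.
    for ep in sso + slo:
        loc = ep.get("Location", "")
        if not loc.lower().startswith("https://"):
            findings.append(f"non-HTTPS endpoint: {loc}")
    # The POST binding is the recommended transport for SAML protocol messages.
    if not any(ep.get("Binding") == POST for ep in sso):
        findings.append("no HTTP-POST SingleSignOnService binding")
    # SLO needs an SLO endpoint in the metadata; without a POST binding only GET remains.
    if not slo:
        findings.append("no SingleLogoutService endpoint: SLO will be unavailable")
    elif not any(ep.get("Binding") == POST for ep in slo):
        findings.append("SLO offered only via the GET/Redirect binding")
    # Any XML signature in the document should use SHA-256 or stronger.
    for sig in root.iter(f"{{{NS['ds']}}}SignatureMethod"):
        alg = sig.get("Algorithm", "")
        if not alg.endswith(("sha256", "sha384", "sha512")):
            findings.append(f"weak signature algorithm: {alg}")
    return findings
```

Run it against the metadata XML your IdP exports for the Jamf Pro application before enabling SSO; each finding maps to one of the recommendations or SLO prerequisites above.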
Identity Provider Configuration Settings
To implement single sign-on (SSO) with Jamf Pro, you must configure settings in your identity provider's console, portal, or a similar tool. Configuring settings in an IdP usually must be completed before you enable SSO in Jamf Pro, and some commonly used IdPs have pre-configured SSO settings specific to Jamf Pro.
Depending on your IdP, setting up SSO may require simultaneous configuration between your IdP and Jamf Pro to ensure some settings are mapped correctly. Additional settings or steps may also be required.
For IdP-specific instructions for configuring SSO, see the following articles:
- For information on configuring SSO with Azure AD, see the following documentation from Microsoft: https://docs.microsoft.com/azure/active-directory/saas-apps/jamfprosamlconnector-tutorial.
- For information on configuring SSO with Entrust Identity as a Service, see the following documentation from Entrust: https://entrust.us.trustedauth.com/documentation/help/admin/Integrate_Jamf_Pro.htm.
Enabling Single Sign-On in Jamf Pro
Once SSO is enabled for a Jamf Pro service or application, users can authenticate to it only through the IdP; no other user credentials are accepted.
To enable single sign-on (SSO) in Jamf Pro, you need the following:
- Integration with an identity provider (IdP) that supports SAML 2.0 protocols
- Jamf Pro user accounts or groups with matching IdP usernames or groups
- Administrator privileges to Jamf Pro and your IdP
Users will now be automatically redirected to your organization's IdP login page to access configured portions of Jamf Pro.
To test SSO authentication settings, log out of Jamf Pro and your IdP, and then navigate to your Jamf Pro URL in a web browser. Your IdP login page should display and successfully redirect you to the Jamf Pro dashboard after authentication.