Single Sign-On

You can integrate with a third-party identity provider (IdP) to enable single sign-on (SSO) for portions of Jamf Pro. When SSO is configured and enabled, users are automatically redirected to your organization's IdP login page. After authentication, users obtain access to the resource they were attempting to access.

SSO with Jamf Pro can be enabled for the following:

  • Jamf Pro server

    Every time an unauthenticated user attempts to access the Jamf Pro server, they will be redirected to the IdP login page unless the Allow users to bypass the Single Sign-On authentication checkbox is selected in Jamf Pro's Single Sign-On settings.

  • User-Initiated Enrollment (iOS and macOS)

    Users must authenticate with an IdP to complete User-initiated Enrollment. The username entered during SSO authentication will be used by Jamf Pro to populate the Username field in the User and Location category during an inventory update.

  • Jamf Self Service for macOS

    Users must authenticate with an IdP to access Self Service. The username entered during SSO authentication will be used by Jamf Pro for scope calculations. Self Service is able to access any existing usernames from the IdP.

Note:

  • Using SSL (HTTPS) endpoints and the POST binding for transmission of the SAML protocol is recommended.

  • When configuring your IdP settings, using a SHA-256 or higher signature for SAML assertions is recommended.

Single Sign-On and LDAP

If LDAP is also integrated with Jamf Pro, keep the following in mind when configuring SSO:

  • If using LDAP users or groups for SSO, they should first be added as standard Jamf Pro users or groups in the Jamf Pro User Accounts and Groups settings.

  • If LDAP is integrated with Jamf Pro, LDAP limitations and exclusions can be used. They will be calculated by matching the username entered into the IdP during Self Service user login with the LDAP username.

  • If LDAP is not integrated with Jamf Pro, targets and exclusions for a username will be calculated by matching the username entered into the IdP during Self Service user login with Jamf Pro users accounts and groups.

Single Logout

Jamf Pro uses IdP-initiated SAML Single Logout (SLO) during enrollment to ensure users can end all sessions started with Jamf Pro and the IdP. Afters users complete the enrollment process, a Logout button is available. Use the Messaging pane in User-Initiated Enrollment settings to customize the text displayed during the enrollment experience.

SLO is not available in the following scenarios:

  • Your IdP does not provide any SLO endpoints in the metadata.

  • A Jamf Pro Signing Certificate is not set up.

When SLO is not available, a message stating that the IdP session may still be active is displayed to users. This is important for Jamf Pro administrators who cannot completely log out after performing the enrollment process for other users.

Note:

To support uncommon IdP configurations, the GET binding (less secure than POST) can be used for SAML Single Logout.

Identity Provider Configuration Settings

To implement single sign-on (SSO) with Jamf Pro, you must configure settings in your identity provider's console, portal, or a similar tool. Configuring settings in an IdP usually must be completed before you enable SSO in Jamf Pro, and some commonly used IdPs have pre-configured SSO settings specific to Jamf Pro.

Important:

Depending on your IdP, setting up SSO may require simultaneous configuration between your IdP and Jamf Pro to ensure some settings are mapped correctly. Additional settings or steps may also be required.

For IdP-specific instructions for configuring SSO, see the following articles:

For information on configuring SSO with Azure AD, see the following documentation from Microsoft: https://docs.microsoft.com/azure/active-directory/saas-apps/jamfprosamlconnector-tutorial.

For information on configuring SSO with Entrust Identity as a Service, see the following documentation from Entrust: https://entrust.us.trustedauth.com/documentation/help/admin/Integrate_Jamf_Pro.htm.

Enabling Single Sign-On in Jamf Pro

Note:

Enabling SSO for Jamf Pro services and applications prevents users from authenticating with all other user credentials.

Requirements

To enable single sign-on (SSO) in Jamf Pro, you need the following:

  • Integration with an identity provider (IdP) that supports SAML 2.0 protocols

  • Jamf Pro user accounts or groups with matching IdP usernames or groups

  • Administrator privileges to Jamf Pro and your IdP

  1. In Jamf Pro, click Settings in the top-right corner of the page.
  2. In the System Settings section, click Single Sign-On .
  3. Click Edit .
  4. Select the Enable Single Sign-On Authentication checkbox.
    Note:

    Copy the Failover Login URL and save it to a secure location.

  5. Choose your IdP from the Identity Provider pop-up menu. If your IdP is not available in the pop-up menu, choose Other.
  6. The Entity ID is pre-populated by default (e.g., "https://JAMF_PRO_URL.jamfcloud.com/saml/metadata") in Jamf Pro.
    Note:

    This value usually must match the Audience URI value in your IdP configuration settings.

  7. Choose Metadata URL or Metadata File from the Identity Provider Metadata Source pop-up menu. This value is obtained from your IdP's configuration settings.
  8. Enter a value in minutes in the Token Expiration field. This value determines the amount of time before the SAML token expires and is pre-populated depending on your IdP.
    Important:

    Make sure this value matches the token expiration settings configured in your IdP. If the values are different, users may encounter a single sign-on error when attempting to log in.

  9. Configure User Mapping settings:
    1. Select which attribute from the SAML token should be mapped to Jamf Pro users. NameID is selected by default. If you select Custom Attribute, define a custom attribute that is included in the SAML token sent from the IdP.
      Note:

      To complete the information exchange between Jamf Pro and the IdP, the SAML token sent by the IdP must include the NameID attribute for both options.

    2. Select Username or Email to determine how users in your IdP will be mapped to Jamf Pro users. By default, Jamf Pro gets information about the user from the IdP and matches it with existing Jamf Pro user accounts. If the incoming user account does not exist in Jamf Pro, then group name matching occurs.
    3. Enter the SAML token attribute that defines users in the IdP in the Attribute Name field. Jamf Pro matches each group from the Jamf Pro database and compares group names. Users will be granted access privileges from all of the groups in the same manner as a local Jamf Pro user would. AttributeValue strings may be formatted as multiple strings or a single string or semicolon-separated values.


      Example: http://schemas.xmlsoap.org/claims/Group

    4. (Optional) Use the RDN Key For LDAP Group setting to extract the name of the group from strings sent in LDAP format, Distinguished Names (DN). Jamf Pro will search the incoming string for a Relative Distinguished Name (RDN) with the specified key and use the value of the RDN Key as an actual name of the group.
      Note:

      If the LDAP directory service string contains several RDN parts with the same key (i.e., CN=Administrators, CN=Users, O=YourOrganization), then Jamf Pro will extract group names from the left-most RDN Key (CN=Administrators). If the RDN Key for LDAP Group field is left blank, Jamf Pro will use the entire LDAP format string.

  10. (Recommended) Choose an option from the Jamf Pro Signing Certificate to secure SAML communication with a digital signature. If uploading the Jamf Pro Signing Certificate, upload a signing certificate keystore (.jks or .p12) with a private key to sign and encrypt SAML tokens, enter the password to the KeyStore file, select a private key alias, and then enter the password for this key.
  11. Configure one or more of the following SSO Options for Jamf Pro:

    • Select Allow users to bypass the Single Sign-On authentication to allow users to sign in in to Jamf Pro without SSO, if they directly navigate to the Jamf Pro URL. When a user tries to access Jamf Pro via your IdP, SSO authentication and authorization still occurs.

    • Select Enable Single Sign-On for Self Service for macOS to allow users to log in to Self Service via the IdP login page. Self Service is able to access any existing usernames from the IdP.

      Note:

      • If selected, Login settings in Self Service for macOS will automatically change Self Service User Login settings to use to Single Sign-On.

      • Disabling SSO for Self Service automatically changes the Self Service User Login settings back to "Allow users to log in to view items available to them using an LDAP account or Jamf Pro user account".

    • Select Enable Single Sign-On for User-Initiated Enrollment to allow users to enroll with Jamf Pro via the IdP login page. When enabled, the username at the IdP login page will be the username Jamf Pro uses for the Username field in the User and Location category during an inventory update for a computer or mobile device. You can allow access to all users in your IdP or to restrict access to only a select group of users.

      Note:

      • If LDAP is integrated with Jamf Pro, the User and Location information will be fully populated using a lookup from Jamf Pro to LDAP.

      • If LDAP is not integrated with Jamf Pro, the Username field will be the only item populated in the User and Location category. User lookup will not work during enrollment.

  12. Click Save .
  13. (Optional) Download the Jamf Pro Metadata file.

Users will now be automatically redirected to your organization's IdP login page to access configured portions of Jamf Pro.

To test SSO authentication settings, log out of Jamf Pro and your IdP, and then navigate to your Jamf Pro URL in a web browser. Your IdP login page should display and successfully redirect you to the Jamf Pro dashboard after authentication.