Enabling Single Sign-On in Jamf Pro

The Single Sign-On (SSO) feature allows you to integrate with a third-party Identity Provider (IdP) and implement SSO for portions of Jamf Pro. When SSO is enabled, users are automatically redirected to the Identity Provider login page. After successful authentication, users are directed back to the URL they were attempting to log into.

You must complete an SSO integration with Jamf Pro in order to use SSO authentication as part of an Enrollment Customization configuration that passes user information to Jamf Connect.

Identity Provider Configuration Settings

To implement single sign-on (SSO) with Jamf Pro, you must configure settings in your identity provider's console, portal, or a similar tool. Configuring settings in an IdP usually must be completed before you enable SSO in Jamf Pro, and some commonly used IdPs have pre-configured SSO settings specific to Jamf Pro.

Important: Depending on your IdP, setting up SSO may require simultaneous configuration between your IdP and Jamf Pro to ensure some settings are mapped correctly. Additional settings or steps may also be required.

For IdP-specific instructions for configuring SSO, see the following Knowledge Base articles:

For information on configuring SSO with Azure AD, see the Tutorial: Azure Active Directory SSO integration with Jamf Pro documentation from Microsoft.

Enabling Single Sign-On in Jamf Pro

Requirements

To enable SSO, you need the following:

  • A Jamf Connect-supported Identity Provider (IdP) that can use SAML 2.0 protocols

  • Jamf Pro user accounts or groups that have matching identity provider usernames or groups

  • User with administrator privileges to Jamf Pro and your Identity Provider (IdP)

Procedure

Note: Enabling SSO for Jamf Pro services and applications prevents users from authenticating with all other user credentials.

  1. Log in to Jamf Pro.

  2. In the top-right corner of the page, click Settings.

  3. Click System Settings.

  4. Click Single Sign-On.

  5. Click Edit.

  6. Select the Enable Single Sign-On Authentication checkbox.

    Note: Copy the Failover Login URL and save it to a secure location.

  7. Choose your IdP from the Identity Provider pop-up menu. If your IdP is not available in the pop-up menu, choose "Other".

  8. The Entity ID is pre-populated by default (e.g., "https://instancename.jamfcloud.com/saml/metadata") in Jamf Pro.

    Note: This value usually must match the Audience URI value in your IdP configuration settings.

  9. Choose "Metadata URL" or "Metadata File" from the Identity Provider Metadata Source pop-up menu. This value is obtained from your IdP's configuration settings.

  10. Enter a value in minutes in the Token Expiration field. This value determines the amount of time before the SAML token expires and is pre-populated depending on your IdP.

    Important: Make sure this value matches the token expiration settings configured in your IdP. If the values are different, users may encounter a single sign-on error when attempting to log in.

  11. Configure User Mapping settings:

    1. Select which attribute from the SAML token should be mapped to Jamf Pro users. NameID is selected by default. If you select Custom Attribute, define a custom attribute that is included in the SAML token sent from the IdP.

      Note: To complete the information exchange between Jamf Pro and the IdP, the SAML token sent by the IdP must include the NameID attribute for both options.

    2. Select Username or Email to determine how users in your IdP will be mapped to Jamf Pro users. By default, Jamf Pro gets information about the user from the IdP and matches it with existing Jamf Pro user accounts. If the incoming user account does not exist in Jamf Pro, then group name matching occurs.

    3. In the Identity Provider Group Attribute Name field, enter the name of the SAML token attribute that defines the user's groups in the IdP. Jamf Pro compares each incoming group name with the groups in the Jamf Pro database. Users are granted the access privileges of all matching groups, in the same manner as a local Jamf Pro user would be. The AttributeValue strings may be sent as multiple values, as a single value, or as semicolon-separated values.

      Example: http://schemas.xmlsoap.org/claims/Group

    4. (Optional) Use the RDN Key For LDAP Group setting to extract the group name from strings sent in LDAP Distinguished Name (DN) format. Jamf Pro searches the incoming string for a Relative Distinguished Name (RDN) with the specified key and uses that RDN's value as the group name.

      Note: If the LDAP directory service string contains several RDN parts with the same key (e.g., CN=Administrators, CN=Users, O=YourOrganization), Jamf Pro extracts the group name from the left-most RDN with that key (CN=Administrators). If the RDN Key for LDAP Group field is left blank, Jamf Pro uses the entire LDAP format string as the group name.
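The following added example (not Jamf's code, and not part of this page) shows how the group mapping described in steps 3 and 4 behaves: it reads the group attribute out of a constructed SAML assertion in the three shapes listed above (several AttributeValue elements, a single value, semicolon-separated values), applies the RDN Key For LDAP Group rule, and matches the resulting names against a set of Jamf Pro group names. The attribute name, the group names, the sample assertion, exact case-sensitive group matching, and the fallback to the whole string when no RDN carries the key are all assumptions made for the example.

```python
"""Added example (not Jamf Pro's code): SAML group attribute parsing, RDN key
extraction and group-name matching as described in the User Mapping settings.

Assumptions (not from the page): the sample assertion, attribute name and
Jamf Pro group names below are constructed; group matching is exact and
case-sensitive; a string with no RDN matching the key is used unchanged.
"""
import xml.etree.ElementTree as ET
from typing import List, Optional, Set, Tuple

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
GROUP_ATTRIBUTE = "http://schemas.xmlsoap.org/claims/Group"

# Constructed sample: one AttributeValue carries semicolon-separated names,
# one carries a DN-formatted string, one carries a plain single name.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/claims/Group">
      <saml:AttributeValue>Help Desk;Site Admins</saml:AttributeValue>
      <saml:AttributeValue>CN=Administrators,CN=Users,O=YourOrganization</saml:AttributeValue>
      <saml:AttributeValue>Auditors</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def group_values(assertion_xml: str, attribute_name: str) -> List[str]:
    """Return every group string carried by the named attribute.

    Handles multiple AttributeValue elements, a single element, and
    semicolon-separated values inside one element.
    """
    root = ET.fromstring(assertion_xml)
    values: List[str] = []
    for attr in root.findall(".//saml:Attribute", SAML_NS):
        if attr.get("Name") != attribute_name:
            continue
        for av in attr.findall("saml:AttributeValue", SAML_NS):
            text = av.text or ""
            values.extend(p.strip() for p in text.split(";") if p.strip())
    return values


def split_rdns(dn: str) -> List[Tuple[str, str]]:
    """Split a DN into (key, value) pairs from left to right.

    Backslash-escaped commas inside a value are kept as part of that value.
    A component without '=' is returned with an empty key.
    """
    parts: List[str] = []
    current: List[str] = []
    escaped = False
    for ch in dn:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            parts.append("".join(current))
            current = []
        else:
            current.append(ch)
    parts.append("".join(current))
    rdns: List[Tuple[str, str]] = []
    for part in parts:
        key, sep, value = part.partition("=")
        rdns.append((key.strip(), value.strip()) if sep else ("", part.strip()))
    return rdns


def group_name(raw: str, rdn_key: Optional[str]) -> str:
    """Apply the RDN Key For LDAP Group rule to one incoming group string.

    Blank key: the entire string is the group name. Otherwise the value of the
    left-most RDN whose key matches is used (key comparison is case-insensitive,
    as LDAP attribute types are; assumption). If no RDN matches, the string is
    used unchanged (assumption; the page does not cover this case).
    """
    if not rdn_key:
        return raw
    for key, value in split_rdns(raw):
        if key.lower() == rdn_key.lower():
            return value
    return raw


def matched_groups(assertion_xml: str, attribute_name: str,
                   rdn_key: Optional[str], jamf_groups: Set[str]) -> List[str]:
    """Names from the token that exist as Jamf Pro groups, in token order."""
    names = [group_name(v, rdn_key) for v in group_values(assertion_xml, attribute_name)]
    return [n for n in names if n in jamf_groups]


if __name__ == "__main__":
    jamf_groups = {"Administrators", "Site Admins", "Engineering"}  # constructed
    print(matched_groups(SAMPLE_ASSERTION, GROUP_ATTRIBUTE, "CN", jamf_groups))
```

Running the block prints `['Site Admins', 'Administrators']`: the semicolon-separated value contributes "Site Admins", the DN string is reduced to its left-most CN, and "Help Desk" and "Auditors" are dropped because no Jamf Pro group of that name exists. Leaving the RDN key blank would instead compare the full string "CN=Administrators,CN=Users,O=YourOrganization" against the group list, which would not match.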

  12. (Recommended) Choose an option from the Jamf Pro Signing Certificate to secure SAML communication with a digital signature. If uploading the Jamf Pro Signing Certificate, upload a signing certificate keystore (.jks or .p12) with a private key to sign and encrypt SAML tokens, enter the password to the KeyStore file, select a private key alias, and then enter the password for this key.

  13. Configure one or more of the following SSO Options for Jamf Pro:

    • Select Allow users to bypass the Single Sign-On authentication to allow users to sign in to Jamf Pro without SSO if they navigate directly to the Jamf Pro URL. When a user accesses Jamf Pro via your IdP, SSO authentication and authorization still occur.

    • Select Enable Single Sign-On for Self Service for macOS to allow users to log in to Self Service via the IdP login page. Self Service is able to access any existing usernames from the IdP.

      Notes:

      • If selected, the User Login settings in Self Service for macOS automatically change to use Single Sign-On.

      • Disabling SSO for Self Service automatically changes the Self Service User Login settings back to "Allow users to log in to view items available to them using an LDAP account or Jamf Pro user account".

    • Select Enable Single Sign-On for User-Initiated Enrollment to allow users to enroll with Jamf Pro via the IdP login page. When enabled, the username at the IdP login page will be the username Jamf Pro uses for the Username field in the User and Location category during an inventory update for a computer or mobile device. You can allow access to all users in your IdP or to restrict access to only a select group of users.

      Notes:

      • If LDAP is integrated with Jamf Pro, the User and Location information will be fully populated using a lookup from Jamf Pro to LDAP.

      • If LDAP is not integrated with Jamf Pro, the Username field will be the only item populated in the User and Location category. User lookup will not work during enrollment.

  14. Click Save.

  15. (Optional) Download the Jamf Pro Metadata file.

Users will now be automatically redirected to your organization's IdP login page to access configured portions of Jamf Pro.

To test SSO authentication settings, log out of Jamf Pro and your IdP, and then navigate to your Jamf Pro URL in a web browser. Your IdP login page should display and successfully redirect you to the Jamf Pro dashboard after authentication.

Related Information

For related information about configuring SSO with Jamf Pro, see the Single Sign-On section of the Jamf Pro Administrator's Guide.

© copyright 2002-2021 Jamf. All rights reserved.