SAML Token Configuration for Enrollment Customization

To send Jamf Connect user information to create a local account, you must confirm that the attribute values (also known as claims) sent in a SAML token from your identity provider (IdP) contain the correct values. On macOS, the following user values are needed to create a local account:

  • Account name—The username that macOS uses to keep track of files and information on Mac computers. This name is also known as the short name (e.g., samantha.johnson).

  • Full name—The user's first and last name (e.g., Samantha Johnson).

To ensure these values are formatted correctly and meet your organization's needs, you must do the following:

  1. Configure and test SAML tokens sent from your IdP to make sure they include attribute statements with these values.

  2. Map the attribute names to the Account Name and Account Full Name fields of an Enrollment Customization in Jamf Pro.

Keep the following in mind when mapping SAML attributes:

  • SAML attribute names, values, and default claims in a token vary by IdP.

  • Most IdPs allow you to customize attributes and claims to suit your configuration needs.

  • Using a SAML decoder can help you examine the contents of a SAML token for user claims.

  • Attribute values in email format can also be used for an account name. If detected, Jamf Connect will automatically use all characters preceding the "@" symbol of the email as a macOS local account name.

Configuring SAML Token Attributes from Microsoft Azure AD

Requirement

A Jamf Pro SSO integration in Microsoft Azure AD
For more information, see the Tutorial: Azure Active Directory SSO integration with Jamf Pro documentation from Microsoft.

Procedure

  1. In Azure AD, click Azure Active Directory.

  2. Navigate to your Jamf Pro SSO enterprise application.

  3. Click Single sign-on in the left sidebar.

  4. In User Attributes & Claims, click Edit.

  5. Click Add new claim.

  6. Add new claims that match the account name and account full name values needed for an Enrollment Customization. Consider the following claim name, value, and token XML examples:

    Claim Name: http://schemas.microsoft.com/identity/claims/displayname
    Value: user.displayname
    Description: This claim value passes a user's first and last name and can be mapped to a user's macOS local account full name.
    Note: This attribute is included by default in SAML tokens sent from Azure AD.
    SAML Token XML:
    <AttributeStatement>
    <Attribute Name="http://schemas.microsoft.com/identity/claims/displayname">
    <AttributeValue>Samantha Johnson</AttributeValue>
    </Attribute>
    </AttributeStatement>

    Claim Name: username
    Value: user.givenname and user.surname
    Description: This custom attribute value uses the join() claim transformation to combine two claims into a single value. This claim name can be mapped to a user's macOS local account name.
    SAML Token XML:
    <AttributeStatement>
    <Attribute Name="username">
    <AttributeValue>samantha.johnson</AttributeValue>
    </Attribute>
    </AttributeStatement>

    Claim Name: NameID
    Value: emailAddress
    Description: The NameID in this example is formatted as an email address. Jamf Connect will automatically use all characters preceding the "@" symbol of the email as a macOS local account name.
    Note: This attribute is included by default in SAML tokens sent from Azure AD, but its value may vary by environment.
    SAML Token XML:
    <Subject>
    <NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">samantha.johnson@yourorganization.com</NameID>
    <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <SubjectConfirmationData InResponseTo="ac3669a99a4djj832f59919a9gcifi"
    NotOnOrAfter="2020-12-23T18:06:08.719Z"
    Recipient="https://trial.jamfcloud.com/saml/SSO" />
    </SubjectConfirmation>
    </Subject>

    For more information about customizing user attributes and claims in a SAML token from Azure AD, see the How to: customize claims issued in the SAML token for enterprise applications documentation from Microsoft.

  7. Click Save.

Your SAML tokens now include the required values to configure the Account Name and Account Full Name fields of an Enrollment Customization in Jamf Pro. For confirmation, use a SAML decoder to examine the contents of a SAML token for user claims.

Configuring SAML Attributes from Okta

Requirement

A Jamf Pro SSO integration in Okta
For more information, see the Configuring Single Sign-On with Okta Knowledge Base article.

Procedure

  1. In Okta, click Applications.

  2. Navigate to your Jamf Pro SAML application that is used for SSO.

  3. Click the Sign-On tab.

  4. Click Edit.

  5. Click Add Another.

  6. Add new attribute statements that match the account name and account full name values needed for an Enrollment Customization. Consider the following attribute name, value, and token XML examples:

    Attribute Name: RealName
    Value: user.displayName
    Description: This custom attribute value passes a user's first and last name and can be mapped to a user's macOS local account full name.
    SAML Token XML:
    <saml2:Attribute Name="RealName"
    NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
    <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:type="xs:string">Samantha Johnson</saml2:AttributeValue>
    </saml2:Attribute>

    Attribute Name: UserShortName
    Value: user.nickName
    Description: This custom attribute value passes a user's Okta nickname, which is commonly formatted as "firstname.lastname". This attribute can be mapped to a user's macOS local account name.
    SAML Token XML:
    <saml2:Attribute Name="UserShortName"
    NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
    <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:type="xs:string">samantha.johnson</saml2:AttributeValue>
    </saml2:Attribute>

    For more information about customizing user attributes and claims in a SAML token from Okta, see this documentation from the Okta Developer website.

  7. Click Save.

Your SAML tokens now include the required values to configure the Account Name and Account Full Name fields of an Enrollment Customization in Jamf Pro. For confirmation, use a SAML decoder to examine the contents of a SAML token for user claims.
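The "use a SAML decoder" confirmation step in both the Azure AD and Okta procedures above, as an added example that is not Jamf's or either IdP's code: a small Python checker that decodes a base64 (or deflated) token, collects the attribute names and NameID from either the Azure AD or the Okta XML shape shown above, and derives the account name and full name an Enrollment Customization mapping would produce, applying the before-"@" rule for email-formatted values. The sample assertions, the example.com address and all function names are constructed for this example.

```python
import base64
import zlib
import xml.etree.ElementTree as ET

SAML_NS = "{urn:oasis:names:tc:SAML:2.0:assertion}"
# Constructed sample assertions (not real tokens): Azure AD default-namespace
# style, then Okta saml2: prefix style. Both resolve to the same SAML_NS.
AZURE_ASSERTION = """<Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
<Subject><NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">samantha.johnson@example.com</NameID></Subject>
<AttributeStatement><Attribute Name="http://schemas.microsoft.com/identity/claims/displayname">
<AttributeValue>Samantha Johnson</AttributeValue></Attribute></AttributeStatement></Assertion>"""
OKTA_ASSERTION = """<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
<saml2:AttributeStatement>
<saml2:Attribute Name="RealName"><saml2:AttributeValue>Samantha Johnson</saml2:AttributeValue></saml2:Attribute>
<saml2:Attribute Name="UserShortName"><saml2:AttributeValue>samantha.johnson</saml2:AttributeValue></saml2:Attribute>
</saml2:AttributeStatement></saml2:Assertion>"""

def encode_token(xml_text, deflate=False):
    """Base64 form a browser POSTs; deflate=True mimics the HTTP-Redirect binding."""
    data = xml_text.encode("utf-8")
    if deflate:
        c = zlib.compressobj(wbits=-15)  # raw deflate, no zlib header
        data = c.compress(data) + c.flush()
    return base64.b64encode(data).decode("ascii")

def decode_token(token):
    """Return assertion XML from raw XML or a base64 (optionally deflated) token."""
    token = token.strip()
    if token.startswith("<"):
        return token
    raw = base64.b64decode(token)
    if not raw.lstrip().startswith(b"<"):
        raw = zlib.decompress(raw, -15)  # Redirect binding deflates before base64
    return raw.decode("utf-8")

def extract_claims(xml_text):
    """Map every attribute Name (plus the Subject NameID) to its list of values."""
    root = ET.fromstring(xml_text)
    claims = {a.get("Name"): [v.text or "" for v in a.findall(SAML_NS + "AttributeValue")]
              for a in root.iter(SAML_NS + "Attribute")}
    name_id = root.find(".//" + SAML_NS + "NameID")
    if name_id is not None:
        claims["NameID"] = [name_id.text or ""]
    return claims

def enrollment_values(claims, account_name_attr, full_name_attr):
    """(account name, full name) as the Enrollment Customization mapping would produce them."""
    missing = [a for a in (account_name_attr, full_name_attr) if not claims.get(a)]
    if missing:
        raise KeyError("token lacks mapped attribute(s): " + ", ".join(missing))
    # Jamf Connect rule: an email-formatted account name keeps only the part before "@"
    account = claims[account_name_attr][0].split("@", 1)[0]
    return account, claims[full_name_attr][0]
```

Run enrollment_values against a decoded token with the same attribute names you entered in the Enrollment Customization; a KeyError means the IdP is not sending a claim you mapped.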

Related Information

For related information about testing and decoding SAML tokens, see the following resources:

Google Chrome SAML Message Decoder Extension
A Google Chrome web extension that can help troubleshoot SSO events on your computer.

Auth0 SAML Token Debugger
A website from Auth0 that decodes SAML tokens.

© copyright 2002-2021 Jamf. All rights reserved.