SAML Token Attribute Mapping for Enrollment Customization

To send Jamf Connect user information to create a local account, you must confirm that the attribute values (also known as claims) sent in a SAML token from your identity provider (IdP) contain the correct values. On macOS, the following user values are needed to create a local account:

  • Account name: The username that macOS uses to keep track of files and information on Mac computers. This name is also known as the short name (e.g., samantha.johnson).
  • Full name: The user's first and last name (e.g., Samantha Johnson).

Keep the following in mind when mapping SAML attributes:

  • SAML attribute names, values, and default claims in a token vary by IdP.

  • Most IdPs allow you to customize attributes and claims to suit your configuration needs.

  • Using a SAML decoder can help you examine the contents of a SAML token for user claims.

  • Attribute values in email format can also be used for an account name. If detected, Jamf Connect will automatically use all characters preceding the @ symbol of the email as a macOS local account name.

Configuring SAML Token Attributes from Microsoft Azure AD

Requirements

You must create an app registration for Jamf Pro in Azure AD.

For information, see the Tutorial: Azure Active Directory SSO integration with Jamf Pro documentation from Microsoft.

  1. In Azure AD, click Azure Active Directory.
  2. Navigate to your Jamf Pro SSO enterprise application.
  3. Click Single sign-on in the left sidebar.
  4. In User Attributes & Claims, click Edit.
  5. Click Add new claim.
  6. Add new claims that match the account name and account full name values needed for an Enrollment Customization. Consider the following examples:
    Claim Name: http://schemas.microsoft.com/identity/claims/displayname
    Value: user.displayname
    Description: This claim value passes a user's first and last name and can be mapped to a user's macOS local account full name.
    Note: This attribute is included by default in SAML tokens sent from Azure AD.
    <AttributeStatement>
      <Attribute Name="http://schemas.microsoft.com/identity/claims/displayname">
        <AttributeValue>Samantha Johnson</AttributeValue>
      </Attribute>
    </AttributeStatement>

    Claim Name: username
    Value: user.givenname and user.surname
    Description: This custom attribute value uses the join() claim transformation to combine two claims into a single value. This claim name can be mapped to a user's macOS local account name.
    <AttributeStatement>
      <Attribute Name="username">
        <AttributeValue>samantha.johnson</AttributeValue>
      </Attribute>
    </AttributeStatement>

    Claim Name: NameID
    Value: emailAddress
    Description: The NameID in this example is formatted as an email address. Jamf Connect will automatically use all characters preceding the "@" symbol of the email as a macOS local account name.
    Note: This attribute is included by default in SAML tokens sent from Azure AD, but its value may vary by environment.
    <Subject>
      <NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">samantha.johnson@yourorganization.com</NameID>
      <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <SubjectConfirmationData InResponseTo="ac3669a99a4djj832f59919a9gcifi"
                                 NotOnOrAfter="2020-12-23T18:06:08.719Z"
                                 Recipient="https://trial.jamfcloud.com/saml/SSO" />
      </SubjectConfirmation>
    </Subject>
  7. Click Save.

Your SAML tokens now include the required values to configure the Account Name and Account Full Name fields of an Enrollment Customization in Jamf Pro.

For confirmation, use a SAML decoder to examine the contents of a SAML token for user claims.

Configuring SAML Attributes from Okta

Requirements

You must create an app integration for Jamf Pro in Okta.

For more information, see the Configuring Single Sign-On with Okta article.

  1. In Okta, click Applications.
  2. Navigate to your Jamf Pro SAML application that is used for SSO.
  3. Click the Sign-On tab.
  4. Click Edit.
  5. Click Add Another.
  6. Add new attribute statements that match the account name and account full name values needed for an Enrollment Customization. Consider the following examples:
    Attribute Name: RealName
    Value: user.displayName
    Description: This custom attribute value passes a user's first and last name and can be mapped to a user's macOS local account full name.
    <saml2:Attribute Name="RealName"
                     NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
      <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
                            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                            xsi:type="xs:string">Samantha Johnson</saml2:AttributeValue>
    </saml2:Attribute>

    Attribute Name: UserShortName
    Value: user.nickName
    Description: This custom attribute value passes a user's Okta nickname, which is commonly formatted as "firstname.lastname". This attribute can be mapped to a user's macOS local account name.
    <saml2:Attribute Name="UserShortName"
                     NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
      <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
                            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                            xsi:type="xs:string">samantha.johnson</saml2:AttributeValue>
    </saml2:Attribute>
  7. Click Save.

Your SAML tokens now include the required values to configure the Account Name and Account Full Name fields of an Enrollment Customization in Jamf Pro.

For confirmation, use a SAML decoder to examine the contents of a SAML token for user claims.
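The "use a SAML decoder" confirmation step in both the Azure AD and Okta procedures above can be scripted. The following is an added example (not Jamf's or either IdP's code) that decodes an assertion, lists the NameID and attribute claims, and applies the page's rule that an email-formatted value yields the part before "@" as the local account name; the sample assertion is constructed here and is not a real token.

```python
import base64
import xml.etree.ElementTree as ET
# Namespace URI shared by Azure AD and Okta assertions; only the prefix differs.
NS = {"saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample (not a real token): email NameID plus the two Azure AD claims
# above; Okta's RealName/UserShortName attributes use the same namespace and code.
SAMPLE_ASSERTION = """<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml2:Subject>
    <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">samantha.johnson@yourorganization.com</saml2:NameID>
  </saml2:Subject>
  <saml2:AttributeStatement>
    <saml2:Attribute Name="http://schemas.microsoft.com/identity/claims/displayname">
      <saml2:AttributeValue>Samantha Johnson</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="username">
      <saml2:AttributeValue>samantha.johnson</saml2:AttributeValue>
    </saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>"""
# Same assertion as the base64 string a browser posts in SAMLResponse.
SAMPLE_TOKEN_B64 = base64.b64encode(SAMPLE_ASSERTION.encode()).decode()

def parse_token(token: str) -> ET.Element:
    """Accept raw XML or base64. Inspection only: signature/Conditions are NOT validated."""
    raw = token.encode() if token.lstrip().startswith("<") else base64.b64decode(token)
    return ET.fromstring(raw)

def claims(root: ET.Element) -> dict:
    """Flatten NameID and every AttributeStatement claim into {name: [values]}."""
    out = {}
    name_id = root.find(".//saml2:Subject/saml2:NameID", NS)
    if name_id is not None and name_id.text:
        out["NameID"] = [name_id.text.strip()]
    for attr in root.findall(".//saml2:AttributeStatement/saml2:Attribute", NS):
        values = attr.findall("saml2:AttributeValue", NS)
        out[attr.get("Name")] = [v.text.strip() for v in values if v.text]
    return out

def local_account_name(value: str) -> str:
    """Rule from the page: an email-formatted value yields the part before '@'."""
    return value.split("@", 1)[0] if "@" in value else value

def enrollment_values(root, account_name_claim, full_name_claim):
    """Resolve macOS (account name, full name); a missing or multi-valued claim is an error."""
    c = claims(root)
    vals = [c.get(n, []) for n in (account_name_claim, full_name_claim)]
    if any(len(v) != 1 for v in vals):
        raise ValueError(f"each claim needs exactly one value, got {dict(zip((account_name_claim, full_name_claim), vals))}")
    return local_account_name(vals[0][0]), vals[1][0]
```

Run enrollment_values with the exact claim names you entered in the Enrollment Customization; a ValueError before enrollment is far cheaper than a Mac provisioned with a blank or wrong short name.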