Jamf Blog
July 6, 2023 by Christie Vick

Admin SSO now available for Jamf Account

Learn how to seamlessly set up an identity provider (IdP) in your Jamf Account with our step-by-step guide, and take advantage of single sign-on authentication at the admin level.

We’re excited to be able to offer the advantages of single sign-on (SSO) authentication at the administrative level through Jamf Account.

Organization administrators are now able to configure their identity provider (IdP) once, in Jamf Account, with the configuration persisting across all Jamf products that implement login via a customer’s chosen IdP. As this IdP configuration is supported by the OpenID Connect (OIDC) protocol, organizations can use any IdP supporting OIDC.

If your organization does not have its own IdP or chooses not to configure it with Jamf Account, the login experience will continue to use either Jamf ID for products supporting this login method, or a specific application’s legacy authentication method.

Let’s take a look at how you can set up Admin SSO in Jamf Account.

Note: At least one administrator must have a valid Jamf ID login to enable this IdP configuration on behalf of your organization.

SSO configuration steps

Customer identity provider

Each identity provider’s process and associated user interface (UI) will be different for setting up an integration with an external application, such as Jamf Account. The following are the basic steps which should apply across IdPs.

1. Log in to the identity provider.

2. Select a new integration or registration and give it a name.

3. Select the redirect URLs and associated regions (US, EU, AU, JP).

4. Assign users or groups who are allowed to log in to the application.

5. Take note of the following details, as they are required to configure the IdP with Jamf:

  • URL: The issuer URL
  • Application client ID and secret: Details to log in the user and verify the OIDC request.

Single sign-on section in Jamf Account

In order to manage IdP connections, navigate to the tab under “Organization” labeled “SSO” within Jamf Account.

This Jamf Account example shows what an organization that has already completed the configuration would look like.

Domain verification

The first step to configure an identity connection in Jamf Account is verification of your organization’s ownership of the email domain to be used for login.

1. To start, click the “Domains” button to open a screen displaying your existing domains and the option to “+ add a Domain.”

2. Click on “+ add a Domain” to navigate to the form for entry of your domain name.

3. After entering the domain name, click “Save.” A confirmation message will be displayed and a unique DNS text record generated.

4. You will need to add this DNS text record to your domain registrar. Click on “Copy”, and follow the instructions to add it to your domain registrar.

5. On this page, as well as in the full list of domains, click “Verify” so that this domain is ready to be used.

IdP connection

After verifying the email domain, admins need to configure the OIDC connection.

1. On the main “SSO” tab, click the “+New Connection” button to open a new page.

2. Fill out the required details in the form, including the verified domain, “Issuer URL” and “Client ID and Secret” that were configured directly in the SSO provider.

3. Next, choose which Jamf applications use this connection:

  • As Jamf products add IdP support, they will be added to this list. Admins are now able to manage their authentication methods at this level of granularity!

4. Copy the callback URL to add to your own IdP.

5. Click “Save.” Jamf saves the IdP configuration and verifies all of the contacts on the account.

  • If any team member has a Jamf ID and an email address that uses anything other than the verified email domain, the user is shown a list of these emails in a warning modal.

6. The connection is now ready to use, allowing organizational users to log in via SSO for all enabled applications.

To see this configuration process for Okta specifically, check out this Jamf Short training video.
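A pre-flight check for the issuer URL noted in the IdP steps above, as an added example that is not Jamf's code: it validates the metadata an OIDC provider publishes at `/.well-known/openid-configuration` against the requirements of OpenID Connect Discovery 1.0 before the issuer is entered in the connection form. The `idp.example.com` issuer and both documents are constructed sample data, and the checks are this example's choices, not Jamf's validation logic.

```python
from urllib.parse import urlsplit

# Metadata that OpenID Connect Discovery 1.0 marks as REQUIRED.
REQUIRED = (
    "issuer", "authorization_endpoint", "token_endpoint", "jwks_uri",
    "response_types_supported", "subject_types_supported",
    "id_token_signing_alg_values_supported",
)

def discovery_url(issuer: str) -> str:
    """Where the provider publishes its metadata for this issuer URL."""
    return issuer.rstrip("/") + "/.well-known/openid-configuration"

def check_discovery(issuer: str, doc: dict) -> list:
    """Return a list of problems; an empty list means the document looks sane."""
    problems = [f"missing required field: {k}" for k in REQUIRED if k not in doc]
    # The spec requires an exact string match, so even a trailing slash matters.
    if doc.get("issuer") != issuer:
        problems.append(f"issuer mismatch: document says {doc.get('issuer')!r}")
    for key in ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri"):
        value = doc.get(key)
        if value and urlsplit(value).scheme != "https":
            problems.append(f"{key} is not https: {value}")
    algs = doc.get("id_token_signing_alg_values_supported", [])
    if "RS256" not in algs:
        problems.append("RS256 missing from ID token signing algorithms")
    if "none" in algs:  # allowed by the spec, but worth a manual review
        problems.append("unsigned ID tokens (alg 'none') advertised")
    return problems

# Constructed sample data: idp.example.com is a placeholder, not a real tenant.
ISSUER = "https://idp.example.com/oauth2/default"
GOOD_DOC = {
    "issuer": ISSUER,
    "authorization_endpoint": ISSUER + "/v1/authorize",
    "token_endpoint": ISSUER + "/v1/token",
    "jwks_uri": ISSUER + "/v1/keys",
    "response_types_supported": ["code"],
    "subject_types_supported": ["public"],
    "id_token_signing_alg_values_supported": ["RS256"],
}
# Same provider, but with a trailing slash on the issuer and keys served over http.
BAD_DOC = {**GOOD_DOC, "issuer": ISSUER + "/", "jwks_uri": "http://idp.example.com/keys"}

if __name__ == "__main__":
    for name, doc in (("good", GOOD_DOC), ("bad", BAD_DOC)):
        print(name, check_discovery(ISSUER, doc) or "ok")
```

To check a real provider, fetch the JSON from `discovery_url(issuer)` and pass the parsed document to `check_discovery` with the exact issuer string you plan to enter.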

Troubleshooting and support notes

  • It may take a few minutes or even hours for the DNS record to be propagated.
  • Login to Jamf with this IdP connection will only be allowed at the specified domain. If users are configured in your IdP with a different email address domain, they are not able to use this connection until that domain is also verified.
  • Questions? Reach out to success@jamf.com

Christie Vick
Product Manager