Configuring Single Sign-On with Okta
This article explains how to configure Single Sign-On (SSO) in Jamf Pro with Okta as your SAML 2.0 Identity Provider. When SSO is enabled, by default users and groups logging into Jamf Pro are redirected to the Okta login page. After successful authentication, they are redirected to the Jamf Pro Dashboard.
The SSO configuration procedure provided in this article was tested with Okta version 2018.40.
Note: Some setting names were changed in Jamf Pro 10.13.0. If you are using an earlier version of Jamf Pro, the setting names will not match the updated names in this article. For a list of name changes, see the 10.13.0 version of the Jamf Pro Release Notes.
Jamf Pro 9.97 or later
- Jamf Pro user accounts or groups that have matching users or groups in Okta
- User with administrative access to Okta
- User with Single Sign-On (SSO) privileges in Jamf Pro
Single Sign-On with Okta requires configuring your Okta account and Jamf Pro simultaneously. It is important to note that each configuration is unique to your environment, and additional steps may be necessary.
The procedure involves the following steps:
- Create an application for the Jamf Pro server in Okta.
- Copy Metadata from Okta.
- Configure Single Sign-On in Jamf Pro.
- (Optional) Enable Single Logout.
- Test the Okta Single Sign-On configuration.
Step 1: Create an Application for the Jamf Pro Server in Okta
There are two methods in Okta for adding an application for the Jamf Pro server. You can use the pre-configured SAML 2.0 application or manually setup a SAML 2.0 application. You may want to manually setup a SAML 2.0 application to have Single Logout (SLO) enabled.
Using the Pre-Configured Application
- Log in to Okta as a user with administrator privileges and navigate to Admin > Applications.
- Click Add Application.
- Search for the JAMF Software Server (JSS) application and click Add.
- In the General Settings section, enter your Jamf Pro domain (e.g., “https://instancename.jamfcloud.com”).
- Click Done.
- Use the Assignment section to assign users or groups to the Jamf Pro application. It is recommended to first create a test user and verify the configuration, before assigning to target users or groups.
- (Optional) Depending on your environment, use the General, Sign On, Import, and Assignment sections to configure additional SSO options.
Manually Adding a SAML 2.0 Application
- Log in to Okta as a user with administrator privileges and navigate to Admin > Applications > Add Application > Create New App.
- Select “SAML 2.0” and click Create.
- In the General Settings section, enter the application name and click Next.
- Configure General SAML settings:
a. Single Sign-On URL should match the following format: "https://instancename.jamfcloud.com/saml/SSO".
b. Audience URI (SP Entity ID) should match the Entity ID field in Jamf Pro (e.g., "https://instancename.jamfcloud.com/saml/SSO").
c. Application username should match the User Mapping: Jamf Pro field. If Jamf Pro matches users by username, select “Okta username prefix”. Use the default setting “Okta username” to match users by email.
- Configure Advanced Settings. It is recommended that you set the Signature Algorithm to "RSA-SHA256".
- Configure the Group Attribute Statement. Note that it is possible to change the name of the SAML attribute to be used by Jamf Pro when retrieving group information (Group Mapping).
a. For the Name field enter: "http://schemas.xmlsoap.org/claims/Group".
b. The Filter setting will send a list of all groups where a particular user is a member; this can be narrowed if needed (e.g. send only groups prefixed with 'JSS').
- Click Next and finish configuring the application.
Step 2: Copy Metadata from Okta
Copy the metadata file or URL from your Identity Provider.
- In Okta, navigate to the created application for the Jamf Pro server.
- Go to the Sign On settings tab.
a. To obtain the metadata by URL, right-click on the Identity Provider metadata link and select “Copy link address”.
b. To obtain the metadata file, click on the Identity Provider metadata link, copy and save as a metadata.xml file.
Step 3: Configure Single Sign-On in Jamf Pro
Configure and enable SSO in Jamf Pro.
- In Jamf Pro, navigate to Settings > System Settings > Single Sign-On.
- Click Edit.
- Select the Enable Single Sign-On Authentication checkbox.
- For Identity Provider User Mapping, either choose "NameID" or specify a custom attribute. If using a custom attribute, the SAML assertion sent by Okta must contain the NameID attribute (any value), in addition to the custom attribute. This allows Jamf Pro and the Identity Provider to complete the information exchange.
- Jamf Pro User Mapping has to match the Application username from Okta. By default, it is set to “Username”.
- Add the group attribute name.
- (Optional) Add the RDN Key for your LDAP group.
- Select Okta for the Identity Provider.
- For Identity Provider Metadata Source, add the metadata URL or upload the metadata file from Okta.
- Entity ID is pre-populated by default (e.g., "https://instancename.jamfcloud.com/saml/SSO") and should match the Specify Audience URI field in Okta.
- Provide a Jamf Pro Signing Certificate. If no certificate is specified, SAML outgoing communication will not work. To fix this, you need to remove the WantAssertionsSigned attribute from <IDPSSODescriptor> element in the Okta metadata before uploading the file to Jamf Pro.
- (Optional) Select the Disable SAML token expiration checkbox.
- Select SSO options for Jamf Pro.
- Save the configuration.
Step 4: (Optional) Enable Single Logout
To enable Single Logout you will need to manually configure a SAML 2.0 application for the Jamf Pro server. Single Logout is important for Jamf Pro administrator users who will not be able to fully log out after performing the enrollment process for other users.
- In Okta, go to to the manually created application for the Jamf Pro server.
- Navigate to General > SAML Settings and click Edit.
- In "Advanced Settings", select the “Allow application to initiate Single Logout” checkbox.
a. For Single Logout URL, use the singlelogout parameter found in the Jamf Pro metadata.
b. For SP Issuer, use the Jamf Pro Entity ID (e.g., “https://instancename.jamfcloud.com/saml/metadata”).
- For Signature Certificate, upload the same certificate that was used in Jamf Pro. You can download it from the Single Sign-On settings pane in Jamf Pro.
- Save the configuration.
Step 5: Test the Okta SSO configuration
Ensure Single Sign-On is set up correctly.
- In Okta, assign a test user to the created application for the Jamf Pro server.
- In Jamf Pro, create a test user with Single Sign-On privileges.
Note: The Jamf Pro test user account should match the test user in Okta.
- Sign out of the Okta administration console.
- Log out of Jamf Pro.
- In a web browser, navigate to your Jamf Pro URL.
- Once redirected to the Okta sign in page, enter your login credentials.
-If the test is successful, you will be logged in to Jamf Pro.
-If the test failed, use your additional login URL to log in to Jamf Pro, and check your configuration. The URL can be found in your Single Sign-On settings in Jamf Pro.