Configuring Single Sign-On with Okta


This article explains how to configure Single Sign-On (SSO) in Jamf Pro with Okta as your SAML 2.0 Identity Provider. When SSO is enabled, users logging in to Jamf Pro are by default redirected to the Okta login page; after successful authentication they are redirected to the Jamf Pro Dashboard.

The SSO configuration procedure provided in this article was tested with Okta version 2018.40.

Note: Some setting names were changed in Jamf Pro 10.13.0. If you are using an earlier version of Jamf Pro, the setting names will not match the updated names in this article. For a list of name changes, see the 10.13.0 version of the Jamf Pro Release Notes.

Versions Affected

Jamf Pro 9.97 or later

Requirements

  • Jamf Pro user accounts or groups that have matching users or groups in Okta
  • User with administrative access to Okta
  • User with Single Sign-On (SSO) privileges in Jamf Pro


Single Sign-On with Okta requires configuration on both sides: the application in your Okta account and the Single Sign-On settings in Jamf Pro. Each configuration is unique to your environment, and additional steps may be necessary.

The procedure involves the following steps:

  1. Create an application for the Jamf Pro server in Okta.
  2. Copy Metadata from Okta.
  3. Configure Single Sign-On in Jamf Pro.
  4. (Optional) Enable Single Logout.
  5. Test the Okta Single Sign-On configuration.

Step 1: Create an Application for the Jamf Pro Server in Okta

There are two methods in Okta for adding an application for the Jamf Pro server: use the pre-configured SAML 2.0 application, or manually set up a SAML 2.0 application. The manually configured application is required if you want Single Logout (SLO) enabled (see Step 4).

Using the Pre-Configured Application

  1. Log in to Okta as a user with administrator privileges and navigate to Admin > Applications.
  2. Click Add Application.
  3. Search for the JAMF Software Server (JSS) application and click Add.
  4. In the General Settings section, enter your Jamf Pro domain (e.g., “”).
  5. Click Done.
  6. Use the Assignment section to assign users or groups to the Jamf Pro application. Create a test user and verify the configuration first, before assigning the application to the target users or groups.
  7. (Optional) Depending on your environment, use the General, Sign On, Import, and Assignment sections to configure additional SSO options.

Manually Adding a SAML 2.0 Application

  1. Log in to Okta as a user with administrator privileges and navigate to Admin > Applications > Add Application > Create New App.
  2. Select “SAML 2.0” and click Create.
  3. In the General Settings section, enter the application name and click Next.
  4. Configure General SAML settings:
     a. Single Sign-On URL should match the following format: "".
     b. Audience URI (SP Entity ID) should match the Entity ID field in Jamf Pro (e.g., "").
     c. Application username should match the Jamf Pro User Mapping setting in Jamf Pro. If Jamf Pro matches users by username, select "Okta username prefix" (the part of the Okta login before the "@"). Keep the default "Okta username" to match users by email.
  5. Configure Advanced Settings. Set the Signature Algorithm to "RSA-SHA256" rather than RSA-SHA1; SHA-1 signatures are deprecated.
  6. Configure the Group Attribute Statement. The name of the SAML attribute that Jamf Pro reads for group information (Group Mapping) is configurable, so it only has to match on both sides.
     a. For the Name field enter: "".
     b. With no Filter set, Okta sends every group the user is a member of; narrow this if needed (e.g., send only groups whose names start with "JSS").
  7. Click Next and finish configuring the application.

Step 2: Copy Metadata from Okta

Copy the metadata file or URL from your Identity Provider.

  1. In Okta, navigate to the created application for the Jamf Pro server.
  2. Go to the Sign On settings tab.
     a. To obtain the metadata by URL, right-click the Identity Provider metadata link and select "Copy link address".
     b. To obtain the metadata file, click the Identity Provider metadata link, then copy the XML and save it as metadata.xml.

Step 3: Configure Single Sign-On in Jamf Pro

Configure and enable SSO in Jamf Pro.

  1. In Jamf Pro, navigate to Settings > System Settings > Single Sign-On.
  2. Click Edit.
  3. Select the Enable Single Sign-On Authentication checkbox.
  4. For Identity Provider User Mapping, choose "NameID" or specify a custom attribute. If you use a custom attribute, the SAML assertion sent by Okta must still contain a NameID (any value) in addition to the custom attribute; Jamf Pro needs it to complete the exchange with the Identity Provider.
  5. Jamf Pro User Mapping must match the Application username configured in the Okta application (Step 1). By default it is set to "Username".
  6. Add the group attribute name. It must match the Name of the Group Attribute Statement in the Okta application.
  7. (Optional) Add the RDN Key for your LDAP group.
  8. Select Okta for the Identity Provider.
  9. For Identity Provider Metadata Source, add the metadata URL or upload the metadata file from Okta.
  10. Entity ID is pre-populated by default (e.g., "") and must match the Audience URI (SP Entity ID) field in Okta.
  11. Provide a Jamf Pro Signing Certificate. Without one, Jamf Pro cannot sign its outgoing SAML messages (authentication and logout requests). If the Okta metadata marks the <IDPSSODescriptor> element with WantAuthnRequestsSigned="true", unsigned requests are rejected and login fails. The recommended fix is to supply a certificate. Alternatively, remove that attribute from the <IDPSSODescriptor> element of the downloaded Okta metadata before uploading the file to Jamf Pro; note that this removes the signing requirement rather than satisfying it, and Single Logout (Step 4) still needs a signing certificate.
  12. (Optional) Select the Disable SAML token expiration checkbox. Leave it cleared unless you are troubleshooting a clock-skew problem you cannot fix otherwise: it removes the time-based check that limits how long a captured assertion remains usable.
  13. Select SSO options for Jamf Pro.
  14. Save the configuration.
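Before uploading the Okta metadata, it is worth checking what it actually declares. The following Python script is an added example (not Jamf or Okta code) that parses IdP metadata, lists the SSO and SLO endpoints, and reports whether the <IDPSSODescriptor> carries WantAuthnRequestsSigned="true", the case in which a Jamf Pro Signing Certificate is mandatory. The embedded metadata is a constructed sample in the shape Okta produces; the entityID, host, application id and certificate body are placeholders, not real values.

```python
"""Inspect Okta IdP metadata before uploading it to Jamf Pro (Step 3, items 9-11).
Added example, not Jamf or Okta code."""
import sys
import xml.etree.ElementTree as ET  # for metadata you did not fetch yourself over TLS, prefer defusedxml

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
BINDING_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
BINDING_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed sample modelled on the shape of Okta's IdP metadata; the entityID, host,
# app id and certificate body are placeholders, not real values.
SAMPLE_OKTA_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://www.okta.com/exkCONSTRUCTED">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data><ds:X509Certificate>Q09OU1RSVUNURUQ=</ds:X509Certificate></ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://example.okta.com/app/jamf/exkCONSTRUCTED/sso/saml"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://example.okta.com/app/jamf/exkCONSTRUCTED/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def inspect_idp_metadata(xml_text):
    """Parse IdP metadata and return the fields the Jamf Pro configuration depends on."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata (SP metadata from Jamf Pro?)")
    sso = {e.get("Binding"): e.get("Location") for e in idp.findall("md:SingleSignOnService", NS)}
    slo = [e.get("Location") for e in idp.findall("md:SingleLogoutService", NS)]
    certs = idp.findall("md:KeyDescriptor/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    return {
        "entity_id": root.get("entityID"),
        # WantAuthnRequestsSigned is the attribute the SAML metadata schema defines on
        # IDPSSODescriptor; "true" means the IdP rejects unsigned AuthnRequests.
        "want_authn_requests_signed": idp.get("WantAuthnRequestsSigned", "false").lower() == "true",
        "sso_post_url": sso.get(BINDING_POST),
        "sso_redirect_url": sso.get(BINDING_REDIRECT),
        "slo_urls": slo,
        "signing_cert_count": len(certs),
    }


def findings(info):
    """Turn the parsed metadata into the checks a practitioner wants before Step 3."""
    out = []
    if info["want_authn_requests_signed"]:
        out.append("Okta requires signed AuthnRequests: a Jamf Pro Signing Certificate is mandatory (Step 3, item 11).")
    if not info["slo_urls"]:
        out.append("No SingleLogoutService endpoint: Single Logout is not enabled on the Okta app (Step 4).")
    if info["signing_cert_count"] == 0:
        out.append("No signing certificate in metadata: Jamf Pro cannot verify Okta's assertion signatures.")
    for url in [info["sso_post_url"], info["sso_redirect_url"]] + info["slo_urls"]:
        if url and not url.startswith("https://"):
            out.append("Non-TLS endpoint in metadata: %s" % url)
    return out


if __name__ == "__main__":
    # Pass the path of a saved metadata.xml; with no argument the constructed sample is inspected.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_OKTA_METADATA
    info = inspect_idp_metadata(text)
    for key, value in info.items():
        print("%-28s %s" % (key, value))
    for line in findings(info):
        print("CHECK:", line)
```

Run it with the path of the saved metadata.xml as its argument; with no argument it inspects the embedded sample, which deliberately requires signed requests and has no logout endpoint, so both checks fire.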

Step 4: (Optional) Enable Single Logout

To enable Single Logout you must manually configure a SAML 2.0 application for the Jamf Pro server (see Step 1). Without Single Logout, logging out of Jamf Pro ends only the Jamf Pro session, not the Okta session: a Jamf Pro administrator who authenticates through SSO while performing enrollment for other users cannot fully log out, and the still-active Okta session signs them straight back in on the next visit to Jamf Pro.

  1. In Okta, go to the manually created application for the Jamf Pro server.
  2. Navigate to General > SAML Settings and click Edit.
  3. In "Advanced Settings", select the "Allow application to initiate Single Logout" checkbox.
     a. For Single Logout URL, use the singlelogout URL from the Jamf Pro metadata (e.g., "").
     b. For SP Issuer, use the Jamf Pro Entity ID (e.g., "").
  4. For Signature Certificate, upload the same certificate that was used in Jamf Pro. You can download it from the Single Sign-On settings pane in Jamf Pro.
  5. Save the configuration.

Step 5: Test the Okta SSO configuration

Ensure Single Sign-On is set up correctly.

  1. In Okta, assign a test user to the created application for the Jamf Pro server.
  2. In Jamf Pro, create a test user with Single Sign-On privileges. Note: The Jamf Pro test user account must match the Okta test user according to the user mapping chosen in Step 3 (username or email).
  3. Sign out of the Okta administration console.
  4. Log out of Jamf Pro.
  5. In a web browser, navigate to your Jamf Pro URL.
  6. Once redirected to the Okta sign-in page, enter your login credentials.
     - If the test is successful, you are logged in to Jamf Pro.
     - If the test fails, use the additional login URL to log in to Jamf Pro and check your configuration. The URL is shown in the Single Sign-On settings in Jamf Pro.
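When the test login fails, the fastest diagnosis is to decode the SAML response (a browser SAML-tracer extension shows it) and compare the NameID and the group attribute with what Jamf Pro expects. The following Python model is an added example, not Jamf Pro code: it reproduces the matching rules this article describes (Okta's Application username format against the Jamf Pro User Mapping, and the group attribute values against Jamf Pro group names) so you can see which configuration pairs line up and which silently fail. The account, group names, Okta login and the group attribute name "groups" are constructed placeholders, and exact string comparison is an assumption about Jamf Pro's behaviour.

```python
"""Model of how a SAML assertion from Okta is matched against Jamf Pro accounts and groups.
Added illustration, not Jamf Pro code; it follows the rules described in Steps 1 and 3."""
import xml.etree.ElementTree as ET  # prefer defusedxml for assertions captured from untrusted sources

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}


def okta_application_username(okta_login, app_username_format):
    """Okta 'Application username' setting (Step 1, item 4c): 'Okta username' sends the
    full login (an email address); 'Okta username prefix' sends the part before '@'."""
    if app_username_format == "Okta username":
        return okta_login
    if app_username_format == "Okta username prefix":
        return okta_login.split("@", 1)[0]
    raise ValueError("unsupported Application username format: %r" % app_username_format)


def okta_group_filter(groups, starts_with=None):
    """Group Attribute Statement filter (Step 1, item 6b): no filter sends every group the
    user belongs to; a 'Starts with' filter narrows it to a prefix such as 'JSS'."""
    if starts_with is None:
        return list(groups)
    return [g for g in groups if g.startswith(starts_with)]


def build_assertion(name_id, group_attr_name, groups):
    """Build the parts of an assertion this check reads (constructed; a real Okta assertion
    also carries Issuer, Conditions, AuthnStatement and an XML signature)."""
    values = "".join("<saml:AttributeValue>%s</saml:AttributeValue>" % g for g in groups)
    return (
        '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
        "<saml:Subject><saml:NameID>%s</saml:NameID></saml:Subject>"
        '<saml:AttributeStatement><saml:Attribute Name="%s">%s</saml:Attribute>'
        "</saml:AttributeStatement></saml:Assertion>" % (name_id, group_attr_name, values)
    )


def extract_claims(assertion_xml, group_attr_name, user_attr_name=None):
    """Return (user_value, groups). user_value is the NameID, or the named custom attribute
    when Identity Provider User Mapping is set to one (Step 3, item 4). A NameID must be
    present either way, as the article requires."""
    root = ET.fromstring(assertion_xml)
    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if not name_id:
        raise ValueError("assertion has no NameID; Jamf Pro requires one even with a custom user attribute")
    attrs = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    if user_attr_name:
        if user_attr_name not in attrs:
            raise ValueError("custom user attribute %r is not in the assertion" % user_attr_name)
        user_value = attrs[user_attr_name][0]
    else:
        user_value = name_id
    return user_value, attrs.get(group_attr_name, [])


def resolve_login(user_value, groups, jamf_accounts, jamf_groups, jamf_user_mapping):
    """Match the asserted identity against Jamf Pro accounts and groups. jamf_user_mapping is
    the Jamf Pro User Mapping setting, 'Username' or 'Email' (Step 3, item 5).
    Exact string comparison is assumed here."""
    key = jamf_user_mapping.lower()
    account = next((a for a in jamf_accounts if a[key] == user_value), None)
    matched_groups = [g for g in groups if g in jamf_groups]
    return account, matched_groups


# Constructed directory data: one Jamf Pro account, one Jamf Pro group, one Okta user.
JAMF_ACCOUNTS = [{"username": "jdoe", "email": "jdoe@example.com"}]
JAMF_GROUPS = {"JSS Admins"}
OKTA_LOGIN = "jdoe@example.com"
OKTA_GROUPS = ["Everyone", "JSS Admins", "Engineering"]


def simulate(app_username_format, jamf_user_mapping, group_filter_prefix="JSS",
             group_attr_name="groups"):
    """Run one Okta/Jamf Pro configuration pair end to end and report the outcome."""
    sent_user = okta_application_username(OKTA_LOGIN, app_username_format)
    sent_groups = okta_group_filter(OKTA_GROUPS, group_filter_prefix)
    assertion = build_assertion(sent_user, group_attr_name, sent_groups)
    user_value, groups = extract_claims(assertion, group_attr_name)
    account, matched = resolve_login(user_value, groups, JAMF_ACCOUNTS, JAMF_GROUPS, jamf_user_mapping)
    return {"sent_user": sent_user, "sent_groups": sent_groups,
            "account_matched": account is not None, "matched_groups": matched}


if __name__ == "__main__":
    # Matching pair from Step 1, item 4c: 'Okta username prefix' with Jamf Pro mapping 'Username'.
    print(simulate("Okta username prefix", "Username"))
    # Mismatched pair: Okta sends the full email while Jamf Pro compares usernames, so no account matches.
    print(simulate("Okta username", "Username"))
```

The second call is the common failure: authentication at Okta succeeds, but Jamf Pro finds no account whose username equals the asserted email and the login fails. Swapping either side (prefix in Okta, or Email mapping in Jamf Pro) makes the pair line up.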

SOLVED Posted: by mkremic

So I've managed to set up OKTA with our JSS and can successfully get our admins signing in through OKTA when SSO is turned on in the JSS. We'd also like our end users to sign into Self Service using SSO.

The only way I've managed to get this working is by adding an LDAP group that contains all of our end users into "JSS User Accounts & Groups" (with no permissions), as when the SSO is performed the JSS is looking at the group names passed from OKTA and comparing them to what is in "JSS User Accounts & Groups" for matches.

This works, however it also gives all our end users the ability to log into an empty JSS i.e. , which is less than ideal.

Is there any other way to allow end users to log into Self Service via SSO (whether it be OKTA or another provider) without opening up the ability to log into the JSS? Currently with LDAP authentication they can only log into Self Service.

Appreciate any thoughts/input! :)

SOLVED Posted: by gett-steve

Can this article be updated with details on how to configure using the current Apps pre-made in Okta?

SOLVED Posted: by nathan.anderson

Hello, please note that if you are having group-based login issues with Okta, this article needs updating to reflect that the Group Attribute Statement should be:

  • Note the "s" at the end of "claim" which is needed for this to work - we'll get the article updated asap. Thank you!
SOLVED Posted: by mkremic

Hey @nathan.anderson, correct me if I'm wrong, but as the original article lists, the name can be changed:

"Note that it is possible to change the name of the SAML attribute which will be used by the JSS to retrieve group information (Group Mapping)."

As long as they match on both OKTA and the JSS it shouldn't matter what it's called right?

Also, any update on whether you can integrate Self Service into OKTA without allowing your end users the ability to log into the JSS. Would love to turn SAML authentication on but this is really holding me back.

SOLVED Posted: by Daikonran

Not sure if it's the latest JSS release or OKTA, but I cannot get this to work on our JSS. Given that the instructions above are out of date, I put this together as best as possible using OKTA documentation and this JSS documentation, but when I try to log into the JSS via OKTA, it just times out every time. No special setup on our JSS with certificates that should make this more complicated than usual.

Anyone else seen similar issues?

SOLVED Posted: by dmac87

Having the same issue as @besteves . Would love to know the fix...

SOLVED Posted: by Daikonran

So we managed to fix this on our end. It turns out that the tab in OKTA is only for JAMF cloud and doesn't work with your local JSS, at least this is what I think.

Creating the tile from scratch using the above instructions, and then allowing traffic from OKTA / Outside into our network on port 8443, got it to work. If you are also having the time out issues, may be firewall related like ours was.

SOLVED Posted: by andre.sanchez

I've been trying to implement this for our on-premise JSS (we only use Okta as a directory service - no AD, no LDAP) and seem to have the authentication working, but I am not being redirected back to the dashboard when logging in. Instead I get the following message:

Anyone experienced this before?

SOLVED Posted: by mjmurillo

FYI - This is not possible with split JSS as of version 9.99.

SOLVED Posted: by m3ir

Thanks for this article.
LDAP integration without needing to add them into JSSUsers would be much appreciated.

SOLVED Posted: by boshea

I have SSO with OKTA login working for admins. Currently I add the admin to an LDAP group which adds the OKTA app to their OKTA profile. I then have to manually create the corresponding Jamf admin account in Jamf cloud with a random password. Is there a way to configure OKTA so that it auto creates the corresponding Jamf admin account in the Jamf Cloud instance so that moving forward, simply adding someone to the LDAP group will guarantee access to the Jamf Cloud Server?