
Configuring Single Sign-On with Okta

Overview

This article explains how to configure Single Sign-On (SSO) in Jamf Pro with Okta as your SAML 2.0 Identity Provider. When SSO is enabled, by default users and groups logging into Jamf Pro are redirected to the Okta login page. After successful authentication, they are directed back to the Jamf Pro Dashboard.

The SSO configuration procedure provided in this article was tested with Okta version 2016.19.

Versions Affected

Jamf Pro v9.93 or later

Requirements

  • Jamf Pro user accounts or groups that have matching users or groups in Okta
  • User with administrative access to Okta
  • User with Single Sign-On (SSO) privileges in Jamf Pro

Procedure

Single Sign-On with Okta requires configuring your Okta account and Jamf Pro simultaneously. It is important to note that each configuration is unique to your environment, and additional steps may be necessary.

The procedure involves the following steps:

  1. Copy Metadata from Okta
  2. Configure Single Sign-On in Jamf Pro
  3. (Optional) Enable Single Logout
  4. Test the Okta Single Sign-On configuration

Step 1: Copy Metadata from Okta

Copy the metadata file or URL from your Identity Provider.

  1. In Okta, navigate to the application for Jamf Pro.
  2. Go to the Sign On settings tab.
     a. To obtain the metadata by URL, right-click the Identity Provider metadata link and select "Copy link address".
     b. To obtain the metadata file, click the Identity Provider metadata link and download the metadata.

Step 2: Configure Single Sign-On in the JSS

Configure and enable SSO in Jamf Pro.

  1. In Jamf Pro, navigate to Settings > System Settings > Single Sign-On.
  2. Click Edit and configure Single Sign-On to enable SSO for Jamf Pro.
     a. Select the Jamf Pro Server checkbox.
     b. For User Mapping: SAML, either choose "NameID" or specify a custom attribute.
     c. User Mapping: Jamf Pro must match the Application username in Okta. By default, it is set to "Username".
     d. Entity ID identifies your instance of the application and should match the Audience URI field in Okta.
     e. Provide a Jamf Pro Signing Certificate. If no certificate is specified, outgoing SAML communication will not work; to work around this, remove the WantAssertionsSigned attribute from the <IDPSSODescriptor> element in the Okta metadata before uploading the file to Jamf Pro.
     f. (Optional) Select the Disable SAML token expiration checkbox.
  3. Save the configuration.

Step 3: (Optional) Enable Single Logout

Configure Okta and upload a certificate from Jamf Pro to enable Single Logout (SLO). This is especially important for Jamf Pro administrator users, who would otherwise not be able to fully log out after performing the enrollment process for other users.

  1. In Okta, go to the application for Jamf Pro.
  2. Navigate to General > SAML Settings and click Edit.
  3. Under Advanced Settings, select the "Allow application to initiate Single Logout" checkbox.
     a. For Single Logout URL, use the SingleLogout endpoint found in the Jamf Pro metadata (e.g., https://jamfpro.example.com/saml/SingleLogout).
     b. For SP Issuer, use the Jamf Pro Entity ID (e.g., https://jss.example.com/saml/metadata).
  4. For Signature Certificate, upload the same certificate that was used in Jamf Pro. You can download it from the Single Sign-On settings pane in Jamf Pro.
  5. Save the configuration.
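Before pasting values between the two consoles (Steps 1 to 3), it helps to pull them out of the metadata programmatically. The following script is an added example, not part of the Jamf article or Jamf's own tooling: it reads SAML 2.0 metadata (the Okta IdP metadata from Step 1, or the Jamf Pro SP metadata referenced in Step 3) and reports the entity ID, the signing flags, the published signing certificates and the SSO/SLO endpoints. The embedded metadata is constructed for illustration; the hostnames, app ID and certificate body are placeholders.

```python
import xml.etree.ElementTree as ET

# Added example (not from the Jamf article): pull the values an admin has to cross-check
# out of SAML 2.0 metadata. Works on Okta IdP metadata (Step 1) and Jamf Pro SP metadata
# (Step 3). The sample below is constructed; hostnames, app id and certificate are placeholders.
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}

def inspect_metadata(xml_text):
    """Return entity ID, role, signing flags, certificate count and endpoints."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    sp = root.find("md:SPSSODescriptor", NS)
    desc = idp if idp is not None else sp
    if desc is None:
        raise ValueError("no IDPSSODescriptor or SPSSODescriptor found")
    info = {"entity_id": root.get("entityID"), "role": "IdP" if idp is not None else "SP",
            "want_authn_requests_signed": None, "want_assertions_signed": None,
            "signing_certs": 0, "endpoints": {}}
    # Signing flags tell the other side whether unsigned messages will be rejected;
    # surface them so any weakening edit (Step 2e) is a deliberate decision, not a surprise.
    for attr, key in (("WantAuthnRequestsSigned", "want_authn_requests_signed"),
                      ("WantAssertionsSigned", "want_assertions_signed")):
        if desc.get(attr) is not None:
            info[key] = desc.get(attr) == "true"
    # Certificates usable for signature verification (use="signing" or unspecified).
    for kd in desc.findall("md:KeyDescriptor", NS):
        if kd.get("use") in (None, "signing") and kd.find(".//ds:X509Certificate", NS) is not None:
            info["signing_certs"] += 1
    # SSO / SLO / ACS endpoints keyed by service and binding (e.g. "SingleSignOnService/HTTP-POST").
    for tag in ("SingleSignOnService", "SingleLogoutService", "AssertionConsumerService"):
        for ep in desc.findall(f"md:{tag}", NS):
            info["endpoints"][f"{tag}/{ep.get('Binding', '').rsplit(':', 1)[-1]}"] = ep.get("Location")
    return info

OKTA_IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="http://www.okta.com/exkEXAMPLE">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>MIIC...PLACEHOLDER...</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://example.okta.com/app/jamf/exkEXAMPLE/sso/saml"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://example.okta.com/app/jamf/exkEXAMPLE/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""
```

Run `inspect_metadata()` over the Okta file and the Jamf Pro file and compare the entity IDs and endpoints with what each console shows; a missing signing certificate or a signing flag set to false shows up here before it shows up as a failed login.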

Step 4: Test the Okta SSO configuration

Ensure Single Sign-On is set up correctly.

  1. Sign out of the Okta administration console.
  2. Log out of Jamf Pro.
  3. In a web browser, navigate to your Jamf Pro URL.
  4. You should be redirected to the Okta sign-in page. Log in.
     • If the test is successful, you will be logged in to Jamf Pro.
     • If the test fails, use your additional login URL to log in to Jamf Pro. The URL can be found in the Single Sign-On settings in Jamf Pro.
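When the redirect in Step 4 does not end at the Okta sign-in page, the SAMLRequest inside the redirect URL tells you which side is misconfigured. The script below is an added example, not code from the Jamf article: it decodes a SAMLRequest as sent with the SAML HTTP-Redirect binding (raw DEFLATE, then base64, then URL-encoding) and compares the Issuer and Destination with the Entity ID from Step 2 and the Okta SSO URL. The AuthnRequest and hostnames are constructed placeholders; the encoder exists only to build that sample.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlparse

# Added example (not from the Jamf article): decode the SAMLRequest carried in the
# redirect from Jamf Pro to Okta (HTTP-Redirect binding: raw DEFLATE, base64, URL-encode)
# and compare it with the values configured in Step 2. Hostnames are placeholders.
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

def encode_redirect_request(xml_text):
    """Encode an AuthnRequest as the HTTP-Redirect binding does; used to build sample input."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15: raw DEFLATE, no zlib header
    return base64.b64encode(comp.compress(xml_text.encode()) + comp.flush()).decode()

def decode_redirect_request(location):
    """Parse a redirect Location and return the AuthnRequest fields worth checking."""
    qs = parse_qs(urlparse(location).query)
    xml_text = zlib.decompress(base64.b64decode(qs["SAMLRequest"][0]), -15).decode()
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        raise ValueError(f"unexpected SAML message: {root.tag}")
    issuer = root.find(f"{{{SAML}}}Issuer")
    return {"id": root.get("ID"), "destination": root.get("Destination"),
            "issuer": issuer.text if issuer is not None else None}

def check_against_config(req, entity_id, okta_sso_url):
    """List mismatches between the request and the Jamf Pro / Okta settings (empty = consistent)."""
    problems = []
    if req["issuer"] != entity_id:
        problems.append(f"Issuer {req['issuer']!r} is not the Jamf Pro Entity ID {entity_id!r}")
    if req["destination"] != okta_sso_url:
        problems.append(f"Destination {req['destination']!r} is not the Okta SSO URL {okta_sso_url!r}")
    return problems

# Constructed sample: the request Jamf Pro would send, wrapped in a redirect URL.
OKTA_SSO_URL = "https://example.okta.com/app/jamf/exkEXAMPLE/sso/saml"
SAMPLE_AUTHN_REQUEST = (
    f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_abc123" '
    f'Version="2.0" IssueInstant="2018-01-01T00:00:00Z" Destination="{OKTA_SSO_URL}">'
    '<saml:Issuer>https://jamfpro.example.com/saml/metadata</saml:Issuer></samlp:AuthnRequest>'
)
SAMPLE_REDIRECT = OKTA_SSO_URL + "?" + urlencode({"SAMLRequest": encode_redirect_request(SAMPLE_AUTHN_REQUEST)})

if __name__ == "__main__":
    req = decode_redirect_request(SAMPLE_REDIRECT)
    print(req, check_against_config(req, "https://jamfpro.example.com/saml/metadata", OKTA_SSO_URL))
```

To use it on a real test, copy the Location header of the 302 from the browser's network tab (or the address bar on the Okta error page) and pass it to `decode_redirect_request()`.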

Additional Information

SOLVED Posted: by mkremic

So I've managed to set up OKTA with our JSS and can successfully get our admins signing in through OKTA when SSO is turned on in the JSS. We'd also like our end users to sign into Self Service using SSO.

The only way I've managed to get this working is by adding an LDAP group that contains all of our end users into "JSS User Accounts & Groups" (with no permissions), as when the SSO is performed the JSS is looking at the group names passed from OKTA and comparing them to what is in "JSS User Accounts & Groups" for matches.

This works; however, it also gives all our end users the ability to log into an empty JSS, i.e. https://jss.mycompany.com:8443, which is less than ideal.

Is there any other way to allow end users to log into Self Service via SSO (whether it be OKTA or another provider) without opening up the ability to log into the JSS? Currently with LDAP authentication they can only log into Self Service.

Appreciate any thoughts/input! :)

SOLVED Posted: by gett-steve

Can this article be updated with details on how to configure using the current Apps pre-made in Okta?

SOLVED Posted: by nathan.anderson

Hello, please note that if you are having group-based login issues with Okta, this article needs updating to reflect that the Group Attribute Statement should be:

http://schemas.xmlsoap.org/claims/Group

  • Note the "s" at the end of "claim" which is needed for this to work - we'll get the article updated asap. Thank you!
SOLVED Posted: by mkremic

Hey @nathan.anderson, correct me if I'm wrong, but as the original article lists, the name can be changed:

"Note that it is possible to change the name of the SAML attribute which will be used by the JSS to retrieve group information (Group Mapping)."

As long as they match on both OKTA and the JSS, it shouldn't matter what it's called, right?

Also, any update on whether you can integrate Self Service into OKTA without allowing your end users the ability to log into the JSS? Would love to turn SAML authentication on, but this is really holding me back.

SOLVED Posted: by Daikonran

Not sure if it's the latest JSS release or OKTA, but I cannot get this to work on our JSS. Given that the instructions above are out of date, I put this together as best as possible using OKTA documentation and this JSS documentation, but when I try to log into the JSS via OKTA, it just times out every time. No special setup on our JSS with certificates that should make this more complicated than usual.

Anyone else seen similar issues?

SOLVED Posted: by dmac87

Having the same issue as @besteves. Would love to know the fix...

SOLVED Posted: by Daikonran

So we managed to fix this on our end. It turns out that the tab in OKTA is only for JAMF cloud and doesn't work with your local JSS, at least this is what I think.

Creating the tile from scratch using the above instructions, and then allowing traffic from OKTA / outside into our network on port 8443, got it to work. If you are also having the time-out issues, it may be firewall-related like ours was.

SOLVED Posted: by andre.sanchez

I've been trying to implement this for our on-premise JSS (we only use Okta as a directory service - no AD, no LDAP) and seem to have the authentication working, but I am not being redirected back to the dashboard when logging in. Instead I get the following message:

Anyone experienced this before?

SOLVED Posted: by mjmurillo

FYI - This is not possible with a split JSS as of version 9.99. https://www.jamf.com/jamf-nation/feature-requests/5414/please-allow-sso-to-work-with-a-split-jss

SOLVED Posted: by m3ir

Thanks for this article.
LDAP integration without the need to add them into JSS Users would be much appreciated.
