Configuring Single Sign-On with Okta
This article explains how to configure Single Sign-On (SSO) in Jamf Pro with Okta as your SAML 2.0 Identity Provider. When SSO is enabled, users logging in to Jamf Pro are by default redirected to the Okta login page. After successful authentication, they are sent back to the Jamf Pro Dashboard.
The SSO configuration procedure provided in this article was tested with Okta version 2016.19.
Requirements:
- Jamf Pro v9.93 or later
- Jamf Pro user accounts or groups that have matching users or groups in Okta
- User with administrative access to Okta
- User with Single Sign-On (SSO) privileges in Jamf Pro
Single Sign-On with Okta requires configuring your Okta account and Jamf Pro together, because each side needs values (metadata, Entity ID, certificate) taken from the other. Each configuration is unique to your environment, and additional steps may be necessary.
The procedure involves the following steps:
- Copy Metadata from Okta
- Configure Single Sign-On in Jamf Pro
- (Optional) Enable Single Logout
- Test the Okta Single Sign-On configuration
Step 1: Copy Metadata from Okta
Copy the metadata file or URL from your Identity Provider.
- In Okta, navigate to the Jamf Pro application.
- Go to the Sign On settings tab.
a. To obtain the metadata by URL, right-click on the Identity Provider metadata link and select “Copy link address”.
b. To obtain the metadata file, click on the Identity Provider metadata link and download the metadata.
Step 2: Configure Single Sign-On in Jamf Pro
Configure and enable SSO in Jamf Pro.
- In Jamf Pro, navigate to Settings > System Settings > Single Sign-On.
- Click Edit and configure Single Sign-On to enable SSO for Jamf Pro.
a. Select the Jamf Pro Server checkbox.
b. For User Mapping: SAML, choose "NameID" or specify a custom attribute. This is the attribute in the Okta assertion that carries the user's name.
c. For User Mapping: Jamf Pro, choose the Jamf Pro account field that must match the Application username sent by Okta. By default, it is set to "Username".
d. Entity ID identifies your Jamf Pro instance and must match the Audience URI field in Okta exactly. Okta places this value in the assertion's AudienceRestriction, and an assertion whose audience differs from the Entity ID is not accepted.
e. Provide a Jamf Pro Signing Certificate so that the SAML messages Jamf Pro sends (AuthnRequests and, with SLO, LogoutRequests) are signed. If no certificate is specified and the Okta metadata declares WantAuthnRequestsSigned on its <IDPSSODescriptor> element, outgoing SAML communication will not work. (WantAuthnRequestsSigned is the IDPSSODescriptor attribute that governs request signing; WantAssertionsSigned belongs to the SPSSODescriptor and is not the attribute involved.) As a fallback you can remove that attribute from the Okta metadata before uploading the file to Jamf Pro, but Jamf Pro then sends unsigned requests; uploading a certificate is the better fix.
f. (Optional) Select the Disable SAML token expiration checkbox. Leave it cleared unless a clock-skew problem you cannot fix forces it: with expiration disabled, Jamf Pro accepts assertions after their NotOnOrAfter time, so a captured assertion stays usable.
- Save the configuration.
Step 3: (Optional) Enable Single Logout
Configure Okta and upload a certificate from Jamf Pro to enable Single Logout (SLO). Without SLO, logging out of Jamf Pro does not end the Okta session. This matters for Jamf Pro administrators who perform the enrollment process on behalf of other users: they cannot fully log out afterwards unless SLO is enabled.
- In Okta, go to the Jamf Pro application.
- Navigate to General > SAML Settings and click Edit.
- Under "Advanced Settings", select the "Allow application to initiate Single Logout" checkbox.
a. For Single Logout URL, use the Location of the SingleLogoutService element in the Jamf Pro metadata (e.g., "https://jamfpro.example.com/saml/SingleLogout").
b. For SP Issuer, use the Jamf Pro Entity ID (e.g., "https://jamfpro.example.com/saml/metadata").
- For Signature Certificate, upload the same certificate configured as the Jamf Pro Signing Certificate; Okta uses it to verify the LogoutRequests that Jamf Pro signs. You can download it from the Single Sign-On settings pane in Jamf Pro.
- Save the configuration.
Step 4: Test the Okta SSO configuration
Ensure Single Sign-On is set up correctly.
- Sign out of the Okta administration console.
- Log out of Jamf Pro.
- In a web browser, navigate to your Jamf Pro URL.
- You should be redirected to the Okta sign-in page. Log in.
- If the test is successful, you will be logged in to Jamf Pro.
- If the test fails, use your additional login URL to log in to Jamf Pro with a local account and correct the configuration. The URL can be found in your Single Sign-On settings in Jamf Pro. Because it bypasses Okta, treat that URL as sensitive and keep the local accounts that can use it strongly protected.
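When the Step 4 test fails, the quickest diagnosis is to capture the SAMLResponse that Okta POSTs back to Jamf Pro (the form data in your browser's developer tools) and check it against the Step 2 settings: the Audience must equal the Entity ID (2d), the Destination must be the Jamf Pro endpoint, the Conditions window must include the current time (this is the check 2f switches off), and a signature must be present. The script below is an added example, not part of the original article or of Jamf Pro; the response it inspects is a constructed sample, the ACS URL is a hypothetical value, and it only checks that a Signature element exists rather than verifying it cryptographically (that requires an XML-DSig implementation and the Okta certificate).

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Assumed values for this example; only the Entity ID form comes from the article.
SP_ENTITY_ID = "https://jamfpro.example.com/saml/metadata"
ACS_URL = "https://jamfpro.example.com/saml/SSO"  # hypothetical ACS endpoint

# Constructed sample response. The empty ds:Signature elements stand in for real
# signatures; this script checks their presence, not their validity.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    ID="_r1" Version="2.0" IssueInstant="2016-11-01T12:00:00Z"
    Destination="https://jamfpro.example.com/saml/SSO">
  <saml:Issuer>http://www.okta.com/exkEXAMPLE</saml:Issuer>
  <ds:Signature/>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2016-11-01T12:00:00Z">
    <saml:Issuer>http://www.okta.com/exkEXAMPLE</saml:Issuer>
    <ds:Signature/>
    <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2016-11-01T12:00:00Z" NotOnOrAfter="2016-11-01T12:05:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://jamfpro.example.com/saml/metadata</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>
"""

def encode_redirect_binding(xml_text):
    """HTTP-Redirect binding (Jamf Pro -> Okta AuthnRequest): raw DEFLATE, then base64."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(comp.compress(xml_text.encode()) + comp.flush()).decode()

def decode_redirect_binding(param):
    return zlib.decompress(base64.b64decode(param), -15).decode()

def encode_post_binding(xml_text):
    """HTTP-POST binding (Okta -> Jamf Pro SAMLResponse): plain base64 of the XML."""
    return base64.b64encode(xml_text.encode()).decode()

def decode_post_binding(param):
    return base64.b64decode(param).decode()

def parse_saml_time(s):
    """SAML timestamps are UTC, with or without fractional seconds."""
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%M:%S.%fZ"):
        try:
            return datetime.strptime(s, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            pass
    raise ValueError("unparseable SAML timestamp: " + s)

def inspect_response(xml_text, sp_entity_id, acs_url, now):
    """Structural checks on a captured response; returns the NameID and a list of findings."""
    root = ET.fromstring(xml_text)
    findings = []
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        findings.append("status is not Success")
    if root.get("Destination") != acs_url:
        findings.append("Destination %r is not the Jamf Pro ACS URL" % root.get("Destination"))
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        findings.append("no plaintext Assertion (missing or encrypted)")
        return {"ok": False, "name_id": None, "findings": findings}
    if root.find("ds:Signature", NS) is None and assertion.find("ds:Signature", NS) is None:
        findings.append("neither Response nor Assertion is signed")
    audiences = [a.text for a in assertion.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if sp_entity_id not in audiences:  # Step 2d: Audience URI in Okta must equal the Entity ID
        findings.append("Audience %r does not match Jamf Pro Entity ID %r" % (audiences, sp_entity_id))
    cond = assertion.find("saml:Conditions", NS)
    if cond is not None:  # Step 2f: the validity window Jamf Pro enforces unless expiration is disabled
        if cond.get("NotBefore") and now < parse_saml_time(cond.get("NotBefore")):
            findings.append("assertion not yet valid (NotBefore %s)" % cond.get("NotBefore"))
        if cond.get("NotOnOrAfter") and now >= parse_saml_time(cond.get("NotOnOrAfter")):
            findings.append("assertion expired (NotOnOrAfter %s)" % cond.get("NotOnOrAfter"))
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    return {"ok": not findings, "name_id": name_id.text if name_id is not None else None,
            "findings": findings}

if __name__ == "__main__":
    captured = encode_post_binding(SAMPLE_RESPONSE)  # what the browser's POST body carries
    now = parse_saml_time("2016-11-01T12:02:00Z")
    print(inspect_response(decode_post_binding(captured), SP_ENTITY_ID, ACS_URL, now))
```

For a real capture, pass the SAMLResponse form field to decode_post_binding and the current UTC time as now; a SAMLRequest taken from the redirect URL's query string (after URL-decoding) goes through decode_redirect_binding instead. A NameID that comes back correctly while login still fails points at the User Mapping settings in Step 2b and 2c rather than at the SAML exchange.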