Configuring Single Sign-On with Active Directory Federation Services
This article explains how to configure Single Sign-On (SSO) in the Jamf Software Server (JSS) with Microsoft Active Directory Federation Services (AD FS) as your SAML 2.0 Identity Provider. When SSO is enabled, by default users logging into the JSS are redirected to the AD FS login page. After successful authentication, they are directed back to the JSS Dashboard.
The SSO configuration procedure provided in this article was tested with AD FS 3.0. AD FS 3.0 was deployed on Windows Server 2012 R2.
Requirements:
- The JSS v.9.93 or later
- JSS user accounts or groups that have matching users or groups in AD FS
- User with administrative access to AD FS
- User with Single Sign-On (SSO) privileges in the JSS
Single Sign-On with AD FS requires configuring your AD FS server and the JSS simultaneously. It is important to note that each configuration is unique to your environment, and additional steps may be necessary.
The procedure involves the following steps:
- Configure Single Sign-On in the JSS
- Add Relying Party Trust in AD FS
- (Optional) Add JSS built-in root certificate to trusted certificates
- Test the AD FS Single Sign-On configuration
Step 1: Configure Single Sign-On in the JSS
- In the JSS, navigate to Settings > System Settings > Single Sign-On.
- Click Edit and configure Single Sign-On to enable SSO with AD FS.
a. Select the Jamf Software Server (JSS) checkbox.
b. For User Mapping: SAML, either choose "NameID" or specify a custom attribute. When using a custom attribute, the SAML assertion sent by the IdP must contain the NameID attribute (any value), in addition to the custom attribute, to complete the information exchange between the JSS and the IdP.
c. User Mapping: JSS is set to "Username" by default.
d. Entity ID should specify a unique name that identifies the instance of your application in AD FS.
e. For Identity Provider Metadata Source, either upload the metadata as an XML file or specify an HTTP URL to the metadata (e.g., "https://adfs.example.com/FederationMetadata/2007-06/FederationMetadata.xml").
f. Upload or generate a JSS Signing Certificate.
If no certificate is selected, SAML Single Logout will not work. This will cause errors during AD FS-initiated logout.
To use certificates generated from the JSS, you need to disable CRL validation for the relying party trust in AD FS using PowerShell; otherwise AD FS will not be able to encrypt the SAML token, and Event Viewer will show that the revocation server is offline:
Set-AdfsRelyingPartyTrust -TargetIdentifier "<entity-id>" -SigningCertificateRevocationCheck "None" -EncryptionCertificateRevocationCheck "None"
- Save the configuration.
- Click Download JSS Metadata and save the XML file.
Step 2: Add Relying Party Trust in AD FS
- Open the AD FS Management Console (Control Panel > Administrative Tools > AD FS Management) and start the Add Relying Party Trust wizard.
- Select "Import data about the relying party published online or on a local network" to provide a SAML metadata URL (e.g., "https://jss.example.com/saml/SSO"), or "Import data about the relying party from a file" to upload the metadata XML file downloaded from the JSS.
- Click Next. AD FS may inform you that partial metadata content is not supported. This warning can be ignored.
- Continue with the wizard:
a. For Ready to Add Trust, ensure the Endpoints tab contains multiple endpoint values. If the endpoint domain names are set to "localhost", change them to a value visible from the AD FS server, such as your computer name or IP address.
b. Display name should match Entity ID in the JSS.
- Select the Open the Edit Claim Rules dialog checkbox and finish the wizard.
- Select Add Rule, choose "Send LDAP Attributes as Claims" and click Next.
- Add a new claim rule.
a. Name: JSS
b. Attribute store: Active Directory
c. Add the following LDAP Attributes and their outgoing claim types. "Token-Groups - Unqualified Names" outgoing type should be set to "Group".
- If the JSS User Mapping: JSS setting is set to "Username", set the "SAM-Account-Name" outgoing type to "Name ID".
- If the JSS User Mapping: JSS setting is set to "Email", set an attribute that contains the user's email address as the "Name ID" outgoing type (e.g., "Principal-User-Name" or "E-Mail Address").
Note: If an LDAP directory service is configured in the JSS, use the same LDAP property for "Name ID" as was used during the LDAP configuration. If using a custom user mapping attribute, refer to the AD FS documentation.
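Steps 1f and 2 above, as one script run in an elevated PowerShell session on the AD FS server. This is an added example, not part of the original article or any Jamf tooling; the Entity ID, the JSS metadata URL and the permit-all authorization rule (the wizard's default) are assumed placeholders, and the claim rule is written in AD FS claim rule language as the equivalent of the wizard's "Send LDAP Attributes as Claims" rule for a "Username" mapping.

```powershell
# Added example: scripts Step 1f and Step 2 with the AD FS module. Placeholder values are marked.
Import-Module ADFS

$entityId    = "jss-example"                             # assumed: Entity ID entered in the JSS (Step 1d)
$metadataUrl = "https://jss.example.com/saml/metadata"   # assumed: JSS metadata URL; or use -MetadataFile with the downloaded XML

# Equivalent of the wizard's "Send LDAP Attributes as Claims" rule (Step 2):
#   SAM-Account-Name                 -> Name ID
#   Token-Groups - Unqualified Names -> Group
$claimRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "JSS"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", "http://schemas.xmlsoap.org/claims/Group"), query = ";sAMAccountName,tokenGroups;{0}", param = c.Value);
'@

# Assumed: the wizard's default "Permit all users to access this relying party" authorization rule.
$authzRules = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# Create the relying party trust from the JSS metadata; the display name matches the Entity ID (Step 2, 4b).
Add-AdfsRelyingPartyTrust -Name $entityId -MetadataUrl $metadataUrl `
    -IssuanceTransformRules $claimRules -IssuanceAuthorizationRules $authzRules

# Step 1f: only when the JSS-generated signing certificate is used, skip CRL checks for this trust.
Set-AdfsRelyingPartyTrust -TargetIdentifier $entityId `
    -SigningCertificateRevocationCheck "None" -EncryptionCertificateRevocationCheck "None"

# Verify the result: identifier, revocation settings and the SAML endpoints imported from the metadata.
$trust = Get-AdfsRelyingPartyTrust -Identifier $entityId
$trust | Select-Object Name, Identifier, SigningCertificateRevocationCheck, EncryptionCertificateRevocationCheck
$trust.SamlEndpoints | Select-Object Protocol, Binding, Location

# Step 2, 4a: endpoints pointing at "localhost" are unreachable from AD FS and must be corrected in the JSS.
if ($trust.SamlEndpoints.Location -match 'localhost') {
    Write-Warning "Relying party endpoints contain 'localhost'; fix the JSS metadata and re-import before testing."
}
```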
Step 3: (Optional) Add JSS built-in root certificate to trusted certificates
This step is only required if the JSS Signing Certificate was generated from the JSS.
- In the JSS, go to Settings > Global Management > PKI and click the Download CA Cert button. Ensure the certificate will be saved with a .crt extension.
- Double-click on the downloaded file and click the Install Certificate button.
- Select the "Local Machine" option to add a certificate for all users and click Next.
- Select the "Place all certificates in the following store" option, click Browse and ensure the certificate will be installed in "Trusted Root Certification Authorities". Click Next.
- Click Finish to close the wizard.
Step 4: Test the AD FS Single Sign-On configuration
- Sign out of the AD FS Management Console.
- Sign out of the JSS.
- In a web browser, navigate to your Jamf Software Server URL.
- You should be redirected to the AD FS sign-in page. Log in.
- If the test is successful, you will be logged in to the JSS.
- If the test failed, use your additional login URL to log in to the JSS. The URL can be found in your Single Sign-On settings in the JSS.
To set the SSO lifetime value in AD FS:
1. Open the AD FS Management Console.
2. Select Edit Federation Service Properties.
3. On the General tab, locate the "Web SSO lifetime" property.
4. Set the SSO lifetime. The value in AD FS should match the Token Expiration field in the JSS. By default, it is set to 480 minutes.