Jamf Nation, hosted by Jamf, is the largest Apple IT management community in the world. Dialog with your fellow IT professionals, gain insight about Apple device deployments, share best practices and bounce ideas off each other. Join the conversation.

Configuring Single Sign-On with OneLogin

Overview

This article explains how to configure Single Sign-On (SSO) in Jamf Pro with OneLogin as your SAML 2.0 Identity Provider. When SSO is enabled, by default users and groups logging into Jamf Pro are redirected to the OneLogin login page. After successful authentication, they are redirected to the Jamf Pro Dashboard.

Versions Affected

Jamf Pro 9.97 or later

Requirements

  • Jamf Pro user accounts or groups that have matching users or groups in OneLogin
  • User with administrative access to OneLogin
  • User with Single Sign-On (SSO) privileges in Jamf Pro

Procedure

Single Sign-On with OneLogin requires configuring your OneLogin account and Jamf Pro simultaneously. It is important to note that the configuration is unique to each environment and additional steps may be necessary.

The procedure involves the following steps:

  1. Configure a new application for Jamf Pro in OneLogin
  2. Save Metadata file or URL from OneLogin
  3. Configure Single Sign-On in Jamf Pro
  4. Test the OneLogin Single Sign-On configuration

Step 1: Configure a new application for Jamf Pro in OneLogin

To add a new application in OneLogin for Jamf Pro, follow the instructions depending on your Jamf Pro server environment.

Jamf Cloud-Hosted Environment

  1. Log in to OneLogin as a user with administrator privileges and navigate to Apps > Add Apps.
  2. Search for "Jamf Cloud" and select the application.
  3. In the Configuration pane, enter a display name for the application, and click Save.
  4. Click the Configuration tab to configure application settings.
  5. In the RelayState field, enter where users should get redirected after a successful login.
  6. In the Subdomain field, enter your Jamf Cloud subdomain (e.g., "https://{subdomain}.jamfcloud.com"; in the sample URL, only {subdomain} is your subdomain).
  7. Click Save.
  8. Navigate to the Parameters tab to map Jamf Pro attributes to OneLogin attributes.
  9. For the Groups parameter, use the default settings and ensure the Include in SAML assertion checkbox is selected.
  10. Ensure the NameID parameter matches your Jamf Pro settings. It is used to map access rights in Jamf Pro.
    -If you are mapping users in Jamf Pro by "Email", use the default Email value.
    -If you are mapping users in Jamf Pro by "Username", select the Username value from the pop-up menu.
  11. Save the configuration.
  12. Use the Rules, SSO, Access, Users, and Privileges tabs to specify your settings for the Jamf Pro application. Note: Ensure you assign users or groups to the Jamf Cloud application.
  13. Save the configuration.

On-Premise Environment

  1. Log in to OneLogin as a user with administrator privileges and navigate to Apps > Add Apps.

  2. Search for "SAML" and select "SAML Test Connector (IdP) w/ NameID (Unspec)".

  3. In the Configuration pane, enter a display name for the application, and click Save.

  4. Navigate to the Configuration tab to configure application settings.
    -RelayState defines where users get redirected after a successful login (e.g., "https://jamfpro.example.com").
    -Audience should match the Entity ID field in Jamf Pro (e.g., "https://jamfpro.example.com/saml/metadata").
    -Recipient should match the following format: "https://jamfpro.example.com/saml/SSO".
    -ACS (Consumer) URL Validator is the same value as Recipient, written as a regular expression with escaped characters. Use the following format:
      starts with ^
      ends with $
      every dot ( . ) and slash ( / ) must be prepended with a backslash ( \ )
      e.g., ^https:\/\/jamfpro\.example\.com\/saml\/SSO$
    -ACS (Consumer) URL should match the following format: "https://jamfpro.example.com/saml/SSO".
    -(Optional) If using Single Logout, the Single Logout URL should match the following format: "https://jamfpro.example.com/saml/SingleLogout".

  5. Click the Parameters tab.

  6. Edit the NameID (fka Email) parameter. It is used to map access rights in Jamf Pro.
    -If you are mapping users in Jamf Pro by "Email", use the default Email value.
    -If you are mapping users in Jamf Pro by "Username", select the Username value.
    For more information about macros for parameters, see the following OneLogin documentation.

  7. Add a new parameter for Groups. Note that it is possible to change the name of the SAML attribute which Jamf Pro uses to retrieve group information (Group Mapping).
    -In the Name field, enter "http://schemas.xmlsoap.org/claims/Group".
    -Select the Include in SAML assertion checkbox.
    -In the Value field, select "MemberOf".

  8. Save the configuration.

  9. Use the Rules, SSO, Access, Users, and Privileges tabs to specify your settings for the Jamf Pro application.
    Note: Ensure you assign users or groups to the newly created application for Jamf Pro.

  10. Save the configuration.

Step 2: Save Metadata file or URL from OneLogin

In OneLogin, navigate to the newly configured application for Jamf Pro.
- To obtain the metadata URL, go to the SSO settings tab and copy the Issuer URL value.
- To obtain the metadata file, click More Actions > SAML Metadata. File download should start automatically.

Step 3: Configure Single Sign-On in Jamf Pro

  1. In Jamf Pro, navigate to Settings > System Settings > Single Sign-On.
  2. Click the Edit button.
  3. Select the Jamf Pro Server checkbox.
  4. Select SSO options for your Jamf Pro server. Note: It is recommended that you copy the additional login URL to a secure location before continuing. In case of any configuration issues, you can use this URL to log in to Jamf Pro.
  5. For User Mapping: SAML, choose the "NameID" option. Note: You may also use a custom attribute. If using a custom attribute, the SAML assertion sent by OneLogin must contain the NameID attribute (any value) in addition to the custom attribute. This allows Jamf Pro and the identity provider to complete the information exchange.
  6. User Mapping: Jamf Pro must match the parameter value from OneLogin. By default, it is set to "Username".
  7. For Group Attribute Name, use the default setting "http://schemas.xmlsoap.org/claims/Group".
  8. (Optional) Add the RDN Key for your LDAP group.
  9. Select "OneLogin" for the Identity Provider from the pop-up menu.
  10. For Identity Provider Metadata Source, add the metadata URL or upload the metadata file from OneLogin.
  11. (Optional) Upload or generate a signing certificate for the Jamf Pro server.
  12. Save the configuration.
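The values from the on-premise OneLogin configuration (Step 1, item 4) and the mapping requirements above (NameID always present, Group attribute name), as an added example that is not code from the article, Jamf or OneLogin: it derives the OneLogin field values from the Jamf Pro base URL, builds the ACS (Consumer) URL Validator regex, and checks a constructed SAML assertion against them. The element layout of the sample assertion is an assumption of a minimal SAML 2.0 assertion, not a capture from OneLogin.

```python
import re
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
GROUP_ATTR = "http://schemas.xmlsoap.org/claims/Group"  # Jamf Pro default Group Attribute Name

def jamf_saml_endpoints(base_url):
    """Derive the OneLogin field values for an on-premise Jamf Pro from its base URL."""
    base = base_url.rstrip("/")
    return {"relay_state": base,
            "audience": f"{base}/saml/metadata",  # must equal the Jamf Pro Entity ID
            "acs_url": f"{base}/saml/SSO",  # used for both Recipient and ACS (Consumer) URL
            "single_logout": f"{base}/saml/SingleLogout"}

def acs_url_validator(acs_url):
    """ACS (Consumer) URL Validator regex: anchored, every '.' and '/' backslash-escaped."""
    return "^" + acs_url.replace(".", r"\.").replace("/", r"\/") + "$"

def check_assertion(assertion_xml, endpoints):
    """List the mismatches between a SAML assertion and the Jamf Pro values."""
    root = ET.fromstring(assertion_xml)
    problems = []
    validator = re.compile(acs_url_validator(endpoints["acs_url"]))
    scd = root.find(".//saml:SubjectConfirmationData", NS)
    if scd is None or not validator.match(scd.get("Recipient", "")):
        problems.append("Recipient does not match the ACS URL validator")
    if root.findtext(".//saml:AudienceRestriction/saml:Audience", "", NS) != endpoints["audience"]:
        problems.append("Audience does not match the Jamf Pro Entity ID")
    if not root.findtext(".//saml:Subject/saml:NameID", "", NS).strip():
        problems.append("NameID missing; Jamf Pro requires it even with a custom attribute")
    if GROUP_ATTR not in {a.get("Name") for a in root.findall(".//saml:Attribute", NS)}:
        problems.append("Group attribute " + GROUP_ATTR + " not included in the assertion")
    return problems

# Constructed sample assertion (abridged: no signature, issuer or timestamps)
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
 <saml:Subject><saml:NameID>jdoe</saml:NameID>
  <saml:SubjectConfirmation><saml:SubjectConfirmationData
   Recipient="https://jamfpro.example.com/saml/SSO"/></saml:SubjectConfirmation></saml:Subject>
 <saml:Conditions><saml:AudienceRestriction>
  <saml:Audience>https://jamfpro.example.com/saml/metadata</saml:Audience>
 </saml:AudienceRestriction></saml:Conditions>
 <saml:AttributeStatement><saml:Attribute Name="http://schemas.xmlsoap.org/claims/Group">
  <saml:AttributeValue>Jamf Admins</saml:AttributeValue></saml:Attribute></saml:AttributeStatement>
</saml:Assertion>"""

if __name__ == "__main__":
    ep = jamf_saml_endpoints("https://jamfpro.example.com")
    print(acs_url_validator(ep["acs_url"]))
    print(check_assertion(SAMPLE_ASSERTION, ep) or "assertion matches the Jamf Pro settings")
```

A decoded assertion from a failed login (for example from the browser's SAML trace) can be passed to check_assertion in place of the constructed sample to see which of the four values does not line up.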

Step 4: Test the OneLogin SSO Configuration

  1. In OneLogin, assign a test user to the created app for Jamf Pro.
  2. In Jamf Pro, create a test user with Single Sign-On privileges. Note: The Jamf Pro test user account should match the test user in OneLogin.
  3. Sign out of the OneLogin admin portal.
  4. Sign out of Jamf Pro.
  5. In a web browser, navigate to your Jamf Pro URL.
  6. Once redirected to the OneLogin sign-in page, enter your login credentials.
  7. If the test is successful, you will be logged in to Jamf Pro.
  8. If the test failed, use your additional login URL to log in to Jamf Pro, and check your configuration. The URL can be found in your Single Sign-On settings in Jamf Pro.

Additional Information

For more information on Single Sign-On settings in Jamf Pro, see the Jamf Pro Administrator's Guide.
For more information on Single Sign-On in OneLogin, see the Overview of SAML documentation.

SOLVED Posted: by Josh.Templeton

We are running through the directions and we are receiving an error that says:

422 Unprocessable changes. Maybe you tried to change something you don't have access to.

Can you give us some examples of what should be filled in Step 1, Part 4 on RelayState and Audience? For Recipient, is it safe to assume that is the address of our Jamf Cloud web address?

Thank you!

SOLVED Posted: by dmarcnw

There seem to be some steps missing in this process. I've followed it as best as I can, but I can't get it to work at all. Please update if possible.

SOLVED Posted: by true[robby]

I've also tried on three different occasions. Something's not right. Could we get an update or some screens for comparison?

SOLVED Posted: by kasia.kolodziej

This article has been updated to reflect the current workflow for configuring Single Sign-On with OneLogin in Jamf Pro.
