This article explains how to configure Single Sign-On (SSO) in the JAMF Software Server (JSS) with Ping Identity PingOne as your SAML 2.0 Identity Provider. When SSO is enabled, by default users logging into the JSS are redirected to the PingOne login page. After successful authentication, they are directed back to the JSS Dashboard.
Requirements:
- The JSS v.9.93 or later
- JSS user accounts or groups that have matching users or groups in PingOne
- User with administrative access to PingOne
- User with Single Sign-On (SSO) privileges in the JSS
Single Sign-On with PingOne requires configuring your Ping Identity PingOne account and the JSS in parallel, switching between the two consoles. It is important to note that each configuration is unique to your environment, and additional steps may be necessary.
The procedure involves the following steps:
- Create a new application in PingOne
- Configure Single Sign-On in the JSS
- Continue with the PingOne configuration
- (Optional) Add Attribute Mappings in PingOne
- Test the PingOne Single Sign-On configuration
Step 1: Create a new application in PingOne
Set up the PingOne application to provide necessary configuration information for the JSS.
- Log in to PingOne as a user with administrator privileges and navigate to Applications > My Applications.
- Click Add Application and select "New SAML Application".
- Fill in the Application Details section and click Continue to Next Step.
- For the Application Configuration settings, select "I have the SAML configuration".
- Next to SAML Metadata, click "Download" to download the metadata file, or copy the "Download" URL.
- Stay on the current page.
Note: Before continuing with the procedure, you will need to first enable SSO in the JSS and add metadata from PingOne.
Step 2: Configure Single Sign-On in the JSS
Configure and enable SSO in the JAMF Software Server.
- In the JSS, navigate to Settings > System Settings > Single Sign-On.
- Click Edit and configure Single Sign-On to enable SSO for the JSS.
a. Select the JAMF Software Server (JSS) checkbox.
b. For User Mapping: SAML, either choose "NameID" or specify a custom attribute. If using a custom attribute, the SAML assertion sent by the IdP must contain the NameID attribute (any value), in addition to the custom attribute, to complete the information exchange between the JSS and the IdP.
c. User Mapping: JSS is set to "Username" by default.
d. For Identity Provider Metadata Source, upload the PingOne metadata file downloaded in Step 1.
e. Entity ID identifies this instance of your application and must match the Entity ID configured in PingOne.
- Save the configuration.
- (Optional) Click Download JSS Metadata.
Step 3: Continue with the PingOne configuration
- Return to the Application Configuration page in PingOne and configure your SSO settings.
a. For Upload Metadata, use the JSS metadata URL (e.g. "https://jss.example.com/saml/metadata") or upload the XML file downloaded from the JSS.
b. Assertion Consumer Service (ACS) should match the following format: "https://jss.example.com/saml/SSO".
c. Entity ID should match Entity ID in the JSS.
d. Single Logout Endpoint should match the following format: "https://jss.example.com/saml/SingleLogout".
e. Signing Algorithm should be set to "RSA_SHA256".
- Click Continue to Next Step.
Step 4: (Optional) Add Attribute Mappings in PingOne
- In SSO Attribute Mappings, click Add new attribute. Note that you can change the name of the SAML attribute the JSS uses to retrieve group information (Group Mapping).
If mapping users by groups:
a. For Application Attribute, enter "https://schemas.xmlsoap.org/claims/Group".
b. Click Advanced.
c. For NameFormat, use "unspecified".
d. For IDP Attribute Name or Literal Value, select "memberOf".
e. In Function field select "ExtractByRegularExpression".
f. In the Expression field, use "(.*)[\@](?:.*)" if you want to keep only the part of the group name before the "@" directory suffix.
g. Save the Attribute.
If mapping users by NameID:
a. For Application Attribute, select "SAML_SUBJECT".
b. Click Advanced.
c. For NameFormat, select "unspecified".
d. Depending on JSS Single Sign-On settings, add appropriate attributes:
- If the JSS maps users by "Username", in the IDP Attribute Name or Literal Value field select "First Name". If you want a space between the first and last name, add another attribute, enter the space character in the IDP Attribute Name or Literal Value field and select the "As Literal" checkbox. Then add another attribute and in the IDP Attribute Name or Literal Value field select "Last Name".
- If the JSS maps users by "Email", in the IDP Attribute Name or Literal Value field select "Email".
If mapping users by a custom attribute:
In Application Attribute, use the same attribute name that was specified in the JSS. You must still configure NameID (SAML_SUBJECT).
- Click Save and Publish.
- Review the setup and click Finish.
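The mapping rules from this step applied to a constructed SAML assertion, as an added example rather than Jamf or Ping Identity code: it assumes the group attribute name and regular expression given above, treats NameID as mandatory, and accepts either NameID or a custom attribute as the JSS user mapping.

```python
import re
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
GROUP_ATTR = "https://schemas.xmlsoap.org/claims/Group"
# The expression given to ExtractByRegularExpression above: group 1 keeps the
# part before the "@" (greedy, so the last "@") and the directory suffix is dropped.
GROUP_RE = re.compile(r"(.*)[\@](?:.*)")

# Constructed sample assertion (not captured from a real PingOne tenant). The NameID
# models the "First Name" + " " + "Last Name" literal mapping from step d above.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_c1" Version="2.0">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">Jane Doe</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="https://schemas.xmlsoap.org/claims/Group">
      <saml:AttributeValue>JSS Admins@example.com</saml:AttributeValue>
      <saml:AttributeValue>Help Desk@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="employeeId">
      <saml:AttributeValue>e12345</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def map_assertion(xml_text, user_attr="NameID", group_attr=GROUP_ATTR):
    """Apply the JSS user/group mapping to one assertion; user_attr is "NameID" or
    the custom attribute chosen in the JSS. Returns (user, groups); NameID is required either way."""
    root = ET.fromstring(xml_text)  # use defusedxml for untrusted input
    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if not name_id:
        raise ValueError("assertion has no NameID; the JSS cannot complete the exchange")
    attrs = {}
    for attr in root.iterfind(".//saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
    if user_attr == "NameID":
        user = name_id
    else:
        values = attrs.get(user_attr)
        if not values:
            raise ValueError(f"custom user attribute {user_attr!r} missing from assertion")
        user = values[0]
    groups = []
    for raw in attrs.get(group_attr, []):
        m = GROUP_RE.fullmatch(raw)
        groups.append(m.group(1) if m else raw)  # no "@" suffix: keep the name as is
    return user, groups
```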
Step 5: Test the PingOne SSO configuration
Ensure Single Sign-On is set up correctly.
- Sign out of the PingOne administration console.
- Log out of the JSS.
- In a web browser, navigate to your JSS URL.
- You should be redirected to the PingOne sign in page. Log in.
- If the test is successful, you will be logged in to the JSS.
- If the test fails, use your additional login URL to log in to the JSS. The URL can be found in your Single Sign-On settings in the JSS.
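A pre-flight cross-check of the values entered in Step 3 against the JSS metadata, which is quicker than repeating the browser test when the login redirect fails. This is an added example, not Jamf or Ping Identity code; the SP metadata document and the PingOne settings are constructed, and their shape is assumed.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

MD = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}

# Constructed SP metadata in the shape a SAML 2.0 service provider publishes;
# not an actual JSS download. Endpoints follow the formats given in Step 3.
JSS_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="jss.example.com">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://jss.example.com/saml/SingleLogout"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://jss.example.com/saml/SSO" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Values as typed into the PingOne application in Step 3 (constructed).
PINGONE_SETTINGS = {
    "entity_id": "jss.example.com",
    "acs_url": "https://jss.example.com/saml/SSO",
    "slo_url": "https://jss.example.com/saml/SingleLogout",
    "signing_algorithm": "RSA_SHA256",
}

def check_pairing(sp_metadata_xml, pingone):
    """Return the list of mismatches between the JSS SP metadata and the PingOne settings."""
    root = ET.fromstring(sp_metadata_xml)  # use defusedxml for untrusted input
    sp = root.find("md:SPSSODescriptor", MD)
    acs = sp.find("md:AssertionConsumerService", MD).get("Location")
    slo = sp.find("md:SingleLogoutService", MD).get("Location")
    findings = []
    if root.get("entityID") != pingone["entity_id"]:
        findings.append("Entity ID differs between the JSS metadata and PingOne")
    if pingone["acs_url"] != acs or not acs.endswith("/saml/SSO"):
        findings.append("ACS must be the JSS https://<jss>/saml/SSO endpoint")
    if pingone["slo_url"] != slo or not slo.endswith("/saml/SingleLogout"):
        findings.append("Single Logout must be https://<jss>/saml/SingleLogout")
    for name, url in (("ACS", acs), ("SLO", slo)):
        if urlparse(url).scheme != "https":
            findings.append(f"{name} endpoint is not HTTPS")
    if pingone["signing_algorithm"] != "RSA_SHA256":
        findings.append("Signing algorithm is not RSA_SHA256")
    return findings
```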