
Configuring Single Sign-On with G Suite

Overview

This article explains how to configure Single Sign-On (SSO) in Jamf Pro with G Suite as your SAML 2.0 Identity Provider. When this is enabled, users logging into Jamf Pro are redirected to the Google sign-in page by default. After successful authentication, they are redirected to the Jamf Pro Dashboard.

Versions Affected

Jamf Pro 9.93 or later

Requirements

  • Jamf Pro user accounts or groups with matching Google usernames or groups
  • User with administrative access to G Suite
  • User with the Single Sign-On Update privilege in Jamf Pro

Procedure

Enabling Single Sign-On with Google authentication requires configuring both your G Suite account and Jamf Pro. Note that each configuration is unique to your environment, and additional steps may be necessary.

The procedure involves the following steps:

  1. Configure Single Sign-On in G Suite
  2. Configure Single Sign-On in Jamf Pro
  3. Test the Single Sign-On configuration

Step 1: Configure Single Sign-On in G Suite

  1. Sign in to G Suite using your administrator account.
  2. Navigate to the Admin console Home page and go to Apps > SAML apps.
  3. Click the plus (+) icon in the bottom corner.
  4. Click Set up my own custom app.
  5. In the Google IdP Information settings, download the IDP metadata file in Option 2 and click NEXT.

  6. In the Basic Application Information window, add “Jamf Pro” as your application name.
    a. (Optional) Add an application description.
    b. (Optional) Click Choose file next to the Upload Logo field to upload an icon.

  7. Click NEXT.
  8. Configure the Service Provider Details window as follows:
    a. ACS URL should match the following format: "https://myjss.jamfcloud.com/saml/SSO"
    b. Entity ID should match the following format: "https://myjss.jamfcloud.com/saml/metadata"
    c. For Start URL, specify where Google should redirect users after successful authentication (e.g., https://myjss.jamfcloud.com).
    d. Select the Signed Response checkbox.
    e. For Name ID, select “Basic Information” and “Primary Email”.
    f. For Name ID Format, select “EMAIL”.
  9. Click NEXT.
  10. (Optional) If you will be mapping users by groups in Jamf Pro, in the Application Attribute field enter: “http://schemas.xmlsoap.org/claims/Group”
  11. Click FINISH.
  12. To enable SSO for the SAML app, navigate to the G Suite Admin console Home page.
    a. Go to Apps > SAML Apps.
    b. Select the Jamf Pro SAML app.
    c. At the top right of the SAML app, click More and select one of the following:
      • On for everyone to enable SSO for all users
      • Off for everyone to disable SSO for all users
      • On for some organizations to enable SSO only for some users

Note: It is possible to change the name of the SAML attribute used by the Jamf Pro server to retrieve group information (Group Mapping). If you will be mapping users by groups, in the Application Attribute field enter: "http://schemas.xmlsoap.org/claims/Group"

Step 2: Configure Single Sign-On in Jamf Pro

Configure and enable SSO in Jamf Pro.

  1. In Jamf Pro, navigate to Settings > System Settings > Single Sign-On.
  2. Click Edit and configure Single Sign-On to enable SSO for the Jamf Pro server.
    a. Select the Jamf Pro Server checkbox.
    b. Configure SSO resources:
      1. Do not select the Allow bypass for all users checkbox.
      2. Select the Self Service for macOS checkbox.
      3. Select the User-Initiated Enrollment checkbox.
  3. For User Mapping: SAML, select "NameID".
  4. For User Mapping: Jamf Pro, select "Email". You can select "Username" only if the Jamf Pro username matches the email, first name, or last name.
  5. For Identity Provider, select "Google".
  6. Configure the Identity Provider Metadata Source.
    a. For Identity Provider Metadata Source, select "Metadata File".
    b. Click Upload File.
    c. Click Choose File to upload the Google metadata file downloaded in Step 1.
  7. Entity ID should match the following format: "https://myjss.jamfcloud.com/saml/metadata"
  8. Generate or upload a signing certificate. For more information, see Single Sign-On in the Jamf Pro Administrator's Guide.
  9. (Optional) Select the Disable SAML token expiration checkbox.
  10. Click Save.

Step 3: Test the Single Sign-On configuration

Ensure Single Sign-On is set up correctly.

  1. Sign out of G Suite.
  2. Log out of Jamf Pro.
  3. In a web browser, navigate to your single sign-on URL for Jamf Pro.
  4. You should be redirected to the Google sign-in page. Log in.
    • If the test is successful, you will be logged in to Jamf Pro.
    • If the test fails, use your additional login URL, found in your Single Sign-On settings in Jamf Pro, to log in to the Jamf Pro server. The URL should match the following format: "https://myjss.jamfcloud.com?failover"
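If the test fails, one way to see which Service Provider setting disagrees with what Google actually sends is to decode the SAMLResponse posted to the ACS URL and compare it with the values from Steps 1 and 2. The checker below is an added example, not code from the article or from Jamf; the sample response is constructed inline with the article's placeholder hostnames, and it checks only that a Signature element is present (the cryptographic verification is the SP's job).

```python
import base64
import xml.etree.ElementTree as ET

# SAML 2.0 namespaces needed to walk a Response
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
GROUP_ATTR = "http://schemas.xmlsoap.org/claims/Group"  # attribute name from the article

# Constructed sample Response mirroring the article's settings (not a real capture;
# the signature is a placeholder and the user/group values are made up).
SAMPLE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
  Destination="https://myjss.jamfcloud.com/saml/SSO">
  <ds:Signature><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
  <saml:Assertion><saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jane@example.com</saml:NameID>
  </saml:Subject><saml:Conditions><saml:AudienceRestriction>
    <saml:Audience>https://myjss.jamfcloud.com/saml/metadata</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions><saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/claims/Group">
      <saml:AttributeValue>jamf-admins</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement></saml:Assertion>
</samlp:Response>"""
SAMPLE_B64 = base64.b64encode(SAMPLE_XML.encode()).decode()


def check_response(b64_response, acs_url, entity_id):
    """Decode a base64 SAMLResponse and compare it with the Jamf Pro SP settings.
    Returns a dict of findings; Signature presence is checked, not verified."""
    root = ET.fromstring(base64.b64decode(b64_response))
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    audiences = [a.text for a in root.findall(".//saml:Audience", NS)]
    groups = [v.text for v in root.findall(
        f".//saml:Attribute[@Name='{GROUP_ATTR}']/saml:AttributeValue", NS)]
    return {
        "destination_ok": root.get("Destination") == acs_url,   # ACS URL (Step 1, 8a)
        "audience_ok": entity_id in audiences,                   # Entity ID (Step 1, 8b)
        "signed": root.find(".//ds:Signature", NS) is not None,  # Signed Response (8d)
        "nameid_is_email": name_id is not None and name_id.get("Format") == EMAIL_FORMAT,
        "name_id": name_id.text if name_id is not None else None,
        "groups": groups,                                        # Group attribute (Step 1, 10)
    }
```

Paste the base64 SAMLResponse from the browser's network log in place of SAMPLE_B64 and pass your own ACS URL and Entity ID; any False in the result points at the mismatched setting.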

Additional Information

SOLVED Posted: by gregleeper

So, what would the additional URL be to log in to the JSS?

SOLVED Posted: by kasia.kolodziej

The additional login URL can be found in your Single Sign-On settings in the JSS.

SOLVED Posted: by nbbosa

If you add "?failover" (no quotes) at the end of the URL, you should be able to bypass the SSO and log in to either edit or disable with an account with privileges to do so.

That would be the additional URL to log in to the JSS.

SOLVED Posted: by crchien

In Step 2.b, the User Mapping needs to be "Email" (not the default "username")

It appears that in Step 2, after Step 2.e, under Certificate Information, you must generate a certificate.

It also appears that it matters in Step 3, the Attribute Name should be "Email" (not "Email Address").

SOLVED Posted: by egjerde

These instructions no longer match up to the G Suite configuration pages - they are very different. Please review and update this documentation!

SOLVED Posted: by bizzaredm

Can someone see if this can be updated? It seems not to match, like @egjerde said.

SOLVED Posted: by dmarcnw

This really is out of date. Very confusing for OneLogin as well.

SOLVED Posted: by tobiaslinder

So do I actually have to create each user that has to log in, or can I also just create groups and add privileges to them that match the name of the Google groups?

SOLVED Posted: by adria.prado

Still can't make it work. Do the users need to exist already in Jamf to be able to authenticate via Google?

SOLVED Posted: by mcarasso

For allowing users to do user initiated enrollment are we able to give access to a specific group?

SOLVED Posted: by Matt

Can this be updated please with some information? First, the correct configuration being added, and secondly how to actually use the SSO sign-on. Do we need to create the users in the JSS? Can we use groups in Google to leverage it like a directory? I have this all set up and I am getting errors, and I followed it to the letter.

SOLVED Posted: by bcrockett

+1 for a documented use case.

I would like to use my google apps accounts as an LDAP for my Mac Computers. My hope is that the JSS can do the legwork on this one.
