Configuring Single Sign-On with G Suite
This article explains how to configure Single Sign-On (SSO) in Jamf Pro with G Suite as your SAML 2.0 Identity Provider. When this is enabled, users logging into Jamf Pro are redirected to the Google sign-in page by default. After successful authentication, they are redirected to the Jamf Pro Dashboard.
Requirements:
- Jamf Pro 9.93 or later
- Jamf Pro user accounts or groups with matching Google usernames or groups
- User with administrative access to G Suite
- User with the Single Sign-On Update privilege in Jamf Pro
Enabling Single Sign-On with Google authentication requires configuration in both your G Suite account and Jamf Pro. It is important to note that each configuration is unique to your environment, and additional steps may be necessary.
The procedure involves the following steps:
- Configure Single Sign-On in G Suite
- Configure Single Sign-On in Jamf Pro
- Test the Single Sign-On configuration
Step 1: Configure Single Sign-On in G Suite
- Sign in to G Suite using your administrator account.
- Navigate to the Admin console Home page and go to Apps > SAML apps.
- Click the plus (+) icon in the bottom corner.
- Click Set up my own custom app.
- In the Google IdP Information settings, download the IDP metadata file in Option 2 and click NEXT.
- In the Basic Application Information window, add "Jamf Pro" as your application name.
a. (Optional) Add an application description.
b. (Optional) Click Choose file next to the Upload Logo field to upload an icon.
- Click NEXT.
- Configure the Service Provider Details window as follows:
a. ACS URL should match the following format: "https://myjss.jamfcloud.com/saml/SSO"
b. Entity ID should match the following format: "https://myjss.jamfcloud.com/saml/metadata"
c. For Start URL, specify where Google should redirect users after successful authentication (for example, https://myjss.jamfcloud.com).
d. Select the Signed Response checkbox.
e. For Name ID, select "Basic Information" and "Primary Email".
f. For Name ID Format, select "EMAIL".
- Click NEXT.
- (Optional) If you will be mapping users by groups in Jamf Pro, in the Application Attribute field enter: "http://schemas.xmlsoap.org/claims/Group"
- Click FINISH.
- To enable SSO for the SAML app, navigate to the G Suite Admin console Home page.
a. Go to Apps > SAML Apps.
b. Select the Jamf Pro SAML app.
c. At the top right of the SAML app, click More and select:
- On for everyone to enable SSO for all users
- Off for everyone to disable SSO for all users
- On for some organizations to enable SSO only for some users
Note: The name of the SAML attribute that the Jamf Pro server uses to retrieve group information (Group Mapping) can be changed. If you will be mapping users by groups, the value entered in the Application Attribute field ("http://schemas.xmlsoap.org/claims/Group") must match the attribute name Jamf Pro expects.
Step 2: Configure Single Sign-On in Jamf Pro
Configure and enable SSO in Jamf Pro.
- In Jamf Pro, navigate to Settings > System Settings > Single Sign-On.
- Click Edit and configure Single Sign-On to enable SSO for the Jamf Pro server.
a. Select the Jamf Pro Server checkbox.
b. Configure SSO resources.
- Do not select the Allow bypass for all users checkbox.
- Select the Self Service for macOS checkbox.
- Select the User-Initiated Enrollment checkbox.
- For User Mapping: SAML, select "NameID".
- For User Mapping: Jamf Pro, select "Email". "Username" can be used only if the Jamf Pro username matches the email, first name, or last name.
- For Identity Provider, select "Google".
- Configure the Identity Provider Metadata Source.
a. For Identity Provider Metadata Source, select "Metadata File".
b. Click Upload File.
c. Click Choose File to upload the Google metadata file downloaded in Step 1.
- Entity ID should match the following format: "https://myjss.jamfcloud.com/saml/metadata"
- Generate or upload a signing certificate. For more information, see Single Sign-On in the Jamf Pro Administrator's Guide.
- (Optional) Select the Disable SAML token expiration checkbox.
- Click Save.
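When a login fails after this step, the usual cause is a mismatch between what Google puts in the SAML response and what Jamf Pro was configured to expect: the NameID format, the Entity ID as the audience, the ACS URL as the recipient, and the group attribute name. The following Python script is an added example, not part of the Jamf documentation or Jamf's code; it compares a SAML response with the Step 1 and Step 2 settings. The response embedded in it is a constructed sample with placeholder values (EXAMPLEID, jane.doe@example.com, the group names), the `SP_SETTINGS` dictionary reuses this article's example myjss.jamfcloud.com URLs, and the function names are this example's own. It only checks that a Signature element is present; verifying the signature cryptographically against the IdP certificate is Jamf Pro's job, not this script's.

```python
"""Compare a SAML response with the Single Sign-On settings configured in Jamf Pro.

Added example; not Jamf or Google code. SAMPLE_RESPONSE is a constructed
response with placeholder values, not a real Google response.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# The values entered in Step 1 and Step 2 of this article (myjss is the example host).
SP_SETTINGS = {
    "entity_id": "https://myjss.jamfcloud.com/saml/metadata",
    "acs_url": "https://myjss.jamfcloud.com/saml/SSO",
    "nameid_format": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
    "group_attribute": "http://schemas.xmlsoap.org/claims/Group",
}

# Constructed sample response; every identifier and value is a placeholder.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
    IssueInstant="2024-01-01T00:00:00Z" Destination="https://myjss.jamfcloud.com/saml/SSO">
  <saml:Issuer>https://accounts.google.com/o/saml2?idpid=EXAMPLEID</saml:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>
  </ds:Signature>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>https://accounts.google.com/o/saml2?idpid=EXAMPLEID</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jane.doe@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData NotOnOrAfter="2024-01-01T00:05:00Z"
            Recipient="https://myjss.jamfcloud.com/saml/SSO"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2024-01-01T00:05:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://myjss.jamfcloud.com/saml/metadata</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="http://schemas.xmlsoap.org/claims/Group">
        <saml:AttributeValue>jamf-admins</saml:AttributeValue>
        <saml:AttributeValue>it-staff</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>
"""


def parse_saml_time(ts):
    """Parse the UTC timestamp form used in SAML (e.g. 2024-01-01T00:00:00Z)."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_response(xml_text, sp, now):
    """Return (subject, groups, problems) for one SAML response checked at time `now`."""
    problems = []
    root = ET.fromstring(xml_text)
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        problems.append("status is not Success")
    if root.get("Destination") != sp["acs_url"]:
        problems.append("Destination is not the ACS URL")
    if root.find("ds:Signature", NS) is None:  # Signed Response was selected in Step 1
        problems.append("response is not signed")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return None, [], problems + ["no Assertion"]
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    subject = (name_id.text or "").strip() if name_id is not None else None
    if name_id is None or name_id.get("Format") != sp["nameid_format"]:
        problems.append("NameID Format is not the EMAIL format selected in Step 1")
    if not subject or "@" not in subject:
        problems.append("NameID is not an email address; User Mapping 'Email' will not match")
    conf = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if conf is None or conf.get("Recipient") != sp["acs_url"]:
        problems.append("SubjectConfirmationData Recipient is not the ACS URL")
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        problems.append("assertion has no Conditions")
    else:
        nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")  # NotBefore is optional
        if (nb and now < parse_saml_time(nb)) or (noa and now >= parse_saml_time(noa)):
            problems.append("assertion is outside its validity window")
        audiences = [a.text.strip() for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if sp["entity_id"] not in audiences:
            problems.append("Audience does not include the Jamf Pro Entity ID")
    groups = [v.text.strip()
              for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)
              if attr.get("Name") == sp["group_attribute"]
              for v in attr.findall("saml:AttributeValue", NS) if v.text]
    if not groups:
        problems.append("no %s attribute: group mapping will not work" % sp["group_attribute"])
    return subject, groups, problems


if __name__ == "__main__":
    now = parse_saml_time("2024-01-01T00:02:00Z")  # inside the sample's validity window
    subject, groups, problems = check_response(SAMPLE_RESPONSE, SP_SETTINGS, now)
    print("subject:", subject, "groups:", groups)
    print("problems:", problems or "none")
```

To run it against a real login, pass the decoded SAMLResponse from your own test sign-in in place of the sample, with `now` set to the current UTC time; each reported problem names the Step 1 or Step 2 setting that does not line up.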
Step 3: Test the Single Sign-On configuration
Ensure Single Sign-On is set up correctly.
- Sign out of G Suite.
- Log out of Jamf Pro.
- In a web browser, navigate to your single sign-on URL for Jamf Pro.
- You should be redirected to the Google sign-in page. Log in.
- If the test is successful, you will be logged in to Jamf Pro.
- If the test fails, use your additional login URL, found in your Single Sign-On settings in Jamf Pro, to log in to the Jamf Pro server. The URL should match the following format: "https://myjss.jamfcloud.com/?failover"
- For more information on Single Sign-On settings in Jamf Pro, see Single Sign-On in the Jamf Pro Administrator's Guide.
- For more information on Single Sign-On settings in G Suite accounts, see the following G Suite Administrator Help pages: