
Troubleshooting Single Sign-On in Jamf Pro

Overview

This article explains how to resolve common errors that users might experience while using Single Sign-On (SSO) in Jamf Pro.

Errors in Jamf Pro

Integrating an Identity Provider (IdP) with Jamf Pro can produce the following login errors:

| Error Message | Log | Log Message | Cause |
| --- | --- | --- | --- |
| An error occurred while processing your Single Sign-On request. Contact your administrator for assistance. | org.springframework.security.authentication.AuthenticationServiceException | Error validating SAML message | Invalid Signing Certificate. Ensure that certificates from your Identity Provider and Jamf Pro are valid. Remember to refresh Jamf Pro Metadata after making changes. |
| An error occurred while processing your Single Sign-On request. Contact your administrator for assistance. | org.springframework.security.authentication.CredentialsExpiredException | Authentication statement is too old to be used | Adjust Token Expiration settings. Identity Provider and the Jamf Pro Single Sign-On session lifetime are not set to the same value. |
| An error occurred while processing your Single Sign-On request. Contact your administrator for assistance. | org.opensaml.common.SAMLException | Metadata includes wantAssertionSigned, but neither Response nor included Assertion is signed | Identity Provider does not sign SAML assertions. Verify your IdP configuration. |
| Access Denied. Contact your administrator to request access to the Jamf Pro server. | | | User was not mapped to Jamf Pro. |

If you see the Access Denied error, check the following:

- Whether the corresponding user or group exists in Jamf Pro
- Whether your Identity Provider sent the correct values
- Whether User or Group Mapping is correctly configured

Metadata file does not contain signing certificate information

When uploading a metadata file to the Jamf Pro server, users might be presented with the following error message: "Metadata file does not contain signing certificate information". This error is displayed when the KeyDescriptor element in the metadata file does not contain the use="signing" attribute. The solution is to add the attribute to the file.

  1. Open the metadata file downloaded from Jamf Pro.
  2. Locate the <KeyDescriptor> element under <IDPSSODescriptor>.
  3. Add the use="signing" attribute to the KeyDescriptor element.
  4. Save the metadata file and upload it again to the Jamf Pro server.
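
The check and fix from the steps above, scripted as an added example (not Jamf's own code). The function name fix_signing_use and the sample metadata, including its entityID, endpoint and certificate placeholder, are constructed for illustration.

```python
import xml.etree.ElementTree as ET  # for untrusted files, parse with defusedxml instead

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
ET.register_namespace("md", MD)
ET.register_namespace("ds", DS)

# Constructed sample: placeholder entityID, endpoint and certificate body.
KEYINFO = ("<ds:KeyInfo><ds:X509Data><ds:X509Certificate>PLACEHOLDER"
           "</ds:X509Certificate></ds:X509Data></ds:KeyInfo>")
SAMPLE = f"""<md:EntityDescriptor xmlns:md="{MD}" xmlns:ds="{DS}"
    entityID="https://idp.example.com/metadata">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor>{KEYINFO}</md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">{KEYINFO}</md:KeyDescriptor>
    <md:SingleSignOnService Location="https://idp.example.com/sso"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def fix_signing_use(xml_text):
    """Add use="signing" to IdP KeyDescriptors that have no use attribute.

    Returns (fixed_xml, report). Descriptors already marked "encryption"
    are left alone, so an encryption-only key is never promoted to signing.
    """
    root = ET.fromstring(xml_text)
    report = {"added": 0, "signing": 0, "encryption": 0,
              # An enveloped signature on the metadata stops verifying once edited.
              "signed_metadata": root.find(f"{{{DS}}}Signature") is not None}
    for idp in root.iter(f"{{{MD}}}IDPSSODescriptor"):
        for kd in idp.findall(f"{{{MD}}}KeyDescriptor"):
            if kd.get("use") is None:
                kd.set("use", "signing")
                report["added"] += 1
            if kd.get("use") in ("signing", "encryption"):
                report[kd.get("use")] += 1
    return ET.tostring(root, encoding="unicode"), report


if __name__ == "__main__":
    fixed, report = fix_signing_use(SAMPLE)
    print(report)
    print(fixed)
```

In SAML metadata a KeyDescriptor with no use attribute applies to both signing and encryption, so adding use="signing" narrows that key to signing only. If the report shows signed_metadata as true, the edit invalidates the metadata's own signature.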

Further Considerations

When configuring your Identity Provider settings, make sure that users are assigned to the Jamf Pro application.

SOLVED Posted: by gilchrist_mark

Just ran into the "An error occurred while processing your Single Sign-On request. Contact your administrator for assistance." error message. After going through settings on both sides a number of times, checking the jamfsoftwareserver.log mentioned skew errors. The JSS server clock was off by a few minutes. Re-sync the clock settings and the issue was resolved.

SOLVED Posted: by Rye
Just ran into the "An error occurred while processing your Single Sign-On request. Contact your administrator for assistance." error message.

I run into this issue quite often. Our SSO config is through Google as we are using the Jamf Pro (Cloud version). I can't seem to sort out what the exact issue is that continues to cause this. However, if I open an incognito window or clear the browser cache the issue is temporarily resolved.

Any thoughts?

The certificate is valid till 2021

Settings are all correct as mentioned in the SSO config doc for Google

SOLVED Posted: by bmcdade

We seem to get this SSO error frequently and entirely randomly. We use Okta for SSO and sometimes it will work in the same browser in private mode, other times need to use a different browser. Random cache/cookie clean-ups will fix it. So random.

SOLVED Posted: by dstocking

I'm seeing the same issue. Works fine from an incognito window.

SOLVED Posted: by mhamlin

Same issue from time to time here. Restarting Tomcat fixed it for me.

SOLVED Posted: by sbijalikhan

The possible way to resolve such an issue is by going to https://portal.office.com and logging out.

SOLVED Posted: by lunddal

I'm seeing the same issue here with Azure AD. Telling users to log out of Office 365 several times a day is not a solution, and no other SSO app we use does that.
