Configuring Single Sign-On with Centrify
This article explains how to configure Single Sign-On (SSO) in Jamf Pro with Centrify as your SAML 2.0 Identity Provider. When SSO is enabled, users and groups logging in to Jamf Pro are redirected to the Centrify sign-in page by default. After successful authentication, they are redirected to the Jamf Pro Dashboard.
The SSO configuration procedure covered in this article was tested with Centrify 18.9.147.
Note: Some setting names were changed in Jamf Pro 10.13.0. If you are using an earlier version of Jamf Pro, the setting names will not match the updated names in this article. For a list of name changes, see the 10.13.0 version of the Jamf Pro Release Notes.
Requirements
- Jamf Pro 9.97 or later
- User with administrative access to Centrify
- User with the Single Sign-On Update privilege in Jamf Pro
Single Sign-On with Centrify requires configuring Centrify and Jamf Pro in tandem, switching between the two consoles as values from one are entered in the other. Note that the configuration is unique to each environment and additional steps may be necessary.
The procedure involves the following steps:
- Create a SAML app for the Jamf Pro server in Centrify.
- Configure Single Sign-On in Jamf Pro.
- Configure the app for the Jamf Pro server in Centrify.
- Test the Centrify Single Sign-On configuration.
Step 1: Create a SAML App for the Jamf Pro Server in Centrify
- Log in to the Centrify admin portal and navigate to Apps > Web Apps.
- Click the Add Web Apps button.
- Navigate to the "Custom" tab and click SAML to add the app.
- In the "Settings" section, enter a name for the app.
- Enter a category for the app.
- For Application ID, enter the Entity ID for your Jamf Pro server (e.g., "https://jamfpro.example.com/saml/metadata").
Note: The Entity ID for your Jamf Pro server can be found in Single Sign-On settings in Jamf Pro. Copy it exactly; it is not the same value as the Assertion Consumer Service URL ("/saml/SSO"), and a mismatch causes Jamf Pro to reject the SAML response.
- Click Save.
- In the "Trust" section, under Identity Provider Configuration, select the Metadata option and copy the Metadata URL or download the Metadata File.
Step 2: Configure Single Sign-On in Jamf Pro
- In Jamf Pro, navigate to Settings > System Settings > Single Sign-On.
- Click the Edit button.
- Select the Enable Single Sign-On Authentication checkbox.
- For Identity Provider User Mapping, choose the "NameID" option.
Note: You may also use a custom attribute. If using a custom attribute, the SAML assertion sent by Centrify must still contain a Subject NameID (any value) in addition to the custom attribute; without it Jamf Pro cannot complete the exchange with the identity provider.
- For Jamf Pro User Mapping, use the default setting “Username”.
- For Identity Provider Group Attribute Name, use the default setting "http://schemas.xmlsoap.org/claims/Group".
- (Optional) Add the RDN Key for your LDAP group.
- Select "Centrify" from the Identity Provider pop-up menu.
- For Identity Provider Metadata Source, add the metadata URL or upload the metadata file from Centrify.
- (Optional) Upload or generate a signing certificate for the Jamf Pro server.
- Select SSO options for your Jamf Pro server.
Note: It is recommended that you copy the additional login URL to a secure location before continuing. In case of any configuration issues, you can use this URL to log in to Jamf Pro. Because this URL allows a Jamf Pro account to sign in without going through Centrify, treat it like a credential and limit who knows it.
- Save the configuration.
- (Optional) Download the Jamf Pro Metadata file.
Step 3: Configure the App for the Jamf Pro Server in Centrify
- In the Centrify admin portal, navigate to the SAML app created for the Jamf Pro server.
- In the "Trust" section, under Service Provider Configuration, select the Metadata option and upload the Metadata file downloaded from Jamf Pro or add the Jamf Pro Metadata URL (e.g., "https://jamfpro.example.com/saml/metadata").
Note: If you would like to use Single Logout, you need to select the Manual Configuration option instead. Single Logout matters for Jamf Pro administrators who perform enrollment on behalf of other users: without it, signing out of Jamf Pro does not end the Centrify session, so the administrator cannot fully log out between enrollments. To configure Single Logout, enter the following values for the Jamf Pro server:
  - SP Entity ID (e.g., "https://jamfpro.example.com/saml/metadata")
  - Assertion Consumer Service (ACS) URL (e.g., "https://jamfpro.example.com/saml/SSO")
  - Single Logout URL (e.g., "https://jamfpro.example.com/saml/SingleLogout")
- In the "Permissions" section, add necessary permissions for the app.
- In the "Account Mapping" section, choose the Account Mapping Script option and enter the following line:
LoginUser.Username = LoginUser.Get('DisplayName');
Important: Ensure the Display Name in the user account settings in Centrify matches your Jamf Pro username before saving the script.
Step 4: Test the Centrify SSO Configuration
- In Centrify, assign a test user to the created app for the Jamf Pro server.
- In Jamf Pro, create a test user account with the privileges needed to log in to Jamf Pro.
Note: The Jamf Pro username must match the Centrify test user's Display Name, which the account mapping script in Step 3 sends as the NameID.
- Sign out of the Centrify admin portal.
- Sign out of Jamf Pro.
- In a web browser, navigate to your Jamf Pro URL.
- Once redirected to the Centrify sign-in page, enter the test user's credentials.
- If the test is successful, you will be logged in to Jamf Pro.
- If the test failed, use your additional login URL to log in to Jamf Pro, and check your configuration. The URL can be found in your Single Sign-On settings in Jamf Pro.
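When the test fails, the usual causes are the hand-typed values from Steps 2 and 3 (Entity ID, ACS URL, SLO URL) disagreeing with what Jamf Pro publishes in its metadata, or the assertion lacking the NameID or group attribute that Jamf Pro maps on. The following Python script is an added example written for this article, not Jamf or Centrify tooling; it runs offline on constructed sample data shaped like Jamf Pro SP metadata and a Centrify assertion, with "jamfpro.example.com", the Centrify tenant URL and the user "jdoe" as placeholders. It checks only configuration values and deliberately does not validate the SAML signature, which Jamf Pro performs itself.

```python
"""Offline sanity check of the hand-entered Jamf Pro <-> Centrify SAML values.

Added example, not Jamf or Centrify code. Hostnames, tenant URL and the user
"jdoe" are placeholders; the XML below is constructed sample data.
"""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
REDIRECT_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
GROUP_ATTR = "http://schemas.xmlsoap.org/claims/Group"  # Jamf Pro default (Step 2)

# Constructed: what Jamf Pro publishes at /saml/metadata after Step 2.
SP_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://jamfpro.example.com/saml/metadata">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://jamfpro.example.com/saml/SingleLogout"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://jamfpro.example.com/saml/SSO" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed: values an admin typed into Centrify's Manual Configuration (Step 3).
CENTRIFY_MANUAL_SP_CONFIG = {
    "entity_id": "https://jamfpro.example.com/saml/metadata",
    "acs_url": "https://jamfpro.example.com/saml/SSO",
    "slo_url": "https://jamfpro.example.com/saml/SingleLogout",
}

# Constructed: an assertion Centrify would send after the Account Mapping Script.
ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_1" Version="2.0">
  <saml:Issuer>https://tenant.my.centrify.com/</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">jdoe</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/claims/Group">
      <saml:AttributeValue>Jamf Pro Admins</saml:AttributeValue>
      <saml:AttributeValue>IT</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def sp_endpoints(metadata_xml):
    """Return the entity ID, ACS URL and SLO URL Jamf Pro advertises in its metadata."""
    root = ET.fromstring(metadata_xml)
    sp = root.find("md:SPSSODescriptor", NS)
    acs = sp.find(f"md:AssertionConsumerService[@Binding='{POST_BINDING}']", NS)
    slo = sp.find(f"md:SingleLogoutService[@Binding='{REDIRECT_BINDING}']", NS)
    return {
        "entity_id": root.get("entityID"),
        "acs_url": acs.get("Location"),
        "slo_url": slo.get("Location") if slo is not None else None,
    }


def config_mismatches(metadata_xml, manual_config):
    """List the manually entered SP fields that disagree with Jamf Pro's metadata.

    A common slip is pasting the ACS URL (/saml/SSO) into the Entity ID field.
    """
    expected = sp_endpoints(metadata_xml)
    return sorted(k for k, v in expected.items() if manual_config.get(k) != v)


def assertion_identity(assertion_xml, group_attr=GROUP_ATTR):
    """Return (name_id, groups): the NameID Jamf Pro maps to a username, and the
    values of the group attribute. name_id is None if the Subject has no NameID."""
    root = ET.fromstring(assertion_xml)
    name_id = root.findtext("saml:Subject/saml:NameID", default=None, namespaces=NS)
    path = f"saml:AttributeStatement/saml:Attribute[@Name='{group_attr}']/saml:AttributeValue"
    groups = [v.text for v in root.findall(path, NS)]
    return name_id, groups


def check_login(assertion_xml, jamf_username, group_attr=GROUP_ATTR):
    """Return the problems that would make the Step 4 test login fail ([] if none)."""
    name_id, groups = assertion_identity(assertion_xml, group_attr)
    problems = []
    if name_id is None:
        problems.append("assertion has no Subject/NameID")
    elif name_id != jamf_username:
        problems.append(f"NameID {name_id!r} does not match Jamf Pro username {jamf_username!r}")
    if not groups:
        problems.append(f"no attribute named {group_attr!r}; check the Group Attribute Name setting")
    return problems


if __name__ == "__main__":
    print("SP config mismatches:", config_mismatches(SP_METADATA, CENTRIFY_MANUAL_SP_CONFIG))
    print("Login problems:", check_login(ASSERTION, "jdoe"))
    bad = dict(CENTRIFY_MANUAL_SP_CONFIG, entity_id="https://jamfpro.example.com/saml/SSO")
    print("With the ACS URL pasted as Entity ID:", config_mismatches(SP_METADATA, bad))
```

To use it against a real deployment, replace SP_METADATA with the metadata file downloaded in Step 2 and ASSERTION with a decoded SAMLResponse captured from the browser during the Step 4 test; the checks then tell you which Centrify field or Jamf Pro setting to revisit.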
For more information on Single Sign-On settings in Jamf Pro, see the Jamf Pro Administrator's Guide.
For more information on Single Sign-On settings in Centrify, see the Centrify Product Documentation.