Integrating JSS with Okta SSO

nomeelnoj
New Contributor III

We recently purchased Okta, and I thought it would be great to get Okta talking to JAMF Pro. We have a hosted JSS, so we cannot connect it to AD (don't want to open up ports to an internal server) so I thought this would be the perfect way to allow users to sign into Self Service, and Admins for the JSS, without having to add all the users manually into the JSS.

I followed the instructions provided by both Okta and JAMF, and still was unable to get it to work. After a lot of trial and error, I was able to get it working properly. So, I thought I would write about it and share the tricks needed for configuration with everyone in JAMF Nation, as I am sure there are others running in to these same issues.

Here are the steps:

Create your Group(s)

In order to get the JSS to recognize users in Okta that are NOT in the JSS, you need to create a matching group IN BOTH PLACES.

1. Create an Okta group called "jamf-users" (or whatever you want)
2. Create a group in the JSS with the IDENTICAL name: "jamf-users". CASE-SENSITIVE!

NOTE: You can create different groups in the JSS with different levels of JSS permissions. As long as there are matching groups in Okta, members of the Okta groups will have those permissions to the JSS.

Configure JSS for SSO and Okta for JSS

  1. Create a new SAML Template application in Okta by clicking Add Application, then "Create New App"
  2. Choose SAML 2.0
  3. Give your app a name and icon, and click Next.
  4. For your Single Sign On URL, enter: https://<jss_address>/saml/SSO
  5. The Audience URI (SP Entity ID) should be https://<jss_address>/saml/metadata
  6. Leave Name ID format as Unspecified
  7. Application Username should be whatever you want, I usually go with Okta prefix
  8. This step is VERY important. Under Group Attribute Statements, enter: http://schemas.xmlsoap.org/claims/Groups. The name format should be Unspecified. For Filter, enter Regex and in the field enter .* This will pass all the Okta groups into the JSS.
  9. Click Next, assign to users, and click Save.
  10. Under the Sign On tab, click the Identity Provider Metadata link to download the metadata file. Save it with a .xml extension.

Now go over to your JSS, click on the Settings gear and go to Single Sign On.
1. Click Edit
2. Check the box for JAMF Software Server, and Self Service/Enrollment if you desire.
3. For User Mapping: SAML choose NameID
4. For User Mapping: JSS choose Username
5. For Group Attribute Name - enter http://schemas.xmlsoap.org/claims/Groups
6. Select your identity provider, in this case Okta.
7. Upload your metadata file
8. Make sure the Entity ID field is the same as what you entered in Okta under step 5. If it is different, update the OKTA field, NOT the JSS field.
9. Click Save.

You should now be able to log Okta users into the JSS without having to create them in the JSS. If you run into any issues, feel free to reach out to me directly. Here are some screenshots.

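As an added example (not part of the original post or of Jamf's or Okta's code), the following Python script shows what the JSS is effectively doing with the assertion Okta sends under the configuration above: it reads the NameID (mapped to the JSS username), checks that the Audience equals the SP Entity ID https://<jss_address>/saml/metadata, and pulls the group list from the attribute named http://schemas.xmlsoap.org/claims/Groups so you can see which JSS groups would match. The sample assertion, the hostname jss.example.com and the usernames are constructed placeholders; Okta's real assertion is signed and carries more elements.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
GROUPS_ATTR = "http://schemas.xmlsoap.org/claims/Groups"  # name used in steps 8 and 5 above

# Constructed sample assertion (not a real Okta capture); hostname and user are placeholders.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">jdoe</saml:NameID>
  </saml:Subject>
  <saml:Conditions>
    <saml:AudienceRestriction>
      <saml:Audience>https://jss.example.com/saml/metadata</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/claims/Groups"
        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
      <saml:AttributeValue>Everyone</saml:AttributeValue>
      <saml:AttributeValue>jamf-users</saml:AttributeValue>
      <saml:AttributeValue>Jamf Admins</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def parse_assertion(xml_text):
    """Return the NameID, Audience and the group values carried by the Groups attribute."""
    root = ET.fromstring(xml_text)
    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    audience = root.findtext(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", namespaces=NS)
    groups = []
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == GROUPS_ATTR:  # only the attribute the JSS is told to read
            groups.extend(v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text)
    return {"name_id": name_id, "audience": audience, "groups": groups}


def check_audience(assertion, jss_address):
    """Audience must equal the SP Entity ID entered in Okta (step 5) and shown in the JSS (step 8)."""
    return assertion["audience"] == f"https://{jss_address}/saml/metadata"


def matched_jss_groups(assertion_groups, jss_groups):
    """Exact, case-sensitive intersection: 'Jamf-Users' does NOT match a JSS group 'jamf-users'."""
    return sorted(set(assertion_groups) & set(jss_groups))


if __name__ == "__main__":
    a = parse_assertion(SAMPLE_ASSERTION)
    print(a["name_id"], check_audience(a, "jss.example.com"),
          matched_jss_groups(a["groups"], ["jamf-users", "Jamf Admins", "jamf-readonly"]))
```

Groups that exist only in Okta (here "Everyone") are ignored by the match, which is why a JSS group with the identical name has to exist before its members get any permissions.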


kld0010
New Contributor II

We're currently evaluating SSO options. In this connection does it automatically provision the user when they log in with their Okta credentials or do you need to manually update the user list in the JSS?

We don't have a directory as we're entirely cloud-based with GSuite, so we prefer not to create a directory just for the JSS.

nimitz
New Contributor II

My understanding from CS at JAMF is that SSO only works for logging into the JSS and NOT for self service or anything (non-JAMF admin) user facing. We only have 3 admins and I couldn't really get SSO to work, so I bailed on trying to configure it.

talkingmoose
Moderator

@jon.leemon, thanks for the additional documentation with the regex instructions. Nice work!

@nimitz, Self Service is indeed supported with SAML/SSO. If you need assistance with setup, don't forget you can contact Jamf Support (email, phone or chat).

nomeelnoj
New Contributor III

@nimitz all my users are currently logging into self service with SSO, and it works great. If I am at their machine I can log in with my credentials as I have access to more tools in self service. It really works beautifully once configured. If you need assistance configuring it let me know, I am happy to help.

chad_fox
Contributor II

@jon.leemon thanks for posting the instructions!

Ignore my last post :P Got it all figured out.

dubprocess
New Contributor III

@jon.leemon So I got it to work, but my question is with groups in OKTA and Jamf Server. I created a group in OKTA and Jamf Server here:

  1. OKTA>Admin>Directory>Groups>Jamf Admins
  2. Jamf>Jamf User Accounts & Groups>Jamf Admins

I am trying to work out in my head how the groups sync? What should I see in OKTA and Jamf server? The same people listed in my Jamf Admins Groups on both OKTA and Jamf Server? Do I need to assign my Jamf SAML Application in OKTA into my "Jamf Admins" group in OKTA as well? Kinda confused how they sync.

Br3ck
New Contributor III

Sorry to kick up an old thread but I am with @dubprocess here, doesn't appear group lookup works with OKTA's directory. Did you ever get that working?

sdamiano
Contributor II

That isn't supported. I really wish that you could use a SAML SSO provider to provision access to groups / get user data info instead of the LDAP integration.

Scotty
Contributor

So if I could ask some follow-up questions on this topic. I was able to get okta going, and the matching JSS groups did work like a charm. However, I need LDAP groups to use group limitations in scopes to give rights to get to licensed software and special tools for the techs. Is there any way to get that from okta like this? I would need Okta as an LDAP source (LDAP as a service) if I had to guess.

The above does let me set up okta logon to the JSS, self service and the /enroll page just fine, btw.

The problem I am facing is, if a tech or user logs into Self Service with Okta SSO, they do not get the software that is limited to their user via an LDAP group. If they log in without Okta SSO then they do. So the account hitting Jamf seems to be different from okta to direct LDAP, if that makes sense.

@nomeelnoj how are you scoping special items to just your admins/techs with okta SSO to Self Service?

stevewood
Honored Contributor II

@ScottSimmons you'll want to connect Okta as an LDAP source to use the Okta DS (I believe it is called) to do lookups. There are two different discussions here on Jamf Nation:

Connecting Okta as an LDAP Source?

Using Okta as an LDAP source

And even better, there's a blog write up about it:

Integrating Okta LDAP in Jamf Pro

wmateo
Contributor

How does anyone handle thick tools such as JAMF Remote with an OKTA implementation?