
Jamf generated SSO certificate not accepted by Identity Provider

My issue is that my identity provider (IdP) does not accept the self-signed certificate generated by Jamf SSO. Below I describe how I got around this issue.
I'm using the Jamf Cloud service.

  • Perform the below steps on a machine with OpenSSL installed

In this example I use the following information:
- FQDN: sp.example.com
- entityID: https://example.jamfcloud.com/saml/metadata

  1. Create an OpenSSL config file sp-cert.cnf with the following content (note: your IdP might require you to use different settings here!).

    [req]
    RANDFILE=/dev/urandom
    default_bits=3072
    default_md=sha256
    encrypt_key=no
    distinguished_name=dn
    # PrintableStrings only
    string_mask=MASK:0002
    prompt=no
    x509_extensions=ext
    # customize the "default_keyfile", "CN" and "subjectAltName" lines below
    default_keyfile=sp-key.pem
    [dn]
    # CN matches the FQDN used in this example (sp.example.com)
    CN=sp.example.com
    [ext]
    subjectAltName = DNS:sp.example.com, \
        URI:https://example.jamfcloud.com/saml/metadata
    subjectKeyIdentifier=hash
  2. Run the following command (again, your IdP might require you to add different parameters here):

    openssl req -new -x509 -config sp-cert.cnf -text -out sp-cert.pem -days 1096
  3. You are left with a cert and a key file. Combine these into a password-protected certificate file (note that you can use different options for -passout to avoid typing the password in clear text in your terminal; for me I didn't care, as I performed these steps on my machine. Also I don't really see a point in protecting my key, as it should be stored in a protected environment anyway.)

    openssl pkcs12 -export -in sp-cert.pem -inkey sp-key.pem -out sp-cert.p12 -passout pass:<<password>>
  4. The .p12 file can be uploaded to your Jamf SSO configuration.
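As an added example that is not part of the original post: the same three OpenSSL steps wrapped in a POSIX shell function, followed by the checks worth running before uploading the .p12 to Jamf (that the SAN holds the SP hostname and the entityID URI, that the certificate is currently within its validity window, and that the key packed into the .p12 matches the certificate). The scratch directory argument and the password `changeit` are constructed placeholders; FQDN and entityID are the post's example values.

```shell
#!/bin/sh
# Added example, not from the original post: run the post's steps 1-3 in a
# scratch directory and then verify what the IdP will actually see in the
# certificate. FQDN and entityID are the post's placeholders; the password
# is a constructed placeholder standing in for <<password>>.
set -eu

FQDN="sp.example.com"
ENTITY_ID="https://example.jamfcloud.com/saml/metadata"
P12_PASS="changeit"

# $1 = scratch directory. Writes sp-cert.cnf, sp-key.pem, sp-cert.pem and
# sp-cert.p12 there, then prints "ok" if every check passes (or the failing check).
make_and_verify_sp_cert() {
  dir="$1"
  cat > "$dir/sp-cert.cnf" <<EOF
[req]
default_bits=3072
default_md=sha256
encrypt_key=no
distinguished_name=dn
string_mask=MASK:0002
prompt=no
x509_extensions=ext
default_keyfile=$dir/sp-key.pem
[dn]
CN=$FQDN
[ext]
subjectAltName=DNS:$FQDN, URI:$ENTITY_ID
subjectKeyIdentifier=hash
EOF
  openssl req -new -x509 -config "$dir/sp-cert.cnf" -out "$dir/sp-cert.pem" -days 1096
  openssl pkcs12 -export -in "$dir/sp-cert.pem" -inkey "$dir/sp-key.pem" \
    -out "$dir/sp-cert.p12" -passout "pass:$P12_PASS"
  # Check 1: the SAN carries both the SP hostname and the entityID URI.
  text=$(openssl x509 -in "$dir/sp-cert.pem" -noout -text)
  echo "$text" | grep -qF "DNS:$FQDN" || { echo "missing DNS SAN"; return 1; }
  echo "$text" | grep -qF "URI:$ENTITY_ID" || { echo "missing URI SAN"; return 1; }
  # Check 2: the certificate is within its validity window right now.
  openssl x509 -in "$dir/sp-cert.pem" -noout -checkend 0 >/dev/null || { echo "expired"; return 1; }
  # Check 3: the key inside the .p12 belongs to the certificate, i.e. the two
  # files from step 3 were not mixed up before the export.
  cert_pub=$(openssl x509 -in "$dir/sp-cert.pem" -noout -pubkey)
  p12_pub=$(openssl pkcs12 -in "$dir/sp-cert.p12" -nocerts -nodes \
    -passin "pass:$P12_PASS" | openssl pkey -pubout)
  [ "$cert_pub" = "$p12_pub" ] || { echo "key mismatch"; return 1; }
  echo ok
}
```

Run it as `make_and_verify_sp_cert "$(mktemp -d)"`; anything other than `ok` names the check that failed, which is usually also the reason the IdP rejects the upload.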
