Configuring SAML SSO with Jamf Pro and PingOne for Enterprise

Enable Jamf Pro sign-on from the PingOne for Enterprise console (IdP-initiated sign-on) and direct Jamf Pro sign-on using PingOne for Enterprise (SP-initiated sign-on) with single logout (SLO).

Before you begin

  • Link PingOne for Enterprise to an identity repository containing the users requiring application access.

  • Populate Jamf Pro with at least one user to test access.

  • You must have administrative access to PingOne for Enterprise.

Add the Jamf Pro application to PingOne for Enterprise

  1. Sign on to PingOne for Enterprise and go to Applications → My Applications.

  2. On the SAML tab, click Add Application.

    The PingOne for Enterprise My Applications page with the SAML tab selected. The Add Application list is open with New SAML Application selected.
  3. Enter Jamf Pro as the application name.

  4. Enter a suitable description.

  5. Choose a suitable category.

  6. Click Continue to Next Step.

  7. Enter the following values:

    Field                               Value
    Assertion Consumer Service (ACS)    https://your-instance.jamfcloud.com/saml/SSO
    Entity ID                           https://your-instance.jamfcloud.com/saml/metadata
    Single Logout (SLO) Endpoint        https://your-instance.jamfcloud.com/saml/SingleLogout
    Single Logout Binding Type          POST

  8. On the SAML Metadata line, click Download.

  9. Click Continue to Next Step.

  10. Click Add new attribute.

  11. Add the SAML_SUBJECT attribute and map it to your email attribute.

  12. Click Continue to Next Step.

  13. Click Add for each user group that should have access to Jamf Pro.

  14. Click Continue to Next Step.

  15. Click Finish.

Add the PingOne for Enterprise connection to Jamf Pro

  1. Sign on to the Jamf Pro console as an administrator.

  2. Click the Gear icon.

  3. Go to System Settings → Single Sign-On.

  4. Click the Edit icon.

  5. Select the Enable Single Sign-On Authentication check box.

  6. In the Identity Provider list, select Ping Identity.

  7. Confirm that the Entity ID value matches the value you set previously in PingOne for Enterprise.

  8. In the Upload Metadata File section, upload the PingOne for Enterprise metadata file.

  9. In the Jamf Pro User Mapping section, click Email.

  10. In the Single Sign-On Options for Jamf Pro section, select the Allow users to bypass the Single Sign-On authentication check box.

  11. Click Save.

Test the PingOne for Enterprise identity provider (IdP)

  1. Go to your Ping desktop as a user with Jamf Pro access.

    To find the Ping desktop URL, in the PingOne admin console, go to Setup → Dock → PingOne Dock URL.

  2. Complete the PingOne authentication.

    You’re redirected to your Jamf Pro application.

Test the PingOne for Enterprise service provider (SP)

  1. If you are using PingOne for Enterprise as the standard authentication method for Jamf Pro access, sign on to the Jamf Pro console as an administrator after you’ve completed PingOne for Enterprise IdP testing.

  2. Go to Settings → System Settings → Single Sign-On and click Edit.

  3. Clear the Allow users to bypass the Single Sign-On authentication check box.

  4. Click Save.

  5. Go to your Jamf Pro application.

    You’re redirected to PingOne for Enterprise.

  6. Enter your PingOne for Enterprise username and password.

    After successful authentication, you’re redirected back to Jamf Pro.