Configuring SAML SSO with Jamf Pro and PingOne

Page created: 21 Apr 2021 |

Page updated: 10 Feb 2022

| 4 min read

Configuration User task Single Sign-on (SSO) Capability PingOne for Enterprise Product SAML Standards, specifications, and protocols

Enable Jamf Pro sign on from the PingOne console (IdP-initiated sign on) and direct JAMF Pro sign on using PingOne (SP-initiated sign on) with single logout (SLO).

Link PingOne to an identity repository containing the users requiring application access.
Populate Jamf Pro with at least one user to test access.
You must have administrative access to PingOne.

Add the Jamf Pro application to PingOne:

Sign on to PingOne for Enterprise and go to Applications > My Applications.
On the SAML tab, click Add Application.
Enter Jamf Pro as the application name.
Enter a suitable description.
Choose a suitable category.
Click Continue to Next Step.

Enter the following values.

Field	Value
Assertion Consumer Service (ACS)	`https://<your instance>.jamfcloud.com/saml/SSO`
Entity ID	`https://<your instance >.jamfcloud.com/saml/metadata`
Single Logout (SLO) Endpoint	`https://<your instance>.jamfcloud.com/saml/SingleLogout`
Single Logout Binding Type	`POST`

Screen capture of the SAML metadata fields in PingOne for Enterprise with the SAML Metadata, Assertion Consumer Service, Entity ID, and Single Logout Endpoint fields highlighted in red.

On the SAML Metadata line, click Download.
Click Continue to Next Step.
Click Add new attribute.
Add the SAML_SUBJECT attribute and map it to your email attribute.
Click Continue to Next Step.
Click Add for each user groups that should have access to JAMF Pro.
Click Continue to Next Step.
Click Finish.

Add the PingOne connection to JAMF Pro:
1. Sign on to the Jamf Pro console as an administrator.
2. Click the Gear icon.
3. Go to System Settings > Single Sign-On.
4. Click the Edit icon.
5. Select the Enable Single Sign-On Authentication check box.
6. In the Identity Provider list, select PingIdentity.
7. Confirm that the Entity ID value matches the value you set previously in PingOne.
8. In the Upload Metadata File section, upload the PingOne metadata file.
9. In the Jamf Pro User Mapping section, click Email.
10. In the Single Sign-On Options for Jamf Pro section, select the Allow users to bypass the Single Sign-On authentication check box.
11. Click Save.
Test the PingOne identity provider (IdP):
1. Go to your Ping desktop as a user with Jamf Pro access.
  
  Note:
  To find the Ping desktop URL, in the PingOne admin console, go to Setup > Dock > PingOne Dock URL.
2. Complete the PingOne authentication.
  
  You're redirected to your Jamf Pro application.
Test the PingOne service provider (SP):
1. If you are using PingOne as the standard authentication method for Jamf Pro access, sign on to the Jamf Pro console as an administrator after you've completed PingOne IdP testing.
2. Go to Settings > System Settings > Single Sign-On and click Edit.
3. Clear the Allow users to bypass the Single Sign-On authentication check box.
4. Click Save.
5. Go to your Jamf Pro application.
  
  You're redirected to PingOne.
6. Enter your PingOne username and password.
  
  After successful authentication, you're redirected back to Jamf Pro.

Configuring SAML SSO with Jamf Pro and PingOne - PingOne for Enterprise

Configuration Guides