SSO with SAML
- Last Updated: Jun 24, 2025
- 10 minute read
You can integrate with a third-party identity provider (IdP) to enable single sign-on (SSO) for portions of Jamf Pro. When SSO is configured and enabled, users are automatically redirected to your organization's IdP login page. After authentication, users obtain access to the resource they were attempting to access.
SAML-based SSO with Jamf Pro can be enabled for the following:
- Enrollment—Users must authenticate with an IdP to complete Automated Device Enrollment (with an Enrollment Customization SSO authentication pane) or Device Enrollment (also known as "user-initiated enrollment").
- Jamf Self Service for macOS—Users must authenticate with an IdP to access Self Service. Jamf Pro uses the username entered during SSO authentication for scope calculations. Self Service is able to access any existing usernames from the IdP. Self Service for macOS supports the FIDO2 authentication method for single sign-on.
- Jamf Pro server—When an unauthenticated user attempts to access the Jamf Pro server, they are redirected to the IdP login page unless the Allow users to bypass the Single Sign-On authentication checkbox is selected in Jamf Pro single sign-on settings.
Note: Jamf recommends that administrators with supported environments use the OIDC-based SSO integration through Jamf Account to ensure full compatibility with Jamf platform capabilities and services. You can enable OIDC-based SSO in Jamf Account for administrators alongside SAML-based SSO in Jamf Pro for end users. For more information, see SSO with OIDC Through Jamf Account.
Jamf recommends using SSL (HTTPS) endpoints and the POST binding for transmission of the SAML protocol.
Jamf recommends configuring your IdP settings using a SHA-256 or higher signature for SAML assertions.
If a directory service is also integrated with Jamf Pro, keep the following in mind when configuring SSO:
- If using directory service users or groups for SSO, they should first be added as standard Jamf Pro users or groups in the Jamf Pro User Accounts and Groups settings.
- If a directory service is integrated with Jamf Pro, directory service limitations and exclusions can be used. They are calculated by matching the username entered into the IdP during Self Service user login with the username from the integrated directory service.
- If a directory service is not integrated with Jamf Pro, targets and exclusions for a username are calculated by matching the username entered into the IdP during Self Service user login with Jamf Pro user accounts and groups.
Jamf Pro uses IdP-initiated SAML Single Logout (SLO) during enrollment to ensure users can end all sessions started with Jamf Pro and the IdP. After users complete the enrollment process, a Logout button is available. Use the Messaging pane in User-Initiated Enrollment settings to customize the text displayed during the enrollment experience.
SLO is not available in the following scenarios:
- Your IdP does not provide any SLO endpoints in the metadata.
- A Jamf Pro Signing Certificate is not set up.
When SLO is not available, a message stating that the IdP session may still be active is displayed to users. This is important for Jamf Pro administrators who cannot completely log out after performing the enrollment process for other users.
To support uncommon IdP configurations, the GET binding (less secure than POST) can be used for SAML Single Logout.
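As an added example (not Jamf's code), the following Python checks an IdP metadata document for the two things this section says SLO depends on, an SLO endpoint in the metadata and a signing certificate, and reports whether the SLO endpoint uses the POST binding rather than the less secure GET (HTTP-Redirect) binding; a missing certificate is also what the troubleshooting table later on this page attributes the metadata-upload error to. The metadata documents, the entity IDs and the certificate value are constructed placeholders.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

def check_idp_metadata(xml_text):
    """Report whether IdP metadata carries what Jamf Pro needs for SSO and SLO."""
    idp = ET.fromstring(xml_text).find("md:IDPSSODescriptor", NS)
    if idp is None:
        return {"error": "no IDPSSODescriptor element"}
    slo = idp.findall("md:SingleLogoutService", NS)
    # A KeyDescriptor without a 'use' attribute is valid for both signing and encryption.
    signing = [kd for kd in idp.findall("md:KeyDescriptor", NS)
               if kd.get("use") in (None, "signing")
               and kd.find(".//ds:X509Certificate", NS) is not None]
    return {"slo_available": bool(slo),          # otherwise SLO is unavailable
            "slo_post_binding": any(s.get("Binding") == POST for s in slo),
            "signing_cert_present": bool(signing)}  # otherwise the metadata upload fails

# Constructed sample metadata (hypothetical IdP, placeholder certificate).
WITH_SLO = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.test/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>BASE64-CERT-PLACEHOLDER</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
      Location="https://idp.example.test/saml/slo"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
      Location="https://idp.example.test/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Same hypothetical IdP exported without an SLO endpoint or a certificate.
WITHOUT_SLO = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  entityID="https://idp.example.test/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
      Location="https://idp.example.test/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

if __name__ == "__main__":
    print(check_idp_metadata(WITH_SLO))     # all three keys True
    print(check_idp_metadata(WITHOUT_SLO))  # all three keys False
```

Run it against the metadata file exported from your IdP before uploading it to Jamf Pro; a False in any key explains a missing Logout button or a failed upload.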
To enable SAML-based SSO for end users, you must configure settings in both your IdP's console and Jamf Pro.
You must configure settings for your IdP before you enable SSO in Jamf Pro. In some environments, simultaneous configuration between your IdP and Jamf Pro is required.
Enabling SSO for Jamf Pro services and applications prevents users from authenticating with standard and directory credentials. Jamf recommends that you notify users about changes to the authentication experience in your organization when enabled.
- Integration with an identity provider (IdP) that supports SAML 2.0 protocols. For more information, see the following:
  - Single sign-on technical articles for:
  - Tutorial: Microsoft Entra SSO integration with Jamf Pro documentation from Microsoft
  - Integrate Jamf Pro documentation from Entrust
- TCP connectivity from the Jamf Pro server to the identity provider
- Jamf Pro user accounts or groups with matching IdP usernames or groups
- Administrator privileges to Jamf Pro and your IdP
If you are enabling the failover URL as an option for users to access Jamf Pro, and SSO authentication is enabled, the Jamf Pro user accounts need Read and Update privileges for SSO Settings in Jamf Pro. For more information, see Creating a Jamf Pro User Account.
Users are now automatically redirected to your organization's IdP login page to access configured portions of Jamf Pro.
Self Service for macOS supports the FIDO2 authentication method for single sign-on. FIDO2 is a type of Universal 2nd Factor (U2F) authentication where credentials can be accessed from a device instead of a server. It enables passwordless authentication, including passkeys, local biometric access, and hardware keys.
FIDO2 must be configured through your IdP and enabled in Jamf Pro.
When FIDO2 authentication is enabled, Self Service opens a private browser window to authenticate user credentials. Because the private browser window does not retain cookies, more frequent logins are required when FIDO2 authentication is active.
Enabling FIDO2 Authentication in Jamf Pro
- Single sign-on for Self Service for macOS must be enabled in Jamf Pro.
- FIDO2 authentication must be configured through your IdP.
- In Jamf Pro, click Settings in the sidebar.
- In the Self Service section, click macOS.
- Click Edit.
- Under Login, select Single Sign-On.
- Select Enable FIDO2 authentication.
- Click Save.
To view or download the Jamf Pro server log, see Viewing or Downloading the Jamf Pro Server Log in the Jamf Pro Documentation.
Error Message | Log Message | Cause | Resolution
---|---|---|---
"An error occurred while processing your Single Sign-On request. Contact your administrator for assistance." | Jamf Pro Log: "Error validating SAML message" | Signing certificate is invalid. | Ensure that certificates from your Identity Provider and Jamf Pro are valid. Remember to refresh Jamf Pro Metadata after making changes.
"An error occurred while processing your Single Sign-On request. Contact your administrator for assistance." | Jamf Pro Log: "Authentication statement is too old to be used" | Identity provider and the Jamf Pro Single Sign-On session lifetime are not set to the same value. | Adjust the token expiration settings.
"An error occurred while processing your Single Sign-On request. Contact your administrator for assistance." | Jamf Pro Log: "Metadata includes wantAssertionSigned, but neither Response nor included Assertion is signed" | Identity provider does not sign SAML assertions. | Verify your IdP configuration.
"Access Denied. Contact your administrator to request access to the Jamf Pro server." | | User was not mapped to Jamf Pro. | Check the following:
"Metadata file does not contain signing certificate information" | | When uploading a metadata file to the Jamf Pro server, an error is displayed when the | Add the attribute to the file:
For all other issues, contact Jamf Support.
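Added example, not Jamf's code: a checker for a captured SAML Response that flags the conditions behind the "wantAssertionSigned" and "too old to be used" rows above, plus the SHA-256-or-higher signature recommendation earlier on this page. It inspects only whether a signature is present, which algorithm it uses and how old the AuthnInstant is relative to the configured session lifetime; it does not verify the signature against the IdP certificate (the "Error validating SAML message" case). The response XML, timestamps and signature value are constructed.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
# RSA signature algorithms that meet the SHA-256-or-higher recommendation on this page.
STRONG = {f"http://www.w3.org/2001/04/xmldsig-more#rsa-sha{n}" for n in (256, 384, 512)}

def _ts(s):
    """Parse a SAML UTC timestamp such as 2025-06-24T10:00:00Z."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def check_response(xml_text, session_lifetime_minutes, now=None):
    """Report the conditions behind the 'Single Sign-On request' rows in the table."""
    now = _ts(now) if now else datetime.now(timezone.utc)
    resp = ET.fromstring(xml_text)
    assertion = resp.find("saml:Assertion", NS)
    sigs = resp.findall("ds:Signature", NS)           # signature over the Response
    if assertion is not None:
        sigs += assertion.findall("ds:Signature", NS)  # signature over the Assertion
    algs = {m.get("Algorithm") for s in sigs for m in s.findall(".//ds:SignatureMethod", NS)}
    findings = {"signed": bool(sigs),                  # wantAssertionSigned error if False
                "sha256_or_better": bool(algs) and algs <= STRONG,
                "authn_too_old": False}                # 'too old to be used' error if True
    stmt = assertion.find("saml:AuthnStatement", NS) if assertion is not None else None
    if stmt is not None:
        age = now - _ts(stmt.get("AuthnInstant"))
        findings["authn_too_old"] = age > timedelta(minutes=session_lifetime_minutes)
    return findings

def strip_signatures(xml_text):
    """Produce the unsigned variant of a response, for comparison."""
    root = ET.fromstring(xml_text)
    for parent, sig in [(p, s) for p in root.iter() for s in p.findall("ds:Signature", NS)]:
        parent.remove(sig)
    return ET.tostring(root, encoding="unicode")

# Constructed sample response (hypothetical IdP, placeholder signature value).
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2025-06-24T10:00:05Z">
    <ds:Signature><ds:SignedInfo>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
    </ds:SignedInfo><ds:SignatureValue>SIGNATURE-PLACEHOLDER</ds:SignatureValue></ds:Signature>
    <saml:AuthnStatement AuthnInstant="2025-06-24T10:00:00Z"/>
  </saml:Assertion>
</samlp:Response>"""
```

Calling `check_response(SAMPLE, 30, now="2025-06-24T10:10:00Z")` reports a signed, SHA-256 response whose 10-minute-old AuthnInstant is within a 30-minute lifetime; with a 5-minute lifetime the same response is flagged as too old, which is the mismatch the second table row describes.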