
Jamf Pro SAML integration

Multi-factor authentication (MFA) is an extra layer of security used when logging in to websites or apps. It authenticates users through more than one security and validation procedure, each based on something that only they know or have access to.

Jamf Pro is the Enterprise Mobility Management software that can manage an organization's Apple ecosystem. Acceptto integrates with Jamf Pro to improve the security of users' logins to Jamf Pro through its Intelligent SSO-MFA solution.

Prerequisites

  • An Acceptto account with a configured Identity Provider and LDAP Agent.

    For more information, see the LDAP Agent deployment guide.

  • A user with administrative privileges for the Jamf Pro portal.

Configure Jamf Pro as a SAML Service Provider

  1. Log in to your Jamf Pro tenant and navigate to System Setting > Single Sign-On.

  2. On the Single Sign-On Settings page, click Edit.

  3. Check the Enable Single-Sign-On Authentication box. In the Identity Provider section, select Other and type a name in the blank field. Copy and note the Entity ID URL. This is the metadata URL of Jamf Pro, and it is required for the Acceptto configuration in the next section.

  4. In the Identity Provider Metadata Source, select Metadata URL and paste your organization's Acceptto metadata URL. It should be https://sso.acceptto.com/<myorganization>/saml/download/metadata, where myorganization is your unique identifier in the Acceptto cloud.

  5. Keep the default settings in the User Mapping section.

  6. Click on Save.

Acceptto SAML Configuration as Identity Provider (IdP)

  1. Log in to the Acceptto Dashboard with an administrative account and go to Applications.

  2. Create a new application by selecting Create New Application.

  3. In the New Application form, enter the following values under the General tab.

    • Name - The application name displayed in the admin panel and application portal and used for push notifications and audit logs. (e.g. Jamf)

    • Type - Select "SAML Service Provider" from the options

    • Out of Band Methods - Select the allowed methods for approving MFA requests

    • Message for MFA Requests - Enter the user-facing message for Push, SMS, and email MFA requests (optional)

  4. Under the SAML Service Provider Configuration tab, enter the following values:

    • Issuer or Entity ID - Enter the EntityID of your Jamf Pro instance, which you can find in the Jamf metadata file.

    • Sign in URL - The URL used to log in to your Jamf Pro instance.

    • NameID Format - Select "Email address" from the dropdown menu.

    • Name Identifier - Select "Email" from the dropdown menu.

    • Assertion Consumer Service (ACS) URL - Enter the URL on the service provider to which the identity provider redirects with its authentication response.

    • Single Logout URL - The URL used to log out of your Jamf Pro instance.

  5. Click Save to create the Application.
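
The values requested in step 4 can be read from the Jamf Pro SP metadata file and sanity-checked before they are entered. The following is an added example, not part of the original guide or of Jamf or Acceptto tooling; the sample metadata, the example.jamfcloud.com paths and the function name sp_values are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample SP metadata; a real Jamf Pro metadata file will differ.
SAMPLE = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://example.jamfcloud.com/saml/metadata">
  <md:SPSSODescriptor WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://example.jamfcloud.com/saml/SingleLogout"/>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:AssertionConsumerService index="0" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://example.jamfcloud.com/saml/SSO"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def sp_values(metadata_xml):
    """Return (values for the IdP form, warnings) from SP metadata XML."""
    # Intended for your own tenant's file; use a hardened parser for untrusted XML.
    root = ET.fromstring(metadata_xml)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("not a single SAML EntityDescriptor")
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("metadata has no SPSSODescriptor")
    acs = [e.get("Location") for e in sp.findall("md:AssertionConsumerService", NS)
           if e.get("Binding") == POST]
    slo = [e.get("Location") for e in sp.findall("md:SingleLogoutService", NS)]
    values = {
        "entity_id": root.get("entityID"),
        "acs_url": acs[0] if acs else None,
        "slo_url": slo[0] if slo else None,
        "nameid_formats": [e.text.strip() for e in sp.findall("md:NameIDFormat", NS)],
    }
    warnings = []
    for key in ("acs_url", "slo_url"):
        url = values[key]
        if url is None:
            warnings.append(key + " missing from metadata")
        elif urlparse(url).scheme != "https":
            warnings.append(key + " is not HTTPS: " + url)
    if sp.get("WantAssertionsSigned") != "true":
        warnings.append("SP does not declare WantAssertionsSigned")
    return values, warnings
```

An empty warnings list means the ACS and logout endpoints are HTTPS and the SP asks for signed assertions; confirm that nameid_formats includes the emailAddress format selected in step 4.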

Test your application integration

  1. Open the Jamf Pro login URL in a browser of your choice. You will be redirected to the Acceptto SSO page.

  2. After successful authentication, you’ll see the Acceptto MFA options. Select your desired method and accept the authentication request.

  3. After successful authentication, you will be redirected to the Jamf Pro landing page.


Troubleshooting

If you have any problems logging in to Jamf Pro with Acceptto SSO and need to edit the settings, you can open the failover login page at https://example.jamfcloud.com/?failover.

Support

If you have questions or need assistance, contact SecureAuth Support.

Sales

Want to learn more about our MFA solutions? Contact our Professional Services for a demo today.

Disclaimer

All product names, trademarks, and registered trademarks are the property of their respective owners.

All company, product, and service names used in this document are for identification purposes only. The use of these names, trademarks, and brands does not constitute an endorsement by the SecureAuth Corporation.