Posted on 02-23-2017 02:09 PM
We recently purchased Okta, and I thought it would be great to get Okta talking to JAMF Pro. We have a hosted JSS, so we cannot connect it to AD (we don't want to open up ports to an internal server), so I thought this would be the perfect way to allow users to sign into Self Service, and admins into the JSS, without having to add all the users manually into the JSS.
I followed the instructions provided by both Okta and JAMF, and still was unable to get it to work. After a lot of trial and error, I was able to get it working properly. So, I thought I would write about it and share the tricks needed for configuration with everyone in JAMF Nation, as I am sure there are others running into these same issues.
Here are the steps:
In order to get the JSS to recognize users in Okta that are NOT in the JSS, you need to create a matching group IN BOTH PLACES.
1. Create an Okta group called "jamf-users" (or whatever you want)
2. Create a group in the JSS with the IDENTICAL name: "jamf-users". CASE-SENSITIVE!
NOTE: You can create different groups in the JSS with different levels of JSS permissions. As long as there are matching groups in Okta, members of the Okta groups will have those permissions to the JSS.
https://<jss_address>/saml/SSO
https://<jss_address>/saml/metadata
Unspecified
http://schemas.xmlsoap.org/claims/Groups. The name format should be Unspecified. For Filter, enter Regex and in the field enter .*
This will pass all the Okta groups into the JSS.

Now go over to your JSS, click on the Settings gear and go to Single Sign On.
1. Click Edit
2. Check the box for JAMF Software Server, and Self Service / Enrollment if you desire.
3. For User Mapping: SAML choose NameID
4. For User Mapping: JSS choose Username
5. For Group Attribute Name - enter http://schemas.xmlsoap.org/claims/Groups
6. Select your identity provider, in this case Okta.
7. Upload your metadata file
8. Make sure the Entity ID field is the same as what you entered in Okta under step 5. If it is different, update the OKTA field, NOT the JSS field.
9. Click Save.
You should now be able to log Okta users into the JSS without having to create them in the JSS. If you run into any issues, feel free to reach out to me directly. Here are some screenshots:
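To make the mapping in the steps above concrete, here is an added example (not code from the post or from Jamf/Okta) that processes a constructed SAML assertion the way the JSS settings described above would: NameID becomes the username, the Audience must equal the SP Entity ID exactly (step 8), and every group Okta passes through the `.*` filter only grants something when it matches a JSS group name case-sensitively. The hostname, the JSS group list and the privilege labels are assumptions.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
GROUP_ATTR = "http://schemas.xmlsoap.org/claims/Groups"  # Group Attribute Name in the JSS
SP_ENTITY_ID = "https://jss.example.com/saml/metadata"     # assumed JSS Entity ID (Okta Audience URI)

# Groups that exist in the JSS, keyed by exact name (privilege labels are constructed)
JSS_GROUPS = {"jamf-users": "self-service", "jamf-admins": "full-jss-admin"}

# Constructed assertion shaped like what Okta sends with the group filter set to Regex ".*"
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>jdoe</saml:NameID></saml:Subject>
  <saml:Conditions><saml:AudienceRestriction>
    <saml:Audience>https://jss.example.com/saml/metadata</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/claims/Groups">
      <saml:AttributeValue>Everyone</saml:AttributeValue>
      <saml:AttributeValue>jamf-users</saml:AttributeValue>
      <saml:AttributeValue>Jamf-Admins</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def audience_ok(assertion_xml, sp_entity_id=SP_ENTITY_ID):
    """Step 8: the Audience (Okta) must equal the JSS Entity ID character for character."""
    root = ET.fromstring(assertion_xml)
    return sp_entity_id in [a.text for a in root.findall(".//saml:Audience", NS)]


def resolve(assertion_xml, jss_groups=JSS_GROUPS, sp_entity_id=SP_ENTITY_ID):
    """Return (username, groups Okta sent, {matched JSS group: privilege})."""
    if not audience_ok(assertion_xml, sp_entity_id):
        raise ValueError("Audience does not match the JSS Entity ID; fix the Okta side")
    root = ET.fromstring(assertion_xml)
    # User Mapping: SAML NameID -> JSS Username
    username = root.findtext(".//saml:Subject/saml:NameID", namespaces=NS)
    # Every Okta group arrives (regex .*); only exact, case-sensitive matches against
    # groups defined in the JSS grant anything, so "Jamf-Admins" != "jamf-admins"
    sent = [v.text for v in root.findall(
        f".//saml:Attribute[@Name='{GROUP_ATTR}']/saml:AttributeValue", NS)]
    granted = {g: jss_groups[g] for g in sent if g in jss_groups}
    return username, sent, granted
```

Running `resolve(SAMPLE_ASSERTION)` shows that the mis-cased "Jamf-Admins" group is delivered but grants nothing, which is the symptom to check first when an Okta user lands in the JSS with no privileges.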
Posted on 02-24-2017 02:26 PM
We're currently evaluating SSO options. In this connection does it automatically provision the user when they log in with their Okta credentials or do you need to manually update the user list in the JSS?
We don't have a directory as we're entirely cloud-based with GSuite, so we prefer not to create a directory just for the JSS.
Posted on 02-24-2017 03:17 PM
My understanding from CS at JAMF is that SSO only works for logging into the JSS and NOT for Self Service or anything (non-JAMF admin) user facing. We only have 3 admins and I couldn't really get SSO to work, so I bailed on trying to configure it.
Posted on 02-24-2017 05:48 PM
@jon.leemon, thanks for the additional documentation with the regex instructions. Nice work!
@nimitz, Self Service is indeed supported with SAML/SSO. If you need assistance with setup, don't forget you can contact Jamf Support (email, phone or chat).
Posted on 03-09-2017 06:00 PM
@nimitz all my users are currently logging into Self Service with SSO, and it works great. If I am at their machine I can log in with my credentials, as I have access to more tools in Self Service. It really works beautifully once configured. If you need assistance configuring it, let me know; I am happy to help.
Posted on 03-31-2017 12:40 PM
@jon.leemon thanks for posting the instructions!
Ignore my last post :P Got it all figured out.
Posted on 11-17-2017 10:38 AM
@jon.leemon So I got it to work, but my question is with groups in OKTA and Jamf Server. I created a group in OKTA and Jamf Server here:
I am trying to work out in my head how the groups sync. What should I see in OKTA and Jamf Server? The same people listed in my Jamf Admins groups on both OKTA and Jamf Server? Do I need to assign my Jamf SAML application in OKTA to my "Jamf Admins" group in OKTA as well? Kinda confused how they sync.
Posted on 01-09-2019 11:16 AM
Sorry to kick up an old thread, but I am with @dubprocess here: it doesn't appear group lookup works with OKTA's directory. Did you ever get that working?
Posted on 01-09-2019 12:53 PM
That isn't supported. I really wish that you could use a SAML SSO provider to provision access to groups / get user data info instead of the LDAP integration.
Posted on 01-24-2019 05:40 PM
So, if I could ask some follow-up questions on this topic. I was able to get Okta going, and the matching JSS groups did work like a charm. However, I need LDAP groups to use group limitations in scopes to give rights to get to licensed software and special tools for the techs. Is there any way to get that from Okta like this? I would need Okta as an LDAP source (LDAP as a service) if I had to guess.
The above does let me set up Okta logon to the JSS, Self Service and the /enroll page just fine, btw.
The problem I am facing is, if a tech or user logs into Self Service with Okta SSO, they do not get the software that is limited to their user via an LDAP group. If they log in without Okta SSO then they do. So the account hitting Jamf seems to be different from Okta to direct LDAP, if that makes sense.
@nomeelnoj how are you scoping special items to just your admins/techs with Okta SSO to Self Service?
Posted on 01-25-2019 01:40 PM
@ScottSimmons you'll want to connect Okta as an LDAP source, to use the Okta DS (I believe it is called) to do lookups. There are two different discussions here on Jamf Nation:
Connecting Okta as an LDAP Source?
And even better, there's a blog write-up about it:
Posted on 07-09-2019 08:22 AM
How does anyone handle thick tools such as JAMF Remote with an OKTA implementation?