Jamf SSO Comparison: Jamf Account SSO vs Settings SAML SSO
READER BEWARE: THE FOLLOWING WAS WRITTEN ENTIRELY BY AI WITHOUT HUMAN EDITING.
Introduction
Jamf Pro offers two distinct Single Sign-On (SSO) integration methods, each serving different purposes and requirements. Understanding the differences between these two SSO types is crucial for organizations looking to implement proper authentication controls, especially when certain features like Compliance Benchmarks require a specific SSO configuration.
This guide compares:
- Jamf Account SSO - Managed through Jamf Account (account.jamf.com), required for advanced features like Compliance Benchmarks
- Settings SAML SSO - Configured under Jamf Pro Settings, enforces SAML authentication for Jamf Pro console users
We’ll explore the setup process for each, their intended use cases, and what happens when you implement both SSO methods simultaneously.
Overview: Two SSO Approaches
Jamf Account SSO
Jamf Account SSO is configured through the Jamf Account portal (account.jamf.com) and provides authentication at the Jamf Account level. This is the SSO integration that Jamf requires for specific advanced features.
Key Characteristics:
- Configured at account.jamf.com
- Required for features like Compliance Benchmarks
- Manages access to Jamf Account services
- Provides organization-level identity management
Settings SAML SSO
Settings SAML SSO is configured directly within Jamf Pro under Settings → System → Single sign-on. When enabled, it requires Jamf Pro console users to authenticate through the identity provider instead of with local Jamf Pro credentials (the optional bypass login and API authentication are the exceptions).
Key Characteristics:
- Configured within Jamf Pro Settings
- Uses SAML 2.0 authentication
- Forces all users to authenticate via SSO
- Integrates with identity providers like Okta, Azure AD (now Microsoft Entra ID), Ping Identity, etc.
Jamf Account SSO: Setup and Configuration
Why Jamf Account SSO is Required for Compliance Benchmarks
According to Jamf documentation, the Compliance Benchmarks feature “requires that single sign-on (SSO) for administrators be set up and managed in Jamf Account.” This is because Compliance Benchmarks and certain other advanced features operate at the Jamf Account level, not just the individual Jamf Pro instance level.
Setup Process
Step 1: Access Jamf Account
- Navigate to account.jamf.com
- Sign in with your Jamf Account credentials
- Select your organization
Step 2: Configure Identity Provider Integration
- Navigate to Organization Settings → Identity Provider
- Click Configure Identity Provider or Edit if already configured
- Select your identity provider type:
- SAML 2.0
- Azure AD
- Google Workspace
- Okta
Step 3: SAML Configuration (for SAML 2.0)
Provide the following information from your IdP:
Entity ID: https://account.jamf.com/saml/metadata
ACS URL: https://account.jamf.com/saml/SSO
Configure the following in your IdP:
- Name ID Format: emailAddress (urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress). Note that emailAddress and persistent are two different Name ID formats; pick one and configure the same one on both the IdP and the Jamf side
- Attributes: email, firstName, lastName
Download the IdP metadata or manually enter:
- IdP Entity ID
- SSO URL
- X.509 Certificate
Step 4: Attribute Mapping
Map the following SAML attributes:
| Jamf Account Attribute | SAML Attribute |
|---|---|
| Email | email or emailAddress |
| First Name | firstName or givenName |
| Last Name | lastName or surname |
Step 5: Test and Enable
- Use the Test Connection feature to verify configuration
- Sign in with a test account
- Enable SSO for your organization
- Choose whether to allow local password fallback
Features Requiring Jamf Account SSO
The following Jamf features require or benefit from Jamf Account SSO:
- Compliance Benchmarks - Security baseline assessments
- Jamf Security Cloud integrations
- Unified Jamf Account access across products
- Centralized user management for multi-product environments
Settings SAML SSO: Setup and Configuration
Purpose of Settings SAML SSO
Settings SAML SSO is designed to enforce SSO authentication for all users accessing the Jamf Pro console. When enabled, users cannot log in to the console with local Jamf Pro credentials and must authenticate through the configured identity provider, unless the bypass option is turned on. This applies to the web console only; the Classic API and Jamf Pro API authenticate separately with Jamf Pro account credentials or API clients.
Setup Process
Step 1: Access SSO Settings
- Log into Jamf Pro as an administrator
- Navigate to Settings → System → Single Sign-On
- Click Edit
Step 2: Enable SSO Authentication
Toggle Enable SSO Authentication for Jamf Pro to On
Step 3: Identity Provider Configuration
Select your identity provider and configure:
For SAML 2.0:
Entity ID: https://your-instance.jamfcloud.com/saml/metadata
ACS URL: https://your-instance.jamfcloud.com/saml/SSO
Enter IdP metadata:
- Identity Provider Entity ID: Your IdP’s entity ID
- Identity Provider Single Sign-On URL: Your IdP’s SSO endpoint
- Identity Provider Certificate: X.509 certificate for signature verification
Step 4: User Mapping Configuration
Configure how the identity in the SAML assertion is matched to a Jamf Pro account. There are two settings, one for each side of the match:
Identity Provider User Mapping: NameID (the default) or a named SAML attribute such as email
Jamf Pro User Mapping: Username or Email
The value taken from the assertion (the NameID or the chosen attribute) is compared against the chosen field of existing Jamf Pro accounts, or against group membership when a group attribute is configured in Step 5. Jamf Pro does not create accounts from assertions, so the account or group must exist before the user signs in, and the values must match (check for case differences and aliased addresses when a login fails).
Step 5: Advanced Settings
Configure additional options:
| Setting | Description |
|---|---|
| Allow users to bypass SSO | Exposes a failover login page at https://your-instance.jamfcloud.com/?failover that accepts local Jamf Pro passwords. Leave it off, or restrict it to documented break-glass accounts with strong passwords, because it sidesteps IdP MFA and conditional access |
| Token Expiration | How long a SAML session token stays valid; keep expiration enabled |
| Identity Provider Group Attribute Name | SAML attribute carrying group membership, used to match Jamf Pro groups |
| RDN Key for LDAP Group | Only needed when the group attribute carries full LDAP DNs rather than plain group names |
Privileges and site access are not set in the SSO settings; they come from the Jamf Pro user account or group that the assertion matches.
Step 6: Configure IdP
In your identity provider, create a new SAML application with:
Okta Example:
Application Type: SAML 2.0
Single Sign On URL: https://your-instance.jamfcloud.com/saml/SSO
Audience URI (SP Entity ID): https://your-instance.jamfcloud.com/saml/metadata
Name ID Format: EmailAddress
Attribute Statements:
- email: user.email
- firstName: user.firstName
- lastName: user.lastName
Azure AD Example:
Application Type: Enterprise Application
SSO Mode: SAML-based Sign-on
Identifier (Entity ID): https://your-instance.jamfcloud.com/saml/metadata
Reply URL (ACS URL): https://your-instance.jamfcloud.com/saml/SSO
User Attributes & Claims:
- emailaddress: user.mail
- givenname: user.givenname
- surname: user.surname
Step 7: Test and Enable
- Click Test SAML Connection
- Verify successful authentication
- Save the configuration
- Notify users of the change to SSO authentication
User Experience After Enabling Settings SAML SSO
Once enabled:
- Users navigate to Jamf Pro login page
- They are redirected to identity provider
- After IdP authentication, they return to Jamf Pro
- Session is established based on SAML assertion
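The flow above ends with Jamf Pro checking the posted SAML Response before it establishes a session. The following Python is an added example, not Jamf's code and not a description of Jamf Pro's internals: it applies the standard service-provider checks (Destination against the ACS URL, Audience against the entity ID, NameID format, and the validity window with a clock-skew allowance) to a constructed sample response, then pulls out the identifier and group values that the user mapping and group attribute settings would consume. The sample response, the your-instance host, the account table and the "groups" attribute name are all assumptions; signature verification is omitted here and must not be omitted in a real SP.

```python
"""Service-provider-side checks on an inbound SAML Response.

Added example for this page; it is not Jamf code and does not reproduce how
Jamf Pro validates assertions internally. Signature verification is
deliberately left out: a real SP must verify the XML signature against the
IdP certificate before trusting any value below.
"""
from __future__ import annotations

import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Placeholder SP identifiers from the page (your-instance is not a real host).
SP_ENTITY_ID = "https://your-instance.jamfcloud.com/saml/metadata"
ACS_URL = "https://your-instance.jamfcloud.com/saml/SSO"

# Constructed sample of what an IdP might POST to the ACS URL (no signature).
SAMPLE_RESPONSE = """\
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_r1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z"
    Destination="https://your-instance.jamfcloud.com/saml/SSO">
  <saml:Issuer>http://www.okta.com/exk0example</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z">
    <saml:Issuer>http://www.okta.com/exk0example</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">Jane.Doe@example.com</saml:NameID>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-05-01T11:55:00Z" NotOnOrAfter="2024-05-01T12:05:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://your-instance.jamfcloud.com/saml/metadata</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="email">
        <saml:AttributeValue>Jane.Doe@example.com</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="groups">
        <saml:AttributeValue>jamf-pro-admins</saml:AttributeValue>
        <saml:AttributeValue>Everyone</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>
"""

# A fixed "now" inside the sample's validity window, so the demo is reproducible.
SAMPLE_NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)


def _utc(ts: str) -> datetime:
    """Parse the Z-suffixed UTC timestamps SAML uses."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_response(xml_text: str, sp_entity_id: str, acs_url: str,
                   now: datetime, skew: timedelta = timedelta(seconds=60)) -> list[str]:
    """Return the reasons an SP would reject this response; [] means it passes."""
    problems: list[str] = []
    root = ET.fromstring(xml_text)
    # 1. Destination must be this SP's ACS URL.
    if root.get("Destination") != acs_url:
        problems.append(f"Destination {root.get('Destination')!r} != ACS URL {acs_url!r}")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return problems + ["response carries no Assertion"]
    # 2. Audience must name this SP's entity ID.
    audiences = [a.text for a in assertion.findall(".//saml:Audience", NS)]
    if sp_entity_id not in audiences:
        problems.append(f"Audience {audiences} does not include entity ID {sp_entity_id!r}")
    # 3. NameID must be present in the format the SP was configured to expect.
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != EMAIL_FORMAT:
        problems.append("NameID missing or not in emailAddress format")
    # 4. Validity window, with a small tolerance for clock skew between IdP and SP.
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        problems.append("assertion has no Conditions element")
    else:
        not_before, not_on_or_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if not_before and now + skew < _utc(not_before):
            problems.append("assertion not yet valid: SP clock behind the IdP?")
        if not_on_or_after and now - skew >= _utc(not_on_or_after):
            problems.append("assertion expired: SP clock ahead of the IdP, or a replay")
    return problems


def extract_identity(xml_text: str, user_attribute: str | None = None,
                     group_attribute: str = "groups") -> dict:
    """Mirror the two mapping settings: the IdP-side identifier is either the
    NameID or a named attribute; group membership comes from a named attribute."""
    assertion = ET.fromstring(xml_text).find("saml:Assertion", NS)
    attrs: dict[str, list[str]] = {}
    for attr in assertion.findall(".//saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
    if user_attribute is None:
        subject = assertion.find("saml:Subject/saml:NameID", NS).text
    else:
        subject = (attrs.get(user_attribute) or [None])[0]
    return {"subject": subject, "groups": attrs.get(group_attribute, [])}


def map_user(identity: dict, jamf_accounts: dict[str, str], jamf_mapping: str) -> str | None:
    """Match the IdP subject against Jamf Pro accounts ({username: email}) by
    username or by email. The comparison is case-insensitive in this example;
    the page's "Username/Email Mismatches" caveat is exactly this step failing."""
    subject = (identity["subject"] or "").lower()
    for username, email in jamf_accounts.items():
        candidate = username if jamf_mapping == "username" else email
        if candidate.lower() == subject:
            return username
    return None


if __name__ == "__main__":
    print(check_response(SAMPLE_RESPONSE, SP_ENTITY_ID, ACS_URL, SAMPLE_NOW))
    ident = extract_identity(SAMPLE_RESPONSE)
    print(ident, map_user(ident, {"jdoe": "jane.doe@example.com"}, "email"))
```

The four checks in check_response are the four items under the Settings SAML SSO troubleshooting list later on this page; each message names which side (IdP configuration or SP clock) to fix. Pass a wrong ACS URL or a clock ten minutes off to see the corresponding failure.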
Comparing the Two SSO Methods
| Feature | Jamf Account SSO | Settings SAML SSO |
|---|---|---|
| Configuration Location | account.jamf.com | Jamf Pro Settings |
| Scope | Jamf Account services | Jamf Pro instance only |
| Authentication Target | Jamf Account portal | Jamf Pro console |
| Required For | Compliance Benchmarks, Jamf Security Cloud | N/A (optional) |
| User Impact | Jamf Account login | Jamf Pro console login |
| Protocol | SAML 2.0, OIDC | SAML 2.0 |
| IdP Integration | Per organization | Per Jamf Pro instance |
| Local Login Fallback | Configurable | Configurable (bypass) |
When to Use Each
Use Jamf Account SSO when:
- You need Compliance Benchmarks functionality
- You’re using Jamf Security Cloud features
- You want centralized authentication across Jamf products
- Your organization has multiple Jamf products
Use Settings SAML SSO when:
- You want to enforce SSO for Jamf Pro console access
- You need to integrate with your existing IdP for daily operations
- You want to remove local password login from the Jamf Pro console (the APIs still use Jamf Pro credentials or API clients, so those secrets remain to manage)
- You want access decided by IdP group membership mapped to Jamf Pro groups rather than by individually maintained local accounts
Running Both SSO Methods Simultaneously
Is It Possible?
Yes, you can have both Jamf Account SSO and Settings SAML SSO configured simultaneously. They operate at different levels and serve different purposes.
How They Interact
When both are enabled:
Jamf Account SSO authenticates users when they access:
- account.jamf.com
- Compliance Benchmarks features
- Jamf Security Cloud integrations
- Other Jamf Account-level services
Settings SAML SSO authenticates users when they:
- Access the Jamf Pro console directly
- Navigate to your-instance.jamfcloud.com
- Sign in to Self Service for macOS or user-initiated enrollment, if those SSO options are also enabled
Settings SAML SSO does not cover the Classic API or the Jamf Pro API: API callers still authenticate with Jamf Pro account credentials or API client credentials regardless of this setting, so those credentials stay in scope for rotation and review.
Consequences and Considerations
Authentication Flow
With both SSO methods enabled, users may experience two authentication flows:
- Accessing Jamf Pro directly: User is redirected to Settings SAML SSO IdP
- Accessing Jamf Account features: User is redirected to Jamf Account SSO IdP
If both are configured to use the same IdP, the experience is seamless (SSO session may be shared). If different IdPs are used, users authenticate separately for each.
Configuration Considerations
Using the Same Identity Provider:
Recommended Setup:
├── Jamf Account SSO → Okta (IdP)
└── Settings SAML SSO → Okta (IdP - same)
Benefits:
- Single authentication source
- Shared SSO sessions (user authenticates once)
- Consistent user experience
- Simplified IdP management
Using Different Identity Providers:
Alternative Setup:
├── Jamf Account SSO → Azure AD
└── Settings SAML SSO → Okta
Consequences:
- Users may need to authenticate twice
- Different group memberships per IdP
- More complex troubleshooting
- Potential user confusion
User Provisioning
| Scenario | Jamf Account SSO | Settings SAML SSO |
|---|---|---|
| User Creation | Via Jamf Account invitation | Pre-created Jamf Pro account, or membership in an IdP group mapped to a Jamf Pro group |
| Group Mapping | Jamf Account groups | Jamf Pro groups matched via the group attribute |
| Permissions | Jamf Account roles | Jamf Pro privilege sets on the matched account or group |
| Deprovisioning | Jamf Account user removal | Remove the user from the IdP app and also delete or disable the Jamf Pro account, which otherwise remains usable through the failover login or the API |
Potential Conflicts
Be aware of these potential issues:
- Username/Email Mismatches: Ensure the same email/username is used in both IdPs
- Session Management: Different session timeouts may cause unexpected logouts
- Group Synchronization: IdP group memberships may differ between configurations
- Audit Trail: Authentication logs exist in multiple locations
Best Practices for Dual SSO
- Use the Same IdP: Configure both SSO methods to use the same identity provider
- Consistent Attribute Mapping: Use identical attribute mappings for email, name, etc.
- Document Configuration: Maintain documentation of both SSO setups
- Test Thoroughly: Verify both authentication flows before enabling
- Communicate Changes: Inform users about the authentication experience
- Monitor Logs: Review authentication logs in both Jamf Pro and Jamf Account
Implementation Example
Here’s a practical example of implementing both SSO methods with Okta:
Okta Configuration
App 1: Jamf Account
App Name: Jamf Account SSO
Type: SAML 2.0
SSO URL: https://account.jamf.com/saml/SSO
Entity ID: https://account.jamf.com/saml/metadata
Groups: jamf-admins, jamf-users
App 2: Jamf Pro
App Name: Jamf Pro SSO
Type: SAML 2.0
SSO URL: https://your-instance.jamfcloud.com/saml/SSO
Entity ID: https://your-instance.jamfcloud.com/saml/metadata
Groups: jamf-pro-admins, jamf-pro-read-only
User Assignment
Assign users to both Okta apps:
- Users who need Compliance Benchmarks → Assign to both apps
- Users who only need Jamf Pro access → Assign to Jamf Pro app only
- Administrators → Assign to both apps with appropriate groups
Troubleshooting Common Issues
Jamf Account SSO Issues
Issue: Cannot access Compliance Benchmarks
Solution:
1. Verify Jamf Account SSO is properly configured
2. Check that user has appropriate Jamf Account role
3. Confirm IdP is correctly sending required attributes
Issue: SSO login fails at Jamf Account
Solution:
1. Verify IdP metadata is current
2. Check X.509 certificate hasn't expired
3. Confirm attribute mapping matches IdP configuration
4. Test with IdP-initiated login
Settings SAML SSO Issues
Issue: Users redirected to SSO but get error
Solution:
1. Check ACS URL matches IdP configuration
2. Verify Entity ID matches on both sides
3. Ensure Name ID format is consistent
4. Check for clock skew between servers
Issue: User authenticated but no Jamf Pro access
Solution:
1. Verify a Jamf Pro account exists for the user, or that the user belongs to an IdP group mapped to a Jamf Pro group
2. Check username/email mapping matches Jamf Pro user
3. Confirm privilege set assignment
4. Review SSO logs in Jamf Pro
Dual SSO Issues
Issue: Different users created in Jamf Pro and Jamf Account
Solution:
1. Ensure the identifier (email or username) is identical in both IdP apps, including case and domain
2. Correct the identifier on the existing Jamf Pro account or Jamf Account user rather than creating a second account
3. Prefer an identifier the IdP never reassigns; if email is used, confirm addresses are not recycled to new people
Issue: Users confused by multiple login prompts
Solution:
1. Configure both SSO methods with the same IdP so the second app reuses the existing IdP session
2. Align session lifetimes in the IdP with the Jamf Pro token expiration setting
3. Document the expected user flow
4. Consider deep links that go directly to the intended destination
Security Considerations
Jamf Account SSO Security
- Protects access to organization-level Jamf services
- Controls who can access billing, licensing, and product configuration
- Enables audit logging of Jamf Account access
Settings SAML SSO Security
- Removes local password login from the Jamf Pro console (unless the bypass option is enabled; API credentials are unaffected)
- Enables MFA through IdP integration
- Provides detailed authentication logging
- Supports conditional access policies via IdP
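A quick way to keep these benefits real is to audit the saved SSO settings rather than the login page. The following Python is an added example, not Jamf code: it takes the SSO settings as a dictionary and flags the bypass (failover) login, disabled token expiration, email-based matching, a missing group attribute, a non-HTTPS IdP URL and an entity ID that does not belong to the instance. The two dictionaries are constructed samples, and their field names are an assumption modelled on the SSO settings resource of the Jamf Pro API (GET /api/v2/sso); check them against your instance's own API documentation at /api/doc before feeding the function live output.

```python
"""Audit Jamf Pro SSO settings for the weak options called out on this page.

Added example, not Jamf code. The dicts below are constructed samples; the
field names are an assumption modelled on the SSO settings resource of the
Jamf Pro API (GET /api/v2/sso) and must be checked against the instance's
own API documentation (/api/doc) before the audit is pointed at live data.
"""
from __future__ import annotations

from urllib.parse import urlparse

INSTANCE_URL = "https://your-instance.jamfcloud.com"  # placeholder host from the page

# Constructed sample 1: a configuration that works but leaves gaps open.
WEAK_SSO_SETTINGS = {
    "ssoEnabled": True,
    "ssoBypassAllowed": True,          # ?failover URL accepts local passwords
    "tokenExpirationDisabled": True,   # SAML token / session never expires
    "userMapping": "EMAIL",            # match IdP subject to the account's email
    "userAttributeEnabled": False,     # i.e. use the NameID
    "groupAttributeName": "",          # no group mapping: per-user accounts only
    "idpUrl": "http://idp.example.com/app/saml/sso",
    "entityId": "https://old-instance.jamfcloud.com/saml/metadata",
}

# Constructed sample 2: the same fields with the hardened values.
HARDENED_SSO_SETTINGS = {
    "ssoEnabled": True,
    "ssoBypassAllowed": False,
    "tokenExpirationDisabled": False,
    "userMapping": "USERNAME",
    "userAttributeEnabled": True,
    "userAttributeName": "uid",
    "groupAttributeName": "groups",
    "idpUrl": "https://idp.example.com/app/saml/sso",
    "entityId": "https://your-instance.jamfcloud.com/saml/metadata",
}


def audit_sso(settings: dict, instance_url: str) -> list[tuple[str, str]]:
    """Return (severity, finding) pairs; an empty list means nothing to fix."""
    findings: list[tuple[str, str]] = []
    base = instance_url.rstrip("/")

    if not settings.get("ssoEnabled"):
        findings.append(("high", "SSO is off: the console accepts local Jamf Pro passwords"))
    if settings.get("ssoBypassAllowed"):
        findings.append(("high", f"bypass allowed: {base}/?failover still accepts local "
                                 "passwords; disable it, or reserve it for audited break-glass accounts"))
    if settings.get("tokenExpirationDisabled"):
        findings.append(("medium", "SAML token expiration disabled: sessions outlive IdP policy"))
    if settings.get("userMapping", "").upper() == "EMAIL":
        findings.append(("low", "accounts matched by email: confirm the IdP never reassigns "
                                "addresses, otherwise a recycled address inherits the old account"))
    if not settings.get("groupAttributeName"):
        findings.append(("info", "no group attribute: access depends on individually created "
                                 "Jamf Pro accounts, so deprovisioning is a manual step"))
    idp_url = settings.get("idpUrl", "")
    if urlparse(idp_url).scheme != "https":
        findings.append(("high", f"IdP SSO URL {idp_url!r} is not https"))
    expected_entity = f"{base}/saml/metadata"
    if settings.get("entityId") != expected_entity:
        findings.append(("high", f"entity ID {settings.get('entityId')!r} != {expected_entity!r}; "
                                 "the IdP's audience restriction will not match this instance"))
    return findings


if __name__ == "__main__":
    for severity, message in audit_sso(WEAK_SSO_SETTINGS, INSTANCE_URL):
        print(f"[{severity}] {message}")
```

The bypass finding is the one to act on first: the failover login is the path that skips the IdP's MFA and conditional access entirely, and a local account left behind after an IdP deprovisioning still works through it.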
Combined Security Benefits
When both are enabled:
- Consistent policy: the same IdP MFA and conditional access rules gate both the Jamf Pro console and Jamf Account
- Centralized control: disabling a user in the IdP cuts off both, provided no local Jamf Pro account, failover login or API client remains for that person
- Comprehensive logging: authentication events are captured in the IdP, in Jamf Pro and in Jamf Account
This is not defense in depth in the usual sense: the two configurations protect two different boundaries, and both still depend on the same IdP and its MFA.
Recommendations
For Organizations New to Jamf
- Start with Settings SAML SSO for daily Jamf Pro operations
- Add Jamf Account SSO when enabling features like Compliance Benchmarks
- Use the same IdP for both to simplify management
For Organizations with Existing SAML SSO
If you already have Settings SAML SSO configured:
- Adding Jamf Account SSO will not disrupt existing authentication
- Users continue to access Jamf Pro through existing SSO
- Jamf Account SSO enables additional features without changing Jamf Pro access
For Multi-Product Jamf Environments
Organizations using multiple Jamf products (Jamf Pro, Jamf Protect, Jamf Connect):
- Jamf Account SSO provides unified authentication
- Settings SAML SSO remains specific to each Jamf Pro instance
- Consider consolidating on Jamf Account SSO for consistency
Conclusion
Jamf’s two SSO methods serve complementary purposes:
- Jamf Account SSO is required for advanced features like Compliance Benchmarks and provides organization-level authentication for Jamf Account services
- Settings SAML SSO enforces SSO authentication for the Jamf Pro console and integrates with your existing identity infrastructure
You can safely implement both SSO methods, and doing so is often necessary to take full advantage of Jamf’s feature set while maintaining strong authentication controls for your Jamf Pro environment.
Key Takeaways:
- Jamf Account SSO is required for Compliance Benchmarks - configure it at account.jamf.com
- Settings SAML SSO enforces SSO for Jamf Pro console access - configure it in Jamf Pro Settings
- Both can coexist and serve different authentication needs
- Using the same IdP for both provides the best user experience
- Proper attribute mapping and user provisioning are critical for both methods
Next Steps
- Evaluate your feature requirements (do you need Compliance Benchmarks?)
- Review your current SSO configuration in Jamf Pro Settings
- If needed, configure Jamf Account SSO at account.jamf.com
- Use the same IdP for both configurations when possible
- Test both authentication flows before enabling broadly
- Document your configuration and communicate changes to users