What is SSO and How Does it Work?
Over the last 20 years, applications have become the primary way to get work done, create content, communicate, and execute a plethora of tasks quickly and effectively. As applications modernized, they moved away from locally installed versions to cloud-hosted models. Popular apps such as Microsoft Office started as an installable application suite that hastily migrated to the cloud, becoming the familiar platform we see today.
Single Sign On (SSO) is an authentication concept that started in the early 2000s with the first stages of cloud-based applications and resources. SSO allows for secure and seamless authentication to a wide variety of apps from a centralized location with a single credential or identity. SAML was one of the many early protocols that became a standard still widely used today.
By consolidating application access management into a single platform, admins can provision user accounts, attributes, and information through protocols such as SAML with Just-in-Time (JIT) provisioning or SCIM (System for Cross-domain Identity Management). These methods allow admins to centrally create and provision user accounts in the wide variety of applications users need when onboarding with the company.
Instead of requiring users to remember dozens of passwords, SSO enables the use of a single credential for multiple applications. By implementing an SSO solution, you secure your environment and access to resources through strong, secure protocols, group-based access, and additional layers such as multi-factor authentication (MFA) or conditional access.
JumpCloud’s Directory-as-a-Service platform provides consolidated management of user identities, credentials, security policies, and SSO applications. Users can access all of their SSO Applications, Bookmarks, and account information in a single portal. Connect to more than 700 (and growing) applications, or customize and create your own connector using SAML.
What are the Benefits of Single Sign On?
Consolidation of authentication allows companies to secure, manage, and provision user accounts in a single pane of glass. This makes it easier for admins to manage user access to applications while allowing users to navigate to a portal where they’re able to log into any application with a single credential. Security and usability have usually had an inverse relationship over the past decade, but with the introduction of newer technology solutions, this is no longer the case.
Does SSO Improve Security?
For most companies, the benefit of increasing security without sacrificing simplicity is one of the major reasons to implement an SSO solution. Users only have to remember one strong, secure credential in order to access any of the applications they’ve been granted permission to. In tandem with enabling MFA, access to applications is guarded by what users know (their password) and what they have (their phone with TOTP and/or Duo®, or WebAuthn biometric scanner). Paired with a secure chain of trust between the application vendor and the Identity Provider (IdP), this creates a secure and easy-to-use method for authenticating to any connected applications.
A compromised password doesn’t have to immediately mean a compromise. With SSO, the protocol takes great pains to ensure that the right people have the right access levels. For end users, this can mean productive work without the hassle of remembering lots of different passwords.
How Do I Enable SSO?
JumpCloud has more than 700 pre-made, business-focused SSO application connectors (and counting) within its catalog. Search for the SSO application that your users need access to and configure the fields per the associated knowledge base article linked at the bottom of the connector.
In order to integrate your applications and JumpCloud, you’ll need to create the secure chain of trust between the application service provider (SP) and JumpCloud as the IdP. Each application is slightly different, but the general premise is the same. The SP will point to JumpCloud as the IdP where all authentication requests to the application will then route through JumpCloud’s SSO platform.
Once the application connector has been configured, you can bind your organization’s user groups to the newly configured application. With group-based access control, admins can specify which users have access to which applications, helping meet security and compliance requirements.
Users can then log into the JumpCloud User Portal to access any of the applications that have been associated with their bound user groups.
Can I Provision Applications to Users by Group or Role?
Another added benefit to leveraging a consolidated SSO platform is the ability to provision users to the application through either SAML 2.0 with Just-in-Time or SCIM.
JumpCloud has a variety of applications that support JIT and is currently developing more applications that allow for SCIM integrations. In order to leverage these features, the application service provider must also support one of these two protocols. You can see a list of JumpCloud’s current SAML applications and JIT-supported applications here.
When an application is configured for either SCIM or JIT, admins can bind the user groups that need access to the application. The users within those groups are then provisioned to the application if they didn’t previously exist (or, in the case of JIT, are provisioned when they access the application). Any new user added to the associated user group will also be provisioned to the application and be granted access. When a user is disabled from the group, so is their access to the applications authorized to that particular group.
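The group-bound provisioning described above can be sketched as a reconciliation step that compares group membership with the accounts that exist in the application and emits SCIM 2.0 (RFC 7644) requests. This is an added example, not JumpCloud's code: the group names, user names and ids are constructed, and revoking access by setting the SCIM "active" attribute to false (rather than deleting the account) is an assumption.

```python
# Added illustration: plans SCIM 2.0 (RFC 7644) requests from group bindings.
# All group names, user names and ids below are constructed sample data.
import json

USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"

def desired_users(bound_groups, group_members):
    """Everyone in at least one group bound to the application."""
    return set().union(*(group_members.get(g, set()) for g in bound_groups))

def set_active(value):
    """SCIM PatchOp body that flips the 'active' attribute."""
    return {"schemas": [PATCH_SCHEMA],
            "Operations": [{"op": "replace", "path": "active", "value": value}]}

def plan_requests(bound_groups, group_members, app_accounts):
    """Return (method, path, body) tuples that reconcile the app with the bindings.

    app_accounts: userName -> {"id": SP-side resource id, "active": bool}.
    Assumption: access is revoked by deactivating, not deleting, the account.
    """
    wanted = desired_users(bound_groups, group_members)
    plan = []
    for name in sorted(wanted):
        acct = app_accounts.get(name)
        if acct is None:                      # never provisioned: create
            plan.append(("POST", "/Users", {"schemas": [USER_SCHEMA],
                                            "userName": name, "active": True}))
        elif not acct["active"]:              # re-added to a bound group: re-enable
            plan.append(("PATCH", f"/Users/{acct['id']}", set_active(True)))
    for name in sorted(set(app_accounts) - wanted):
        acct = app_accounts[name]
        if acct["active"]:                    # in no bound group any more: revoke
            plan.append(("PATCH", f"/Users/{acct['id']}", set_active(False)))
    return plan

GROUP_MEMBERS = {"engineering": {"alice", "bob"},
                 "contractors": {"bob", "carol"},
                 "sales": {"dave"}}
BOUND_GROUPS = ["engineering", "contractors"]   # groups bound to the application
APP_ACCOUNTS = {"alice": {"id": "u1", "active": True},
                "carol": {"id": "u3", "active": False},
                "dave": {"id": "u4", "active": True},
                "erin": {"id": "u5", "active": False}}

if __name__ == "__main__":
    for method, path, body in plan_requests(BOUND_GROUPS, GROUP_MEMBERS, APP_ACCOUNTS):
        print(method, path, json.dumps(body))
```

A user who belongs to two bound groups keeps access until removed from both, and accounts that are already in the desired state produce no request, so the plan can be re-run safely.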
How to Implement SSO Using SAML
Each application service provider will have different configurations and requirements before a secure chain-of-trust can be established with the identity provider. SAML is an authentication protocol backed by SSL certificates, meaning that both parties need to trust each other using a private-public key pair. This all can sound fairly complicated if you’re new to SAML and SSO configurations, but luckily with JumpCloud, this process is very simple to configure and easier to manage.
JumpCloud’s pre-built SSO connectors have an associated Knowledge Base article with step-by-step directions covering both the JumpCloud configuration and the service provider’s configuration. JumpCloud’s SSO platform can automatically generate the appropriate certificates and metadata to create a trusted connection. This way, even admins new to the SSO world can quickly spin up connectors and stand up a secure SSO environment within minutes.
Does SSO Work with Active Directory® (AD)?
As SSO protocols like SAML were being developed and widely adopted, Microsoft created their own SSO service that integrated AD with web applications. Released as an additional package for Windows Server 2003 R2, Active Directory Federation Services (ADFS) allowed admins to integrate their on-premise domains to web applications. Although ADFS had solved some of the issues admins had encountered with newer developments in the SSO application space, it was confusing to set up, difficult to manage, and wasn’t as dynamic as other platforms on the market. This gap ultimately enabled a whole group of point-solution SSO providers to emerge and gain market share.
ADFS is still around today in environments running AD, but there are better options for managing identities between on-premise AD domains and cloud apps. In fact, Microsoft has largely made ADFS obsolete with their focus on Azure Active Directory.
Third-party SSO solutions that connect to AD, such as JumpCloud, can integrate both resources (IdP and web apps); JumpCloud does this with its Active Directory Integration (ADI). Admins simply connect their current AD domain to JumpCloud, extending on-premise identities to popular SSO applications such as Salesforce, GitHub®, Atlassian Cloud®, Slack®, and many more.
JumpCloud consolidates provisioning, management, and access to SSO apps and Active Directory identities. Admins no longer have to log into their on-premise domain controllers or log into each SSO app to provision or manage user accounts. With JumpCloud, admins have one portal where they can manage their entire organization.
How to Configure Custom Attributes for SSO
With some applications, configuring custom attributes might be necessary to control or provide granular information to the service provider. JumpCloud gives admins the flexibility and control to add as many custom attributes as necessary for any SSO application used by their organization. Configure custom attributes for the application by adding another attribute to the application connector’s configuration and pairing it with the corresponding service provider user attribute. This level of detail enables your end users to fully leverage their applications.
Try JumpCloud SSO for Free
SSO is most powerful when integrated with the core identity provider in order to access all of your IT resources. We call that True Single Sign-On™. For users, that means a single identity that grants them access to the resources they need to do their jobs including systems, applications, files, and networks, whether on-prem or in the cloud regardless of vendor. For admins, it means better security, fewer password reset requests, and a centralized way to manage access. For end users, it is higher productivity and less friction when doing their jobs. Try JumpCloud Directory-as-a-Service for True Single Sign-On™ by clicking here to get started today.