Use JumpCloud SAML Single Sign On (SSO) to give your users convenient but secure access to all their web applications with a single set of credentials. Read this article to learn the general steps you need to take to connect applications to JumpCloud with pre-built connectors.
Read the SAML Configuration Notes KB before you start configuring the connector.
Considerations:
- Service providers can differ in their behavior, especially when it comes to existing user accounts. Make sure you understand all of the steps you need to take on the SP side for SSO and JIT provisioning.
- See SAML SSO Troubleshooting if a SAML/SSO connector isn't working.
- In some rare cases, the service provider (SP) will require the fingerprint of the identity provider (IdP) signing certificate. To obtain it, run the following command in a terminal, replacing /<filelocation>/certificate.pem with the path and file name of your certificate; the output is the colon-separated SHA-256 fingerprint:
openssl x509 -sha256 -in /<filelocation>/certificate.pem -noout -fingerprint
Creating a new JumpCloud Application Integration
- Log in to the JumpCloud Admin Portal.
- Go to USER AUTHENTICATION > SSO Applications.
- Click + Add New Application.
- Type the name of the application in the Search field and select it.
- Click Next.
- In the Display Label, type the name you want shown for the application. Optionally, you can enter a Description, adjust the User Portal Image, and choose to hide or Show in User Portal.
If this is a Bookmark Application, enter your sign-in URL in the Bookmark URL field.
- Optionally, expand Advanced Settings to specify a value for the SSO IdP URL. If no value is entered, it will default to https://sso.jumpcloud.com/saml2/<applicationname>.
The SSO IdP URL is not editable after the application is created. You will have to delete and recreate the connector if you need to edit this field at a later time.
- Click Save Application.
- If successful, click:
- Configure Application and go to the next section
- Close to configure your new application at a later time
To gather information from the Service Provider
- Find out if metadata is available from the service provider. If metadata is available, download it so that you can use it to configure the connector in JumpCloud.
- If the service provider requires it, enable SAML functionality.
- Keep the service provider information handy when you start configuring the SSO connector in JumpCloud.
To find and configure the JumpCloud application connector
- Select the SSO tab.
- Click Upload Metadata under Service Provider Metadata. To manually populate connector field data, see SSO Application Connector Fields.
- Add any additional ACS URLs. Multiple URLs are supported.
- Add additional User, Constant, or Group attributes if you’d like to. Refer to SAML Attribute Notes for more information.
Enabling/disabling this option affects all users.
- Click Save.
- Open the application, select the SSO tab and then click Export Metadata under JumpCloud Metadata.
Configuring the Service Provider Connector
- Upload JumpCloud’s metadata file to the service provider. This populates the SAML attributes in the service provider.
- Change any other service provider settings as needed.
- Save the configuration settings.
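Before uploading a service provider's metadata to JumpCloud, or handing the exported JumpCloud metadata to the service provider, it is worth checking what the file actually contains: the entity ID, every ACS URL (since the connector accepts more than one), the IdP sign-on URL, and the fingerprint of the signing certificate that some providers ask for. The script below is an added example written for this article; it is not JumpCloud code and does not use any JumpCloud API. The two metadata documents, the entity IDs and URLs, the application name "exampleapp", and the certificate bytes are all constructed so it runs offline; the function names are the author's own. The fingerprint is computed the same way the openssl command above does it, over the DER bytes rather than the PEM text, so header lines and line wrapping do not change the result.

```python
"""Sanity-check SAML metadata before exchanging it between JumpCloud and an SP.

Added example for this article, not JumpCloud code. Every certificate, entity ID
and URL below is constructed so the script runs offline.
"""
import base64
import hashlib
import re
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed stand-in for the DER bytes of an IdP signing certificate.
FAKE_DER = b"constructed placeholder bytes, not a real X.509 certificate"
FAKE_CERT_B64 = base64.b64encode(FAKE_DER).decode()

# Constructed IdP metadata in the general shape of an exported IdP document;
# "exampleapp" is a placeholder application name.
IDP_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://sso.jumpcloud.com/saml2/exampleapp">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{FAKE_CERT_B64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://sso.jumpcloud.com/saml2/exampleapp"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed SP metadata with two ACS URLs; the second is deliberately plain
# http so the endpoint check below has something to flag.
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.com/saml/metadata">
  <md:SPSSODescriptor WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.com/saml/acs" index="0" isDefault="true"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://sp.example.com/saml/acs-legacy" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def certificate_fingerprint(pem_or_b64: str) -> str:
    """Return the SHA-256 fingerprint in the colon-separated form openssl prints.

    The digest covers the DER bytes (the base64-decoded body), not the PEM text,
    so BEGIN/END lines, line wrapping and line endings do not affect it.
    """
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", pem_or_b64)
    der = base64.b64decode("".join(body.split()))
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def summarize_metadata(xml_text: str) -> dict:
    """Extract the values you will type or verify on the other side of the exchange."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("not a SAML 2.0 EntityDescriptor")
    summary = {
        "entity_id": root.get("entityID"),
        "acs_urls": [],              # SP side: where JumpCloud will POST assertions
        "sso_urls": [],              # IdP side: the SSO IdP URL the SP redirects to
        "signing_fingerprints": [],  # what an SP asking for a fingerprint expects
    }
    for acs in root.findall("md:SPSSODescriptor/md:AssertionConsumerService", NS):
        summary["acs_urls"].append(acs.get("Location"))
    for sso in root.findall("md:IDPSSODescriptor/md:SingleSignOnService", NS):
        summary["sso_urls"].append(sso.get("Location"))
    for kd in root.findall(".//md:KeyDescriptor", NS):
        if kd.get("use") in (None, "signing"):  # no "use" means signing and encryption
            for cert in kd.findall(".//ds:X509Certificate", NS):
                summary["signing_fingerprints"].append(certificate_fingerprint(cert.text))
    return summary


def insecure_endpoints(summary: dict) -> list:
    """List ACS and SSO URLs not served over HTTPS.

    Assertions are POSTed to the ACS URL, so a plain-http entry would carry them
    in cleartext; fix it on the SP side before uploading the metadata.
    """
    urls = summary["acs_urls"] + summary["sso_urls"]
    return [u for u in urls if not (u or "").lower().startswith("https://")]


if __name__ == "__main__":
    for label, doc in (("SP", SP_METADATA), ("IdP", IDP_METADATA)):
        summary = summarize_metadata(doc)
        print(label, summary)
        print("  non-https endpoints:", insecure_endpoints(summary))
```

Run it against a real metadata file by reading the file into a string and passing it to summarize_metadata; compare the printed ACS URLs with what you entered in the connector, and the signing fingerprint with the one the SP shows after you upload the JumpCloud metadata.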