SAML Configuration Notes

Use JumpCloud SAML Single Sign On (SSO) to give your users convenient but secure access to all their web applications with a single set of credentials. When you connect a SAML SSO application to JumpCloud, here are a few notes you need to take into consideration before and after you configure an SSO connector. 

Pre Configuration

Customizing Display Options

• You can customize application display options. You can use the default service provider logo, use the Color Indicator, or upload a custom logo. Learn how to customize display options.

Using Certificates

• A public certificate and private key pair are required to successfully connect applications with JumpCloud. After you activate an application, we automatically generate a public certificate and private key pair for you. You can use this pair or upload your own.
  • Learn how to generate a public certificate and private key pair and manage them.
• JumpCloud SAML SSO connectors support SHA-256 certificates by default. Although JumpCloud supports SHA-1 certificates, if the service provider supports it, we recommend using SHA-256 for stronger security. 

Exporting JumpCloud Metadata

• When you configure SAML applications, you have two options to export JumpCloud metadata and upload it to the service provider.
  • Export a JumpCloud metadata file.
    • From Applications, select the option next to the application name, click export metadata in the top right corner, save the file, then upload the metadata file to the service provider.
    • From the Application’s Details Panel, select the SSO tab, then click Export Metadata under JumpCloud Metadata.
  • Copy the Metadata URL.
    • From the Application’s Details Panel, select the SSO tab, then click Copy Metadata URL. This will copy the URL to the clipboard.

Configuring Attributes

• Though they aren’t required, you can add supplemental user, constant, and group attributes in the SAML 2.0 Connector and in pre-built connectors that may be used to support functionality like provisioning. Make sure the attributes are supported by the service provider.

Connecting Applications

• You can connect SAML applications to JumpCloud by configuring one of our many pre-built SAML connectors or by configuring our SAML 2.0 connector.
  • See JumpCloud's Integration Catalog. 
  • Learn how to configure JumpCloud's SAML 2.0 custom connector or prebuilt connectors.

Post Configuration

Troubleshooting

• See SAML SSO Troubleshooting if a SAML SSO connector isn't working. 

Authorizing Users

• Users are implicitly denied access to applications. After you connect an application to JumpCloud, you must authorize user access to that application.

Provisioning Users

• You can use Just-In-Time provisioning with the SAML 2.0 Connector and some of our pre-built connectors. This reduces the steps in provisioning users to SAML applications.

Managing User Portal Session Duration

• You can configure the User Portal Session Duration for your organization. This affects how often users have to log in to their User Portal and applications.

Deleting or Deactivating a SAML SSO Application

• Deactivate a SAML SSO application and temporarily suspend user access to an application.
• Delete a SAML SSO application and permanently remove it from the User Portal and Admin Portal.

Using Conditional Access Policies with Applications

• Add an extra layer of security when users access applications. You can restrict or deny access based on conditions that you set. For example, after a user logs in to the User Portal, require Multi-factor Authentication when they access certain applications or deny access when they access an application from an unapproved network. Learn more in Get Started: Conditional Access Policies.