Use JumpCloud SAML Single Sign On (SSO) to give your users convenient but secure access to all their web applications with a single set of credentials. Read this article to learn how to configure the Custom SAML 2.0 Application Connector.
Read the SAML Configuration Notes before you start configuring this connector.
If you don’t see a connector for an application that your organization uses, you can connect it to JumpCloud with the SAML 2.0 Connector. Also known as the Custom SAML App, this connector can be used with any application that supports SAML-based SSO. Be aware that you need in-depth knowledge of the service provider’s SAML compatibility and requirements to use the SAML 2.0 connector.
Prerequisites
- A public certificate and private key pair are required to successfully connect applications with JumpCloud. After you activate an application, we automatically generate a public certificate and private key pair for you. You can use this pair or upload your own.
- Service providers can differ in their behavior, especially when it comes to existing user accounts. Make sure you understand all of the steps you need to take on the SP side for SSO and JIT provisioning.
Configuring the SAML 2.0 Connector
To gather information from the Service Provider (SP)
- Find out if metadata is available from the SP. If metadata is available, download it so that you can use it to configure the connector in JumpCloud.
- Determine the attributes that are required for SAML/SSO.
- If the SP requires it, enable SAML functionality.
- Keep the SP information handy when you start configuring the SSO connector in JumpCloud.
To configure JumpCloud
- Log in to the JumpCloud Admin Portal.
- Go to User Authentication > SSO Applications.
- Click + Add New Application and click Select on the Custom Application tile.
- Click Next and then select Manage Single Sign-On (SSO).
- Select either Configure SSO with SAML or Configure SSO with OIDC.
- Click Next.
- In Display Label, type a name for the application. Optionally, you can enter a Description, adjust the User Portal Image, and choose whether to Show in User Portal.
- Click Save Application then Configure Application.
- Select the SSO tab.
- You can populate the required connector fields for an SP application by either:
  - Clicking the Upload Metadata button. Note where the file is downloaded and then upload it to the SP.
  - Taking a screenshot of the window and using it to populate the connector fields manually. See SSO Application Fields.
- Add any additional ACS URLs.
- By default, the SAMLSubject’s NameID is email, but it can be changed to username, firstname, lastname, or description. Only change this value if the SP requires a NameID other than email.
- SAMLSubject NameID Format is the format that will be sent for the SAMLSubject’s NameID. Only change this value if the SP requires a specific NameID format.
- By default, the Signature Algorithm is RSA-SHA256. If necessary, it can be changed to RSA-SHA1.
- By default, SAML authentication responses are signed. For additional security, you can choose to sign SAML authentication assertions instead, or to sign both SAML authentication responses and assertions.
- Add any additional User, Constant, or Group attributes that are required for SAML/SSO. If you’d like, you can add more than what is required, but make sure the SP supports them.
- Click Activate to save and activate the connector. After the application is activated, a public certificate and private key pair are generated for it.
- Download the certificate if you need to upload it to the SP.
- Open the application and click Export Metadata or Copy Metadata URL if the SP needs metadata to complete setup.
To configure the SP
- Create the JumpCloud connector.
- Upload JumpCloud’s metadata file to the SP. This populates the SAML attributes in the SP. To export JumpCloud metadata, go to User Authentication > SSO Applications, then select the option next to the application you need to finish configuring. Click Export Metadata in the top right corner, save the file, then upload the metadata file to the SP. You can also export JumpCloud metadata by opening an application’s Details Panel: expand the Single Sign-on Configuration section, then click Export Metadata under JumpCloud Metadata.
- Follow the SP’s requirements for certificate uploads.
- Save the SP configuration settings.
Configuring JIT Provisioning
Important Considerations
- Not all SPs support JIT provisioning.
- Determine whether JIT provisioning is enabled by default in the SP or whether you need to enable it manually.
- Understand what attributes are required from the SP for JIT provisioning. You can find this information in the SP’s documentation or by reaching out to the SP’s customer success team.
To use JIT provisioning with the SAML 2.0 Connector
- Log in to the JumpCloud Admin Portal.
- Go to User Authentication > SSO Applications.
- Select a configured Custom SAML Application, or click + Add New Application to configure a new application. If you choose to configure a new application, follow the instructions in SSO Application Connector Fields first.
- Configure the required JIT attributes in JumpCloud.
- Click Save.
Group Attributes
- Groups that connect the user to the application are included in assertions to that application. The Groups Attribute Name is the SP’s name of the group attribute (e.g. memberOf).
- If the Group Attribute option is selected and the field is pre-populated with the group attribute name, we have validated that the group attribute is supported by the SP. If the Group Attribute option isn’t selected and the Groups Attribute Name field is empty, contact your SP to find out whether group attributes are supported. When you select the Group Attribute option for a connector, you must include a Groups Attribute Name; if you select this option and leave Groups Attribute Name blank, you will receive an error when you attempt to activate the connector.
- Group attributes may be used in some SPs to map roles.
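The SSO tab settings above (which element is signed, the signature algorithm, the NameID and its format) and the group attribute described in this section all show up in the SAML Response the SP receives. The following script, an added example that is not JumpCloud’s own code or tooling, parses a constructed sample response, reports those values, and flags the two choices the article steers away from (nothing signed, or RSA-SHA1 instead of the default RSA-SHA256). It inspects structure only; cryptographic verification of the signature is left to the SP’s SAML library, and the issuer, address and signature value in the sample are placeholders.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
# Algorithm URIs as written in ds:SignatureMethod (XML-DSig / RFC 4051).
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
RSA_SHA1 = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
# Constructed sample: only the Assertion is signed (RSA-SHA256), NameID is an
# email address, groups arrive as memberOf. All values are placeholders.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
 <saml:Assertion ID="_a1" Version="2.0">
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo>
   <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
  </ds:SignedInfo><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
  <saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.invalid</saml:NameID></saml:Subject>
  <saml:AttributeStatement><saml:Attribute Name="memberOf">
   <saml:AttributeValue>App Admins</saml:AttributeValue><saml:AttributeValue>Staff</saml:AttributeValue>
  </saml:Attribute></saml:AttributeStatement>
 </saml:Assertion>
</samlp:Response>"""

def signature_algorithm(elem):
    """SignatureMethod URI of the ds:Signature directly under elem; None if unsigned."""
    m = elem.find("ds:Signature/ds:SignedInfo/ds:SignatureMethod", NS)
    return m.get("Algorithm") if m is not None else None

def inspect_response(xml_text):
    """Summarise what the IdP sent: signatures, NameID and Format, attributes."""
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    # Attribute name -> list of values, e.g. {"memberOf": ["App Admins", "Staff"]}
    attrs = {a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", NS)]
             for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)}
    return {"response_sig": signature_algorithm(root),
            "assertion_sig": signature_algorithm(assertion),
            "name_id": name_id.text, "name_id_format": name_id.get("Format"),
            "attributes": attrs}

def config_problems(summary):
    """Flag an unsigned exchange or a signature made with RSA-SHA1."""
    problems = []
    if summary["response_sig"] is None and summary["assertion_sig"] is None:
        problems.append("neither the Response nor the Assertion is signed")
    problems += [f"{k} uses RSA-SHA1; RSA-SHA256 is the default"
                 for k in ("response_sig", "assertion_sig") if summary[k] == RSA_SHA1]
    return problems
```

Run `inspect_response` against a response captured from your own test login (for example from the browser’s developer tools, base64-decoded) to confirm the SP is receiving the NameID, format and group attribute you configured.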