Use JumpCloud SAML Single Sign On (SSO) to give your users convenient but secure access to all their web applications with a single set of credentials. If you don’t see a connector for an application that your organization uses, you can connect it to JumpCloud with the custom SAML 2.0 Connector. Also known as the Custom SAML App, this connector can be used with any application that supports SAML-based SSO. Be aware that you need in-depth knowledge of the Service Provider’s (SP) SAML compatibility and requirements to use the SAML 2.0 connector.
Read this article to learn how to configure the Custom SAML 2.0 Application Connector.
Read the SAML Configuration Notes before you start configuring this connector.
Prerequisites
- A JumpCloud administrator account.
- JumpCloud SSO Package or higher or SSO add-on feature.
- An account with appropriate permissions to set up SAML in the SP.
- A public certificate and private key pair are required to successfully connect applications with JumpCloud. After you activate an application, we automatically generate a public certificate and private key pair for you. You can use this pair or upload your own.
- Service providers can differ in their behavior, especially when it comes to existing user accounts. Make sure you understand all of the steps you need to take on the SP side for SSO and JIT provisioning.
Configuring the Custom SAML 2.0 Connector
To gather information from the Service Provider (SP)
- Find out if metadata is available from the SP. If metadata is available, download it so that you can use it to configure the connector in JumpCloud.
- Determine the attributes that are required for SAML/SSO.
- If the SP requires it, enable SAML functionality.
- Keep the SP information handy when you start configuring the SSO connector in JumpCloud.
To configure JumpCloud
- Log in to the JumpCloud Admin Portal.
- Go to User Authentication > SSO Applications.
- Click + Add New Application:
- Click Select on the Custom Application tile, OR
- Search for Custom SAML App
- Click Next.
If you search for and select Custom SAML app, SSO features are pre-selected.
- Select Manage Single Sign-On (SSO), select either the Configure SSO with SAML or Configure SSO with OIDC radio button and click Next.
- In the Display Label, type a name for the application. This is the name that will be shown to users in the User Portal.
- Optionally, you can enter a Description, adjust the User Portal Image and choose to hide or Show this application in User Portal. Under Advanced Settings, you can specify a value for the SSO IdP URL. If no value is entered, it will default to https://sso.jumpcloud.com/saml2/<applicationname>.
The SSO IdP URL is not editable after the application is created. You will have to delete and recreate the connector if you need to edit this field at a later time.
- Click Save Application and then Configure Application.
- You can populate required connector fields for a custom SAML application by:
- Clicking the Upload Metadata button - browse to and upload the SP metadata file.
- Manually populating connector field data. See SSO Application Fields.
- Add any additional ACS URLs.
- Click Replace SP Certificate, if necessary.
- By default, the SAMLSubject’s NameID is email, but can be changed to any of the attributes in the dropdown list, including a custom attribute.
Only change this value if the SP requires a NameID other than email.
- SAMLSubject NameID Format is the format that will be sent for the SAMLSubject's NameID. Select any of the values in the dropdown list.
Only change this value if the SP requires a specific NameID format.
- The Signature Algorithm by default is RSA-SHA256. If necessary, it can be changed to RSA-SHA1.
- By default, SAML Authentication Responses are signed. You may add additional security by choosing to sign SAML Authentication Assertions or both SAML Authentication Responses and Assertions.
- Optionally, you can add a Default Relay State.
- For SP-initiated only authentication, you must add a Login URL.
- Optionally, select Declare Redirect Endpoint.
- Add any additional User, Constant, or Group Attributes that are required for SAML/SSO. If you’d like, you can add more than what is required, but make sure the SP supports them.
- Click save to update the connector. After the application is activated, a public certificate and private key pair are generated for the application.
- Download the certificate if you need to upload it to the SP.
- Open the application and click Export Metadata or Copy Metadata URL if the SP needs metadata to complete setup.
To configure the SP
- Create the JumpCloud application in the SP.
- Upload JumpCloud’s metadata file to the SP. This populates the SAML attributes in the SP.
- Follow the SP’s requirements for certificate uploads.
- Save the SP configuration settings.
Configuring JIT Provisioning
Important Considerations
- Not all SPs support JIT provisioning.
- Determine if JIT provisioning is inherently enabled in the SP or if you need to manually enable it.
- Understand what attributes are required from the SP for JIT provisioning. You can find this information in the SP’s documentation or by reaching out to the SP’s customer success team.
To use JIT provisioning with the SAML 2.0 Connector
- Log in to the JumpCloud Admin Portal.
- Create a new application or select your Custom SAML app from the Configured Applications list.
If you select to configure a new application, follow the instructions in SSO Application Connector Fields first.
- Configure the required JIT attributes in JumpCloud.
- Click save.
Group Attributes
- Groups that connect the user to the application are included in assertions to that application. The Groups Attribute Name is the SP's name of the group attribute (e.g. memberOf).
- If the Group Attribute option is selected and the field is pre-populated with the group attribute name, that means we’ve validated that the group attribute is supported by the SP. If the group attribute option isn’t selected and the Group Attribute Name field is empty, you will need to contact your SP if group attributes are supported.
When you select the group attribute option for a connector, you must include a Groups Attribute Name. You'll receive an error when you attempt to activate the connector if you select this option and leave Groups Attribute Name blank.
- Group attributes may be used in some SPs to map roles.