{"id":84371,"date":"2023-06-05T13:11:32","date_gmt":"2023-06-05T17:11:32","guid":{"rendered":"https:\/\/jumpcloud.com\/?post_type=support&p=84371"},"modified":"2024-10-30T13:39:30","modified_gmt":"2024-10-30T17:39:30","slug":"get-started-applications-saml-sso","status":"publish","type":"support","link":"https:\/\/jumpcloud.com\/support\/get-started-applications-saml-sso","title":{"rendered":"Get Started: SAML Single Sign-on (SSO)"},"content":{"rendered":"\n

This Single Sign-On (SSO) workflow lets the JumpCloud-managed identity be asserted via the SAML protocol to an application. SAML configuration guides for each of the application service providers supported by JumpCloud can be found in the Integrations & Applications section of the JumpCloud Help Center. Find a specific SSO configuration guide by searching for an application’s name in the search bar at the top of the page.

Using SSO Applications with JumpCloud

1 – Select an App

Select an application you want to connect with JumpCloud through SAML 2.0-based SSO.

You may see some applications in the list with a Beta flag. We’re evaluating these connectors in various real-world environments so we can gather feedback to enhance their performance.

You may see some applications with a JIT Provisioning label. This signals that you can provision users to that application using Just-In-Time Provisioning.

Some applications use a shared login with the services they provide. For example, the Atlassian connector provides SSO to JIRA, Confluence, and BitBucket. When you search for these applications, the Atlassian connector shows up in the search results because that’s the connector the applications share a login with.

Tip: You can connect on-prem/legacy applications that use LDAP to JumpCloud’s LDAP services. See Use Cloud LDAP.

Note: If there isn’t a connector for an application you want to connect to JumpCloud, you can use the SAML 2.0 connector to connect that app with JumpCloud.

2 – Configure Your App

You can set various SAML configurations, with JumpCloud acting as the app’s “IdP,” or identity provider. Each application connector has explicit instructions required to establish the connection. Refer to an application’s SAML / SSO connection documentation for information on setting up your application to integrate with JumpCloud. See SSO Application Connector Fields for more information about JumpCloud’s configuration options.

Metadata

You can export metadata to populate connector attributes for applications.

To apply metadata for an application you’re connecting, click Export Metadata. Note where this is downloaded and then upload it to the service provider. If supported, you can also click Copy Metadata URL and paste it into the service provider’s configuration page.

Important: Be aware that if you upload more than one metadata file, you’ll overwrite the attribute values applied in the previously uploaded file.

3 – Connect Your App to a User Group

After you connect the application to JumpCloud, you can connect it to user groups. Members of connected groups gain access to the application through SAML. They see the application icon in the User Portal in Applications. Many service provider applications allow users to log in from their application. If users log in from the application, they are redirected to JumpCloud for SAML authentication.

JumpCloud uses the SAML 2.0 protocol as its method to assert identities with application service providers. JumpCloud is considered the identity provider, or IdP. The application is considered the service provider, or SP.

Configuring Authentication from the Application Service Provider

The service provider (SP) typically provides SAML configuration parameters to set up SSO from a compatible IdP like JumpCloud.

The following image shows Salesforce’s instructions for setting up the Marketing Cloud for SAML SSO.

Managing Employee Access to Applications

Users are implicitly denied access to all JumpCloud resources, including applications. JumpCloud admins must explicitly grant access to SSO applications through the use of user groups.

To grant access to a user group

  1. Log in to the JumpCloud Admin Portal.
  2. If you haven’t already created a user group, create a new group. See Get Started: User Groups.
  3. If the group exists, in the Admin Portal, go to User Authentication > SSO Applications.
  4. Click on the SSO application.
  5. On the Application panel, click the User Groups tab.
  6. Select the user group, then click save.

End User Experience

After you configure both the IdP and SP for SSO, employees can access the applications in two ways: