The following terms are used frequently:<\/p>\n\n\n\n
- \n
- Service Provider (SP)<\/strong>: A resource like a webpage or an app that you want to access.<\/li>\n\n\n\n
- Identity Provider<\/strong> (IdP)<\/strong>: A service that can authenticate you.<\/li>\n\n\n\n
- Principal (User)<\/strong>: The JumpCloud customer using this technology. <\/li>\n\n\n\n
- Single Sign On (SSO)<\/strong>: A session and user authentication service that permits a user to use one set of login credentials such as a username and password to access multiple applications. <\/li>\n\n\n\n
- Security Assertion Markup Language<\/strong> (SAML)<\/strong>: An open standard that defines a XML-based framework for exchanging authentication and authorization information between an identity provider (IdP) and a service provider (SP), to enable web-based single sign-on (SSO). While there are earlier versions of SAML, JumpCloud only supports SAML 2.0.<\/li>\n<\/ul>\n\n\n\n
<\/a>How SSO Works<\/h2>\n\n\n\n
Service Provider (SP) Initiated SSO<\/strong>:<\/p>\n\n\n\n
- \n
- A user accesses the SP\u2019s SAML application.<\/li>\n\n\n\n
- The SP sends the user to the IdP for authentication.<\/li>\n\n\n\n
- If the user isn\u2019t already logged in, the IdP authenticates the user. <\/li>\n\n\n\n
- The IdP sends a response to the SP with the assertion for the user.<\/li>\n\n\n\n
- The user is successfully authenticated using SAML SSO.<\/li>\n<\/ol>\n\n\n\n
![](\"\/wp-content\/themes\/jumpcloud\/assets\/images\/gutenberg-blocks\/note-icon.png\")
<\/p><\/div>Note:<\/strong> \nThis example does not include the workflow for JIT or Just-In-Time Provisioning<\/p>\n <\/div><\/div><\/div><\/div>\n\n\n\n
Identity Provider (IdP) Initiated SSO<\/strong>:<\/p>\n\n\n\n
- \n
- A user accesses their IdP login page or dashboard.<\/li>\n\n\n\n
- If the user isn\u2019t logged in yet, the IdP interacts with the user to provide authentication.<\/li>\n\n\n\n
- The user selects the SAML application they want to access.<\/li>\n\n\n\n
- The IdP sends a response to the SP with the assertion for the user.<\/li>\n\n\n\n
- The user is successfully authenticated using SAML SSO.<\/li>\n<\/ol>\n\n\n\n
<\/a>SAML\/SSO Troubleshooting in JumpCloud<\/h2>\n\n\n\n
Service providers can differ in their SAML\/SSO configurations, features, and functionality. Use the troubleshooting tips we provide and refer to the support pages provided by the SP vendor.<\/p>\n\n\n\n
Take a moment to compare settings.<\/strong><\/p>\n\n\n\n
Review your current configuration against the configuration the SP recommends in their documentation. <\/p>\n\n\n\n
Does your SP actually support SAML 2.0?<\/strong><\/p>\n\n\n\n
It\u2019s rare but some SPs support other versions of SAML.<\/p>\n\n\n\n
Is your certificate valid?<\/strong><\/p>\n\n\n\n
- \n
- JumpCloud SAML SSO connectors support SHA-256 certificates by default. Although JumpCloud supports SHA-1 certificates, if the service provider supports it, we recommend using SHA-256 for stronger security.<\/li>\n\n\n\n
- Some Service Providers want you to include the ===begin certificate===<\/kbd> and ===end certificate===<\/kbd> headers and footers when you add the certificate; others don\u2019t. Confirm the requirements for this.<\/li>\n<\/ul>\n\n\n\n
Are you using optional attributes?<\/strong><\/p>\n\n\n\n
- \n
- Make sure your attributes are supported by the service provider.<\/li>\n\n\n\n
- Make sure the attributes are mapped properly to JumpCloud attributes and vice versa.<\/li>\n<\/ul>\n\n\n\n
Can you successfully configure the SP using the GENERIC SAML 2.0 connector?<\/strong><\/p>\n\n\n\n
If so, there\u2019s an issue with the pre-built connector. See SSO using Custom SAML Application Connectors<\/a>.<\/p>\n\n\n\n
Did you remember to give your users access to the SSO application in the JumpCloud Admin Console?<\/strong><\/p>\n\n\n\n
Users are implicitly denied access to applications. After you connect an application to JumpCloud, you must authorize user access to that application. See Authorize Users to an SSO App<\/a>. <\/p>\n\n\n\n
How is the workflow being initiated?<\/strong><\/p>\n\n\n\n
SP initiated SSO isn’t supported by all applications. Confirm with your Service Provider vendor that it can support this functionality. If the SP doesn\u2019t support SP-Initiated SSO, it may support IdP-Initiated SSO.<\/p>\n\n\n\n
Why isn’t JIT working?<\/strong><\/p>\n\n\n\n
- \n
- Does it work with existing users? This is a good test to ensure that the authentication is working as expected, then move onto troubleshooting the Just-in-Time (JIT) provisioning.<\/li>\n\n\n\n
- Not all SPs currently support Just-In-Time Provisioning (JIT). Confirm with your SP vendor that JIT is supported.<\/li>\n<\/ul>\n\n\n\n
What, if any, information are you getting from error messages?<\/strong><\/p>\n\n\n\n
- \n
- The error messages returned provide a good starting point for troubleshooting if everything else seems to be correct or as expected. Sometimes the service provider has information on specific errors that are returned.<\/li>\n\n\n\n
- Some SPs do provide a SAML logging tool, so you can actually see why SAML SSO failed.<\/li>\n\n\n\n
- You can also Google your error message and find helpful information.<\/li>\n\n\n\n
- See the following table for common error messages:<\/li>\n<\/ul>\n\n\n\n\n
SAML SSO Error Mesages<\/h3>\n
\n
- Identity Provider<\/strong> (IdP)<\/strong>: A service that can authenticate you.<\/li>\n\n\n\n