- You must generate a public certificate and private key pair to connect an application to JumpCloud. See SAML Configuration Notes to learn how to do this.
- Users are implicitly denied access to applications. After you connect an application to JumpCloud, you must grant users access to that application. See User authorization to learn how to do this.
- You can configure how often users need to log in to their applications and User Portal. Learn more about User Portal Session Duration here.
If you don’t see a connector for an application that your organization uses, you can connect it to JumpCloud with the SAML 2.0 Connector. This connector can be used with any application that supports SAML-based SSO. Be aware that you need in-depth knowledge of the service provider’s SAML compatibility and requirements to use the SAML 2.0 connector.
To find and configure the connector:
- Log in to the JumpCloud Admin Portal: https://console.jumpcloud.com.
- Go to Applications.
- Click ( + ) to configure a new application.
- You'll see SAML at the top of the list of applications. Click configure.
Though the SAML connector has many editable fields and configurations, not all fields may be required for an application. Each of the connector’s fields is described in the following section, SAML 2.0 Connector Fields. For details about a field in the UI, hover over the ( i ) icon.
SAML 2.0 Connector Fields
- Display Label (Required) - Provide a label to guide administrators and users to the application. This value is shown next to the application’s icon on the Applications page in the JumpCloud Admin Portal. Additionally, it appears underneath the application icon in the JumpCloud User Portal.
- Display Option (Optional) - This option lets you visually differentiate SAML 2.0 connectors in the JumpCloud Admin and User Portals. Select a color for the application icon. The application icon is shown in the color you select, with the application display name’s first letter, as shown in the following image of the User Portal:
In the User Portal, you can hover over the icon to view the application’s full display name.
In the Admin Portal’s Applications list, this icon is displayed next to the application’s display name, as shown in the following image:
Alternately, you can select the SAML 2.0 icon instead of a color.
- Service Provider Metadata (Optional) - You can upload a service provider application’s XML metadata file to populate SAML 2.0 connector attributes for that application. The attributes populated by the metadata file may vary by application.
To apply a metadata file for the application you’re connecting, click Upload Metadata. Navigate to the file you want to upload, then click Open. You’ll see a confirmation of a successful upload.
Be aware that if you upload more than one metadata file, you’ll overwrite the attribute values applied in the previously uploaded file.
- IdP Entity ID (Required) This is the unique, case-sensitive identifier used by JumpCloud for this service provider. Most service providers require this value during the configuration in their applications. This value is commonly referred to by service providers as the Issuer, Identifier, Identity Provider, or IdP Entity ID. Should the service provider require it, please ensure that you enter the same value in both JumpCloud and the service provider’s application.
- SP Entity ID (Required) - This is the unique, case-sensitive identifier used by this service provider. The service provider will likely supply you with this value and may refer to it as the Audience, Entity ID, Identifier, Service Provider Issuer, or Audience Restriction. If the service provider supplies its metadata file, the SP Entity ID is the entityID attribute value of the EntityDescriptor element.
- ACS URL (Required) - This is the endpoint to which JumpCloud will send SAML Responses (containing Assertions.) The service provider will supply you with this value and may refer to it as the Destination, Recipient, SAML Assertion Endpoint URL, ACS URL, Assertion Consumer Service URL, or Consume URL. If the service provider supplies its metadata file, the ACS URL is the location attribute value of the AssertionConsumerService element.
- SP Certificate (Optional) - This is the public certificate used to validate the digital signature on this service provider's SAML Requests. If you can download the service provider’s public certificate, please do so and upload it here. If you have the service provider’s metadata file, it may contain the certificate in the X509 Certificate element. If so, you may copy and paste the certificate contents into a file and upload it to your JumpCloud configuration. Ensure that the service provider’s certificate is Base64 encoded before you upload it.
- SAMLSubject NameID (Required) - This is the user identifier that will be sent as the SAMLSubject's NameID. Only change this value if the service provider requires a NameID other than email.
- SAMLSubject NameID Format (Required) - This is the format that will be sent for the SAMLSubject's NameID. Only change this value if the service provider requires a specific NameID format.
- Constant Attributes (Optional) - Configure any constant-value attributes to be sent to the service provider in assertions. The same values will be sent for all users. For example, a constant attribute for session duration limits session times for all users of the application, or service provider.
Click add attribute to add a constant attribute. To remove an attribute, click - .
- User Attributes (Optional) - Configure user attributes to be sent to the service provider in assertions. User attributes are unique to each user. You can include attributes for standard user detail attributes or for custom attributes. For example, you can include standard attributes for users’ employee ID and department, or you can include a custom attribute for users’ application ID. Standard attributes are configured in the User Panel Details tab's User Information and Employee Information sections. To learn how to configure user attributes and custom user attributes for SAML connectors, read this KB.
- Include Group Attribute. Select to include the groups a user is a member of in SAML assertions. When this option is selected, all groups that connect the user to the application are included in assertions to that application. The Groups Attribute Name is the service provider's name of the group attribute. By default, the attribute name is memberOf.
When this option is selected, you must include a Groups Attribute Name. You'll receive an error when you attempt to activate (create) or save (edit) the connector if you select this option and leave Groups Attribute Name blank.
- Sign Assertion (Optional) - Signing a SAML Response or SAML assertion ensures message integrity when the the response/assertion is delivered to the relying service provider. If the service provider requires only the assertion to be signed, select this option. Otherwise, leave the option clear and the entire response (including the assertion) will be signed.
- Default RelayState (Optional) - Enter a value that designates the default location to which your users will be redirected after single sign-on is complete. It will be sent by JumpCloud as the RelayState either in IdP-initiated SSO or if no RelayState is received from the service provider during SP-initiated flow. The service provider may supply you with this value and refer to it as the Target URL, RelayState, or Target.
- IdP-Initiated URL (Optional) - If the service provider does not support IdP-initiated SSO, you may use the IdP-Initiated URL to force users through SP-initiated SSO. Please enter a URL which will begin the SP-initiated SSO flow.
- Declare Redirect Endpoint (Optional) - Select this option only if the service provider requires that your IdP metadata file contains a redirect endpoint.
- IdP URL (Required) - The IdP URL is the location to which the service provider will send SAML requests and at which a user will authenticate. Please change this value to a plaintext string unique to the service provider. The value you input will serve as the end of the IdP URL. The service provider will require the IdP URL and may refer to it as the Identity Provider Target URL, SSO Login URL,Redirect URL, or Identity Provider Endpoint. Please take note of the entire URL (including the portion you edited) for later use.