- A public certificate and private key pair are required to successfully connect applications with JumpCloud. After you activate an application, we automatically generate a public certificate and private key pair for you. You can use this pair or upload your own.
- After you connect an application to JumpCloud, you can connect it to user groups. Users in the groups you connect can access the application through SAML SSO.
- You can configure how often users need to log in to their applications and User Portal.
Configuring an Application Connector
To find and configure a connector in JumpCloud:
- Log in to the JumpCloud Admin Portal: https://console.jumpcloud.com.
- Go to Applications.
- Click ( + ) to configure a new application.
- Search for the application you want to connect to JumpCloud.
- Click configure to the right of the application’s name.
- You can automatically populate required connector fields for a Service Provider application by clicking the Upload Metadata button. To manually populate connector field data, refer to the SAML Connector Fields section.
- Click activate to save and activate the connector. After the application is activated, a public certificate and private key pair are generated for the application.
Configuring the Service Provider Application
Refer to your application’s SAML SSO documentation for instructions on configuring the application to connect with JumpCloud. You can typically find this documentation by searching the application help for “SAML.”
SAML Connector Fields
SAML connectors can have various editable fields and configurations. Not all fields are required or are included for every application connector. The following section describes all SAML connector fields.
- Display Label - Provide a label to guide administrators and users to the application. This value is shown next to the application’s icon on the Applications page in the JumpCloud Admin Portal. Additionally, it appears underneath the application icon in the JumpCloud User Portal.
- Service Provider Metadata - You can upload a service provider application’s XML metadata file to populate SAML 2.0 connector attributes for that application. The attributes populated by the metadata file may vary by application.
To apply a metadata file for the application you’re connecting, click Upload Metadata. Navigate to the file you want to upload, then click Open. You’ll see a confirmation of a successful upload.
Be aware that if you upload more than one metadata file, you’ll overwrite the attribute values applied in the previously uploaded file.
- IdP Entity ID - This is the unique, case-sensitive identifier used by JumpCloud for this service provider. Most service providers require this value during the configuration in their applications. This value is commonly referred to by service providers as the Issuer, Identifier, Identity Provider, or IdP Entity ID. Should the service provider require it, please ensure that you enter the same value in both JumpCloud and the service provider’s application.
- SP Entity ID - This is the unique, case-sensitive identifier used by this service provider. The service provider will likely supply you with this value and may refer to it as the Audience, Entity ID, Identifier, Service Provider Issuer, or Audience Restriction. If the service provider supplies its metadata file, the SP Entity ID is the entityID attribute value of the EntityDescriptor element.
- ACS URL - This is the endpoint to which JumpCloud will send SAML Responses (containing Assertions). The service provider will supply you with this value and may refer to it as the Destination, Recipient, SAML Assertion Endpoint URL, ACS URL, Assertion Consumer Service URL, or Consume URL. If the service provider supplies its metadata file, the ACS URL is the Location attribute value of the AssertionConsumerService element.
- SP Certificate - This is the public certificate used to validate the digital signature on this service provider's SAML Requests. If you can download the service provider’s public certificate, please do so and upload it here. If you have the service provider’s metadata file, it may contain the certificate in the X509Certificate element. If so, you may copy and paste the certificate contents into a file and upload it to your JumpCloud configuration. Ensure that the service provider’s certificate is Base64 encoded before you upload it.
- SAMLSubject NameID - This is the user identifier that will be sent as the SAMLSubject's NameID. Only change this value if the service provider requires a NameID other than email.
- SAMLSubject NameID Format - This is the format that will be sent for the SAMLSubject's NameID. Only change this value if the service provider requires a specific NameID format.
- Constant Attributes - Configure any constant-value attributes to be sent to the service provider in assertions. The same values will be sent for all users. For example, a constant attribute for session duration limits session times for all users of the application, or service provider.
Click add attribute to add a constant attribute. To remove an attribute, click - .
- User Attributes - Configure user attributes to be sent to the service provider in assertions. User attributes are unique to each user. You can include attributes for standard user detail attributes or for custom attributes. For example, you can include standard attributes for users’ employee ID and department, or you can include a custom attribute for users’ application ID. Standard attributes are configured in the User Panel Details tab's User Information and Employee Information sections. To learn how to configure user attributes and custom user attributes for SAML connectors, see this KB.
- Include Group Attribute - Select to include the groups a user is a member of in SAML assertions. When this option is selected, all groups that connect the user to the application are included in assertions to that application. The Groups Attribute Name is the service provider's name of the group attribute. By default, the attribute name is memberOf.
When this option is selected, you must include a Groups Attribute Name. You'll receive an error when you attempt to activate (create) or save (edit) the connector if you select this option and leave Groups Attribute Name blank.
- Sign Assertion - Signing a SAML Response or SAML assertion ensures message integrity when the response/assertion is delivered to the relying service provider. If the service provider requires only the assertion to be signed, select this option. Otherwise, leave the option clear and the entire response (including the assertion) will be signed.
- Default RelayState - Enter a value that designates the default location to which your users will be redirected after single sign-on is complete. It will be sent by JumpCloud as the RelayState either in IdP-initiated SSO or if no RelayState is received from the service provider during SP-initiated flow. The service provider may supply you with this value and refer to it as the Target URL, RelayState, or Target.
- IdP-Initiated URL - If the service provider does not support IdP-initiated SSO, you may use the IdP-Initiated URL to force users through SP-initiated SSO. Please enter a URL which will begin the SP-initiated SSO flow.
- Declare Redirect Endpoint - Select this option only if the service provider requires that your IdP metadata file contains a redirect endpoint.
- IdP URL - The IdP URL is the location to which the service provider will send SAML requests and at which a user will authenticate. Please change this value to a plaintext string unique to the service provider. The value you input will serve as the end of the IdP URL. The service provider will require the IdP URL and may refer to it as the Identity Provider Target URL, SSO Login URL, Redirect URL, or Identity Provider Endpoint. Please take note of the entire URL (including the portion you edited) for later use.
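As an added example (not JumpCloud's own code), the following Python parser shows where the Service Provider Metadata, SP Entity ID, ACS URL, SP Certificate and NameID Format values described above come from in an SP metadata file: the entityID attribute of EntityDescriptor, the Location of the HTTP-POST AssertionConsumerService (preferring the one marked isDefault), the signing X509Certificate re-armoured as a Base64 PEM file ready for upload, and the NameIDFormat element. The sample metadata, its host name and certificate body are constructed placeholders, not a real service provider.

```python
import textwrap
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample SP metadata; the host and the certificate body are placeholders.
SAMPLE_SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://sp.example.test/saml/metadata">
 <md:SPSSODescriptor AuthnRequestsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
   <ds:X509Certificate>UExBQ0VIT0xERVItTk9ULUEtUkVBTC1DRVJU</ds:X509Certificate>
  </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
  <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
   Location="https://sp.example.test/saml/artifact" index="0"/>
  <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
   Location="https://sp.example.test/saml/acs" index="1" isDefault="true"/>
 </md:SPSSODescriptor>
</md:EntityDescriptor>"""

def to_pem(b64):
    """Strip whitespace from a bare Base64 certificate body and wrap it in PEM armour."""
    lines = textwrap.wrap("".join(b64.split()), 64)
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"

def parse_sp_metadata(xml_text):
    """Return the connector field values that an SP metadata file can supply."""
    root = ET.fromstring(xml_text)
    sp = root.find("md:SPSSODescriptor", NS)
    if root.tag != "{%s}EntityDescriptor" % NS["md"] or sp is None:
        raise ValueError("not SAML 2.0 service provider metadata")
    # SP Entity ID: the entityID attribute of the EntityDescriptor element.
    fields = {"sp_entity_id": root.attrib["entityID"]}
    # ACS URL: the Location of the HTTP-POST AssertionConsumerService, preferring
    # the endpoint marked isDefault; endpoints with other bindings are ignored.
    acs = [e for e in sp.findall("md:AssertionConsumerService", NS) if e.get("Binding") == POST]
    if not acs:
        raise ValueError("no HTTP-POST AssertionConsumerService endpoint")
    acs.sort(key=lambda e: e.get("isDefault") != "true")
    fields["acs_url"] = acs[0].get("Location")
    # SP Certificate: the signing X509Certificate (a KeyDescriptor without a 'use'
    # attribute serves both signing and encryption), re-emitted as Base64 PEM.
    certs = (kd.findtext("ds:KeyInfo/ds:X509Data/ds:X509Certificate", namespaces=NS)
             for kd in sp.findall("md:KeyDescriptor", NS) if kd.get("use", "signing") == "signing")
    cert = next((c for c in certs if c), None)
    fields["sp_certificate_pem"] = to_pem(cert) if cert else None
    fields["authn_requests_signed"] = sp.get("AuthnRequestsSigned") == "true"
    fields["name_id_format"] = sp.findtext("md:NameIDFormat", namespaces=NS)
    return fields
```

When authn_requests_signed is true the SP will sign its SAML Requests, so the extracted certificate is the one to upload in the SP Certificate field; when no HTTP-POST endpoint exists the parser fails rather than silently picking an endpoint JumpCloud cannot post to.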