JumpCloud's Directory-as-a-Service gives organization employees the ability to use their JumpCloud credentials to securely sign on to supported applications. This provides a centralized method of identity, using one set of employee credentials to gain access to applications instead of creating individual logins for each. The implementation provides a single sign-on (SSO) workflow, enabling the JumpCloud-managed identity to be asserted to an application via the SAML protocol. This getting started guide provides a general overview of JumpCloud's SSO workflow. SAML configuration guides for each of the application service providers supported by JumpCloud can be found in the Applications (SAML SSO) section of the JumpCloud Knowledge Base. Find a specific SSO configuration guide by searching for an application's name in the search bar at the top of the page.
How SSO Applications Work
1 - Select an App - Select an application you would like to establish SAML 2.0-based SSO with. Don't forget, if you have on-prem/legacy applications which use LDAP, you may use our LDAP services for those bindings.
2 - Configure Your App - You can set the various SAML configurations, with JumpCloud acting as the app's "IdP" or identity provider. Each application connector has explicit instructions required to establish the connection.
3 - Bind Your App to a User Group - Your app will then be bound to one or more of your User Groups. Members of the group gain access to your app via SAML. They will see the application icon in their User Portal. Many apps also allow login to start from the app itself, in which case the user is redirected to JumpCloud for SAML authentication.
Setting up SAML-based SSO with an Application
In JumpCloud's Admin Console, the Applications object provides access to create new (+) or manage existing applications:
JumpCloud uses the SAML 2.0 protocol as its method to assert identities to application service providers. JumpCloud is considered the "Identity Provider" or "IdP," while the application is denoted the "Service Provider" or "SP."
Click the configure button next to any of the supported SP icons to configure a SAML connector to that application. The following image shows the Google SAML connector.
The SP will typically provide simple-to-input SAML configuration parameters to set up Single Sign On from a compatible IdP like JumpCloud. The following image shows Google's instructions for setting up SAML SSO.
Configuring Authentication from the Application Service Provider
Restricting Employee Access to Applications
Managing user access on a per-application basis is explained in the SAML Configuration Notes.
End User Experience
After the IdP and SP configurations are complete, employees can gain access to the applications they have been assigned to in two ways:
- IdP-Initiated - Access via the JumpCloud User Portal
- SP-Initiated - Access directly from the application
With IdP initiated access, the employee will log in to their JumpCloud User Portal and select the application icon.
- Log in to the JumpCloud User Console: https://console.jumpcloud.com/.
- Under "My applications", select the appropriate application. JumpCloud asserts the user's identity to the SP, and the user is authenticated without further action.
SP initiated means the user enters through the SP application instead of the JumpCloud User Portal. Not all SPs support this workflow.
- Navigate to the SP.
- Generally, there is either a special link or an adaptive username field that detects that the user is authenticated via SSO; this varies by SP.
- Login will redirect to JumpCloud. The user will enter their JumpCloud credentials.
- After logging in successfully, the user will be redirected back to the SP and automatically logged in.
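As an added example (not JumpCloud's code, and using placeholder entity IDs and URLs rather than JumpCloud's real endpoints), the following Python shows the checks a service provider has to perform on the SAML Response it receives at the end of either flow above, after the XML signature on it has been verified with the IdP certificate: the status, Destination, InResponseTo (present for an SP-initiated login, absent for an IdP-initiated one), issuer, validity window, audience, and subject-confirmation data. The sample Response is constructed by hand for this illustration.

```python
"""Checks an SP performs on a SAML 2.0 Response before trusting it.

Added example, not JumpCloud's code. Entity IDs, URLs and the sample
Response are constructed placeholders. XML-signature verification is
assumed to have been done already by a SAML library; these checks follow it.
"""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Placeholder values the SP would take from its own SAML configuration.
IDP_ENTITY_ID = "https://idp.example.com/saml2/placeholder"  # assumed IdP entity ID
SP_ENTITY_ID = "https://sp.example.com"                      # assumed SP entity ID
ACS_URL = "https://sp.example.com/saml/acs"                  # assumed ACS URL

# Constructed sample Response for an SP-initiated login (AuthnRequest ID "_req42").
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_resp1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z"
    Destination="{ACS_URL}" InResponseTo="_req42">
  <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{STATUS_SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z">
    <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData NotOnOrAfter="2024-05-01T12:05:00Z"
            Recipient="{ACS_URL}" InResponseTo="_req42"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-05-01T11:59:00Z" NotOnOrAfter="2024-05-01T12:05:00Z">
      <saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="2024-05-01T12:00:00Z"/>
  </saml:Assertion>
</samlp:Response>"""


def parse_ts(value):
    """Parse a SAML UTC timestamp such as 2024-05-01T12:00:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_response(xml_text, *, expected_issuer, sp_entity_id, acs_url, now,
                      expected_request_id=None):
    """Return (ok, reason, name_id).

    expected_request_id is the AuthnRequest ID the SP stored for an SP-initiated
    login; pass None for an IdP-initiated (unsolicited) login from the User Portal.
    """
    root = ET.fromstring(xml_text)

    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != STATUS_SUCCESS:
        return False, "status not Success", None

    # The Response must be addressed to this SP's ACS endpoint.
    if root.get("Destination") != acs_url:
        return False, "Destination mismatch", None

    # Tie the Response to the request this SP actually issued, or to none at all.
    in_response_to = root.get("InResponseTo")
    if expected_request_id is None:
        if in_response_to is not None:
            return False, "unsolicited response carries InResponseTo", None
    elif in_response_to != expected_request_id:
        return False, "InResponseTo mismatch", None

    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        return False, "expected exactly one assertion", None
    assertion = assertions[0]

    if assertion.findtext("saml:Issuer", namespaces=NS) != expected_issuer:
        return False, "issuer mismatch", None

    # Validity window of the assertion (production libraries also allow small clock skew).
    conditions = assertion.find("saml:Conditions", NS)
    if conditions is None or conditions.get("NotOnOrAfter") is None:
        return False, "missing Conditions/NotOnOrAfter", None
    not_before = conditions.get("NotBefore")
    if (not_before and now < parse_ts(not_before)) or now >= parse_ts(conditions.get("NotOnOrAfter")):
        return False, "assertion outside validity window", None

    # The assertion must name this SP as its audience.
    audiences = [a.text for a in conditions.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if sp_entity_id not in audiences:
        return False, "audience mismatch", None

    # Bearer confirmation: recipient, expiry and request binding must all match.
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != acs_url:
        return False, "SubjectConfirmationData Recipient mismatch", None
    if scd.get("NotOnOrAfter") is None or now >= parse_ts(scd.get("NotOnOrAfter")):
        return False, "subject confirmation expired", None
    if scd.get("InResponseTo") != in_response_to:
        return False, "SubjectConfirmationData InResponseTo mismatch", None

    name_id = assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if not name_id:
        return False, "missing NameID", None
    return True, "ok", name_id


if __name__ == "__main__":
    print(validate_response(SAMPLE_RESPONSE, expected_issuer=IDP_ENTITY_ID,
                            sp_entity_id=SP_ENTITY_ID, acs_url=ACS_URL,
                            now=parse_ts("2024-05-01T12:01:00Z"),
                            expected_request_id="_req42"))
```

The same function serves the IdP-initiated flow by passing `expected_request_id=None`, in which case a Response that carries an InResponseTo is rejected rather than matched against a request the SP never sent. The sample here is parsed with the standard-library ElementTree because the input is hand-built; a real ACS endpoint should parse the Response with a hardened XML parser and verify the signature against the IdP certificate taken from the JumpCloud connector configuration before any of these checks.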