Authorize users to an SSO application
To generate a public certificate/private key pair using OpenSSL
JumpCloud's SSO SAML connectors accept either SHA1 or SHA256 certificates, depending on what the service provider supports. We generally recommend SHA256 for security purposes if your configuration supports it. The example below first creates a private key and then creates a public certificate for that private key. In a terminal on Linux or Mac, use the following commands:
openssl genrsa -out private.pem 2048
openssl req -new -x509 -sha256 -key private.pem -out cert.pem -days 1095
An example of the expected output:
# openssl genrsa -out private.pem 2048
Generating RSA private key, 2048 bit long modulus
..................+++
.+++
e is 65537 (0x10001)
# openssl req -new -x509 -sha256 -key private.pem -out cert.pem -days 1095
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) :
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) :
Common Name (e.g. server FQDN or YOUR name) :
Email Address :
To determine the SHA256 Fingerprint for the public certificate
openssl x509 -sha256 -in cert.pem -noout -fingerprint
To determine the SHA1 Fingerprint for the public certificate
openssl x509 -sha1 -in cert.pem -noout -fingerprint
SHA1 Fingerprint=1A:29:04:1E:75:C2:5B:DF:FA:6D:CE:4F:6A:6E:66:C9:9E:0D:2E:76
For Windows 10 Users
We have provided steps below for using a Windows-based OpenSSL binary to generate a TLS/SSL certificate to use with your Office 365 SAML application.
1. Download the following Windows OpenSSL binary from https://indy.fulgan.com/SSL/ (referenced from https://wiki.openssl.org/index.php/Binaries).
2. Extract the zip file to a convenient directory. Please note the directory as you will need to place the following openssl.cnf file into the same location as the extracted binary.
3. Download the "openssl.cnf" template file referenced at the bottom of the "SAML Configuration Notes" knowledge base article.
Note: Here is the direct link to download the "openssl.cnf" file.
4. Place the "openssl.cnf" file in the same directory as the extracted OpenSSL binary file (the openssl application file).
5. Right-click the openssl application (openssl.exe) from within the folder and run it as Administrator. Windows Defender may ask you to confirm that you want to run this application; select "More Info" and then "Run Anyway". This will open a Windows command window with the OpenSSL> prompt.
6. From the OpenSSL> command prompt, please run the following commands to generate a new private key and public certificate.
OpenSSL> genrsa -out myprivatekey.pem 2048
OpenSSL> req -new -x509 -key myprivatekey.pem -out mypublic_cert.pem -days 3650 -config .\openssl.cnf
You'll be asked to fill out a form to complete the certificate creation. It will appear similar to the text below:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Organization Name (company) [My Company]:
Organizational Unit Name (department, division) :
Email Address :
Locality Name (city, district) [My Town]:
State or Province Name (full name) [State or Providence]:
Country Name (2 letter code) [US]:
Common Name (hostname, IP, or your name) :
Note: the -days argument sets how long the certificate is valid (1095 days in the Linux/Mac example above, 3650 days in the Windows command). A new pair will need to be generated prior to expiration to prevent loss of access to the Service Provider.
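As an added example that is not part of JumpCloud's documentation, the following POSIX shell script performs the Linux/Mac steps above non-interactively (the WORKDIR, file names and the -subj values are assumptions chosen for this example), prints both the SHA256 and SHA1 fingerprints, confirms the certificate is SHA-256 signed, and uses openssl x509 -checkend to test for the approaching expiry the note above warns about:

```shell
#!/bin/sh
# Added example, not JumpCloud's own script: generate the same 2048-bit RSA
# key and SHA-256 self-signed certificate as the Linux/Mac commands above,
# but non-interactively, then print its fingerprints and check expiry.
# WORKDIR, the file names and the -subj values are assumptions chosen for
# this example; the subject below is a constructed placeholder.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
KEY="$WORKDIR/private.pem"
CERT="$WORKDIR/cert.pem"
DAYS=1095
# Constructed placeholder subject; replace with your organisation's details.
SUBJ="/C=US/ST=Example-State/L=Example-City/O=Example Org/OU=IT/CN=sso.example.test"

# Create the private key and a self-signed certificate signed with SHA-256.
# -subj supplies the Distinguished Name so no interactive prompts appear.
gen_pair() {
    openssl genrsa -out "$KEY" 2048 2>/dev/null
    # The private key is the IdP signing secret; keep it readable by its owner only.
    chmod 600 "$KEY"
    openssl req -new -x509 -sha256 -key "$KEY" -out "$CERT" -days "$DAYS" -subj "$SUBJ"
}

# Print the fingerprint for the digest named in $1 (sha256 or sha1), in the
# form "SHA256 Fingerprint=AB:CD:...". Service providers usually ask for one
# of these when the certificate is registered.
fingerprint() {
    openssl x509 -"$1" -in "$CERT" -noout -fingerprint
}

# Print the certificate's signature algorithm (e.g. sha256WithRSAEncryption)
# to confirm the -sha256 option took effect.
sig_alg() {
    openssl x509 -in "$CERT" -noout -text | awk '/Signature Algorithm/ { print $3; exit }'
}

# Succeed (exit 0) if the certificate remains valid for at least $1 more
# seconds, fail otherwise. Run this from a scheduled job so a replacement
# pair can be generated before the service provider starts rejecting logins.
valid_for() {
    openssl x509 -in "$CERT" -noout -checkend "$1" >/dev/null
}

# Stand-alone usage: generate the pair, show both fingerprints and the
# expiry date, and warn if fewer than 30 days remain.
demo() {
    gen_pair
    echo "Signature algorithm: $(sig_alg)"
    fingerprint sha256
    fingerprint sha1
    openssl x509 -in "$CERT" -noout -enddate
    if valid_for $((30 * 86400)); then
        echo "OK: certificate valid for at least 30 more days"
    else
        echo "WARNING: certificate expires within 30 days; generate a new pair"
    fi
}

demo
```

The -checkend test is the piece worth keeping: a freshly generated certificate passes it, while one inside the window fails, so scheduling the check gives advance notice to rotate the pair before SSO logins break.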
Authorize users to an SSO application
For organizations using Groups, all users are implicitly denied access to the application.
To grant access to the application using Group binding:
- Create a Group of users that should have access to the Application
- Edit the Group Configuration
- On the Applications tab, select the Application(s) the Group of users should have access to. Applications will not appear until the connector has been activated.