SAML Configuration Notes

Generate public certificate and private key pair
Authorize users to an SSO application (Tags)
Authorize users to an SSO application (Groups) - If your organization was created after Tuesday, April 11 2017

To generate a public certificate/private key pair using OpenSSL

JumpCloud's SSO SAML connectors accept either SHA1 or SHA256 certificates, depending on what the service provider supports. We generally recommend SHA256 for security reasons wherever your configuration allows it. The example below first creates a private key and then a self-signed public certificate for that key. For SHA1, change the -sha256 flag to -sha1 when running the second command:

# openssl genrsa -out private.pem 2048
Generating RSA private key, 2048 bit long modulus
..................+++
.+++
e is 65537 (0x10001)
# openssl req -new -x509 -sha256 -key private.pem -out cert.pem -days 1095
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:
Email Address []:
To determine the SHA256 fingerprint of the public certificate:

openssl x509 -sha256 -in cert.pem -noout -fingerprint

To determine the SHA1 fingerprint of the public certificate:

openssl x509 -sha1 -in cert.pem -noout -fingerprint
SHA1 Fingerprint=1A:29:04:1E:75:C2:5B:DF:FA:6D:CE:4F:6A:6E:66:C9:9E:0D:2E:76

For Windows users, a precompiled binary is referenced in the OpenSSL wiki pages, e.g. the builds available from https://indy.fulgan.com/SSL/. Then:
  • Extract the zip to a working directory
  • Download the example openssl.cnf file attached to this KB and save it to the same working directory; modify the defaults if desired

C:\Program Files\OpenSSL>openssl.exe genrsa -out private.pem 2048
Generating RSA private key, 2048 bit long modulus
...................+++
....................................................................................................................
....................................................+++
e is 65537 (0x10001)

C:\Program Files\OpenSSL>openssl.exe  req -new -x509 -key private.pem -out cert.pem -days 1095 -config .\openssl.cnf
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Organization Name (company) [My Company]:
Organizational Unit Name (department, division) []:
Email Address []:
Locality Name (city, district) [My Town]:
State or Province Name (full name) [State or Providence]:
Country Name (2 letter code) [US]:
Common Name (hostname, IP, or your name) []:
Note that this command creates a certificate that expires in 1095 days. Generate and upload a new pair before that date to avoid losing access to the Service Provider.

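The following POSIX shell script is an added example, not JumpCloud's own tooling. It runs the same OpenSSL commands as the procedure above, but non-interactively (the Distinguished Name is passed with -subj), and then performs the checks worth doing before uploading cert.pem to a Service Provider: that the certificate really is SHA-256 signed, what its fingerprints are, that private.pem and cert.pem belong together, and whether the certificate is approaching the end of its 1095-day lifetime. It assumes openssl is on PATH; the subject fields are constructed placeholders.

```shell
#!/bin/sh
# Added example (not JumpCloud's tooling): generate the IdP signing key/certificate
# pair non-interactively and verify its properties. Assumes openssl is on PATH.
# The subject below is a constructed placeholder, not real organization data.
set -eu

WORKDIR=$(mktemp -d)
KEY="$WORKDIR/private.pem"
CERT="$WORKDIR/cert.pem"
SUBJ="/C=US/ST=Colorado/L=Boulder/O=Example Org/CN=example-idp-signing"  # constructed

# Generate a 2048-bit RSA key and a self-signed SHA-256 certificate valid for
# $1 days (1095 by default, as in the article). -subj answers the DN prompts.
gen_pair() {
  days=${1:-1095}
  openssl genrsa -out "$KEY" 2048 2>/dev/null
  chmod 600 "$KEY"   # the private key is what proves the IdP's identity; keep it private
  openssl req -new -x509 -sha256 -key "$KEY" -out "$CERT" -days "$days" -subj "$SUBJ" 2>/dev/null
}

# Signature algorithm of the certificate, e.g. sha256WithRSAEncryption. Check it
# rather than assume it: an old openssl.cnf or the wrong flag silently yields SHA-1.
sig_alg() {
  openssl x509 -in "$CERT" -noout -text | sed -n 's/^ *Signature Algorithm: //p' | head -n 1
}

# Colon-separated fingerprint for the named digest (sha256 or sha1), without the
# "Fingerprint=" label, ready to paste into the Service Provider's configuration.
fingerprint() {
  openssl x509 -"$1" -in "$CERT" -noout -fingerprint | cut -d= -f2
}

# Succeeds when the public key inside cert.pem is the one derived from private.pem,
# i.e. the two files really are a pair (a mix-up here breaks every SAML assertion).
key_matches_cert() {
  [ "$(openssl pkey -in "$KEY" -pubout 2>/dev/null)" = "$(openssl x509 -in "$CERT" -noout -pubkey)" ]
}

# Succeeds when the certificate expires within $1 days. Run from a scheduled job so
# a new pair is generated before the old one lapses and SSO logins start failing.
expiring_within() {
  if openssl x509 -in "$CERT" -noout -checkend $(( $1 * 86400 )) >/dev/null; then
    return 1   # still valid beyond the window
  fi
  return 0
}

main() {
  gen_pair 1095
  echo "key and cert written to $WORKDIR"
  echo "signature algorithm: $(sig_alg)"
  echo "SHA256 fingerprint:  $(fingerprint sha256)"
  echo "SHA1 fingerprint:    $(fingerprint sha1)"
  key_matches_cert && echo "private key matches certificate"
  if expiring_within 90; then
    echo "ROTATE: certificate expires within 90 days"
  else
    echo "certificate valid for more than 90 days"
  fi
}

main
```

The script writes into a fresh temporary directory so it never overwrites an existing private.pem; copy the files to their final location with the same restrictive permissions. The expiring_within check is the one to automate: with a 90-day window it gives enough notice to generate the new pair, upload the new cert.pem to the Service Provider, and switch the connector over before the old certificate expires.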
Authorize users to an SSO application (Tags)

For organizations using Tags, all users are implicitly allowed to use the application.  

To restrict access to the application using a Tag:
  1. Note the IdP URL name for this app in the Application details, e.g. https://sso.jumpcloud.com/saml2/ConnectorName
  2. Create a new Tag and name it SSO-ConnectorName. Important: this Tag name is case sensitive.
  3. Add the users who should have Single Sign-On access to the Service Provider to this Tag. Any user not in this Tag will be denied access.


Authorize users to an SSO application (Groups)

For organizations using Groups, all users are implicitly denied access to the application.

To grant access to the application using Group binding:
  1. Create a Group of users that should have access to the Application
  2. Edit the Group Configuration
  3. On the Applications tab, select the Application(s) the Group of users should have access to. Applications will not appear until the connector has been activated.

Last Updated: Jul 27, 2017 12:28PM MDT
