JumpCloud's Directory-as-a-Service lets a company's employees use their JumpCloud credentials to sign on securely to supported applications. This gives the organization a single, centralized identity: one set of employee credentials grants access to every connected application, instead of a separate login per application. The implementation follows the single sign-on (SSO) workflow, in which the JumpCloud-managed identity is "asserted" to an application using the SAML protocol. This getting-started guide gives a general overview of the product's SSO workflow; the SAML configuration guides for each application service provider the product supports can be found here.
How SSO Applications Work
1 - Select an App - Select an application you would like to establish SAML 2.0-based SSO with. Don't forget, if you have on-prem/legacy applications which use LDAP, you may use our LDAP services for those bindings.
2 - Configure Your App - You set the SAML configuration for the application, with JumpCloud acting as the app's identity provider ("IdP"). Each application connector has explicit instructions for establishing the connection.
3 - Bind Your App to a User Group - Your app is then bound to one or more of your User Groups. Members of those groups gain access to the app via SAML and see the application icon in their User Portal. Many apps also allow login to start from the app's own site, in which case the user is redirected to JumpCloud for SAML authentication.
Setting up SAML-based SSO with an Application
Within JumpCloud's Administrative Console, the 'Applications' object provides access to create new (+) or manage existing applications:
JumpCloud uses the SAML 2.0 protocol to assert identities to application service providers. JumpCloud is the "Identity Provider" (IdP), while the application is the "Service Provider" (SP). As a JumpCloud Administrator, clicking the 'configure' button next to any supported SP icon shows the SAML IdP configuration parameters for that SP, Google Apps in the case shown below:
The SP will typically provide a simple form for entering the SAML configuration parameters needed to set up single sign-on from a compatible IdP such as JumpCloud, e.g. Google's Admin Console:
Configuring Authentication from the Application Service Provider
Restricting Employee Access to Applications
Managing user access on a per-application basis is explained in the SAML Configuration Notes.
End User Experience
Once the IdP and SP configurations are complete, employees can gain access to the applications they have been assigned to in two ways:
- IdP-Initiated - Access via the JumpCloud User Portal
- SP-Initiated - Access directly from the application
With IdP-initiated access the employee logs in to their JumpCloud User Portal and selects the application icon.
- Log in to the JumpCloud User Console https://console.jumpcloud.com/
- Under "My applications", select the appropriate application. JumpCloud asserts the user's identity to the SP and the user is authenticated without further action.
SP-initiated means the user enters through the SP application instead of the JumpCloud User Console. Not all SPs support this workflow.
- Navigate to the SP
- Generally, there is either a special link or an adaptive username field that detects the user is authenticated via SSO, this varies by SP.
- Login will redirect to JumpCloud. The user will enter their JumpCloud credentials.
- Once logged in successfully, the user will be redirected back to the SP and automatically logged in.
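The two flows above differ in one protocol detail that matters for the SP: in the SP-initiated flow the SP issues an AuthnRequest first and can tie the IdP's Response back to it through InResponseTo, while in the IdP-initiated flow the Response is unsolicited and the SP has nothing to correlate it with. The following added example (not JumpCloud's or Google's code, and not part of this guide) walks both flows end to end with constructed entity IDs and endpoints: the SP builds and DEFLATE/base64-encodes an AuthnRequest for the HTTP-Redirect binding, the IdP builds a Response carrying a bearer Assertion, and the SP applies the checks that every SP must apply after verifying the IdP's XML signature (signature verification itself is omitted; a real SP uses a SAML library and the IdP certificate from its metadata). All URLs and identifiers in it are assumptions.

```python
"""Toy SAML 2.0 exchange: SP-initiated and IdP-initiated flows with SP-side checks (added example)."""
import base64
import secrets
import urllib.parse
import xml.etree.ElementTree as ET  # use defusedxml for untrusted input in production
import zlib
from datetime import datetime, timedelta, timezone

# Constructed endpoints and entity IDs; these are assumptions, not real JumpCloud or Google values.
IDP_ENTITY_ID = "https://idp.example.test/saml"
IDP_SSO_URL = "https://idp.example.test/saml/sso"
SP_ENTITY_ID = "https://app.example.test/saml/metadata"
SP_ACS_URL = "https://app.example.test/saml/acs"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
FMT = "%Y-%m-%dT%H:%M:%SZ"


def _stamp(dt):
    return dt.strftime(FMT)


def _parse(stamp):
    return datetime.strptime(stamp, FMT).replace(tzinfo=timezone.utc)


def build_authn_request(request_id):
    """SP side of the SP-initiated flow: the AuthnRequest the SP sends to the IdP."""
    return (f'<samlp:AuthnRequest xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
            f'ID="{request_id}" Version="2.0" IssueInstant="{_stamp(datetime.now(timezone.utc))}" '
            f'Destination="{IDP_SSO_URL}" AssertionConsumerServiceURL="{SP_ACS_URL}">'
            f'<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer></samlp:AuthnRequest>')


def encode_redirect_binding(xml):
    """HTTP-Redirect binding: raw DEFLATE, then base64, then URL-encode as the SAMLRequest parameter."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = comp.compress(xml.encode()) + comp.flush()
    return urllib.parse.urlencode({"SAMLRequest": base64.b64encode(deflated).decode()})


def decode_redirect_binding(query):
    raw = urllib.parse.parse_qs(query)["SAMLRequest"][0]
    return zlib.decompress(base64.b64decode(raw), -15).decode()


def build_response(name_id, in_response_to=None, issued=None, lifetime=timedelta(minutes=5)):
    """IdP side: a Response with one bearer Assertion. in_response_to is None for the unsolicited
    Response an IdP-initiated login produces. A real IdP signs this with XML-DSig (omitted here)."""
    issued = issued or datetime.now(timezone.utc)
    irt = f' InResponseTo="{in_response_to}"' if in_response_to else ""
    expiry = _stamp(issued + lifetime)
    return (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
            f'ID="_{secrets.token_hex(16)}" Version="2.0" IssueInstant="{_stamp(issued)}" '
            f'Destination="{SP_ACS_URL}"{irt}><saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>'
            f'<samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>'
            f'<saml:Assertion ID="_{secrets.token_hex(16)}" Version="2.0" IssueInstant="{_stamp(issued)}">'
            f'<saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer><saml:Subject><saml:NameID>{name_id}</saml:NameID>'
            '<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">'
            f'<saml:SubjectConfirmationData Recipient="{SP_ACS_URL}" NotOnOrAfter="{expiry}"{irt}/>'
            '</saml:SubjectConfirmation></saml:Subject>'
            f'<saml:Conditions NotBefore="{_stamp(issued)}" NotOnOrAfter="{expiry}">'
            f'<saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience>'
            '</saml:AudienceRestriction></saml:Conditions></saml:Assertion></samlp:Response>')


def validate_response(xml, pending_request_ids, seen_assertion_ids, now=None):
    """SP side. Run these checks only AFTER the IdP's XML signature has been verified.
    Returns the NameID on success, raises ValueError otherwise."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(xml)
    if root.tag != f'{{{NS["samlp"]}}}Response' or root.get("Destination") != SP_ACS_URL:
        raise ValueError("not a Response addressed to our ACS URL")
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        raise ValueError("IdP did not report Success")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None or assertion.findtext("saml:Issuer", namespaces=NS) != IDP_ENTITY_ID:
        raise ValueError("missing Assertion or untrusted Issuer")
    cond = assertion.find("saml:Conditions", NS)
    if not (_parse(cond.get("NotBefore")) <= now < _parse(cond.get("NotOnOrAfter"))):
        raise ValueError("assertion outside its validity window")
    if cond.findtext("saml:AudienceRestriction/saml:Audience", namespaces=NS) != SP_ENTITY_ID:
        raise ValueError("assertion was issued for a different SP")
    # SP-initiated: InResponseTo must name a request we issued and have not yet consumed.
    # IdP-initiated: there is no InResponseTo, so only the assertion ID guards against replay.
    irt = root.get("InResponseTo")
    if irt is not None and irt not in pending_request_ids:
        raise ValueError("InResponseTo does not match an outstanding AuthnRequest")
    if assertion.get("ID") in seen_assertion_ids:
        raise ValueError("assertion replayed")
    pending_request_ids.discard(irt)
    seen_assertion_ids.add(assertion.get("ID"))
    return assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)


def _rejected(*args):
    try:
        validate_response(*args)
    except ValueError:
        return True
    return False


def run_flows():
    """Walks both flows from the guide plus the failure cases an SP must reject."""
    pending, seen = set(), set()
    # SP-initiated: the user arrives at the SP, which redirects to the IdP with an AuthnRequest.
    req_id = "_" + secrets.token_hex(16)
    query = encode_redirect_binding(build_authn_request(req_id))
    pending.add(req_id)
    idp_sees = ET.fromstring(decode_redirect_binding(query)).get("ID")  # IdP reads the request ID
    sp_resp = build_response("alice@example.test", in_response_to=idp_sees)
    # IdP-initiated: the user clicks the app tile in the User Portal; no AuthnRequest exists.
    idp_resp = build_response("bob@example.test")
    old = build_response("carol@example.test", issued=datetime(2000, 1, 1, tzinfo=timezone.utc))
    return {"sp_initiated": validate_response(sp_resp, pending, seen),
            "idp_initiated": validate_response(idp_resp, pending, seen),
            "replay_rejected": _rejected(sp_resp, pending, seen),
            "unsolicited_replay_rejected": _rejected(idp_resp, pending, seen),
            "expired_rejected": _rejected(old, pending, seen)}
```

Calling `run_flows()` returns the accepted NameIDs for the two flows and `True` for each rejected case. The point to take from the IdP-initiated branch is that, because the Response is unsolicited, the SP has no InResponseTo to check; its only defences against a captured assertion being replayed are the short validity window, the Recipient/Audience checks, and remembering assertion IDs it has already accepted. That is why some SPs do not support the IdP-initiated workflow, or accept it only when it is explicitly enabled for a trusted IdP.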