Getting Started: Applications (SAML SSO)

JumpCloud's Directory-as-a-Service gives an organization's employees access to supported applications through their JumpCloud® credentials. This centralized approach to identity uses one set of employee credentials for all applications, instead of a separate login for each application. In this Single Sign-On (SSO) workflow, the JumpCloud-managed identity is asserted to an application via the SAML protocol.

This getting started guide provides a general overview of JumpCloud's SSO workflow. SAML configuration guides for each of the application service providers supported by JumpCloud can be found in the Applications (SAML SSO) section of the JumpCloud Knowledge Base. Find a specific SSO configuration guide by searching for an application's name in the search bar at the top of the page.

How to Use SAML (SSO) Applications with JumpCloud


1 - Select an App - Select an application you want to connect with JumpCloud through SAML 2.0-based SSO. You may see some applications in the list with a Beta flag. We're evaluating these connectors in various real-world environments so we can gather feedback to enhance their performance. 

Tip: You can connect on-prem/legacy applications that use LDAP to JumpCloud's LDAP services. See Using JumpCloud's LDAP-as-a-Service.

2 - Configure Your App - You can set various SAML configurations, with JumpCloud acting as the app's identity provider (IdP). Each application connector has explicit instructions required to establish the connection. Refer to an application's SAML / SSO connection documentation for information on setting up your application to integrate with JumpCloud.

Upload a Metadata File

You can upload service provider application XML metadata files to populate connector attributes for applications.

To apply a metadata file for an application you’re connecting, click Upload Metadata. Navigate to the file you want to upload, then click Open. You’ll see a confirmation of a successful upload.

Be aware that if you upload more than one metadata file, you’ll overwrite the attribute values applied in the previously uploaded file.
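A metadata file can be reviewed before it is uploaded. The following is an added example, not JumpCloud's code: it reads standard SAML 2.0 SP metadata elements, flags assertion consumer endpoints that are not HTTPS, and reports which values a second upload would overwrite. The sample metadata and the sp.example.com names are constructed, and which attributes JumpCloud itself reads from the file is not assumed here.

```python
import xml.etree.ElementTree as ET  # for untrusted files, prefer the defusedxml package
from urllib.parse import urlparse

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
NS = {"md": MD}

# Constructed sample: metadata for a hypothetical SP at sp.example.com.
SAMPLE_SP_METADATA = """\
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.com/saml/metadata">
  <md:SPSSODescriptor WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:AssertionConsumerService index="0" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.com/saml/acs"/>
    <md:AssertionConsumerService index="1"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://legacy.sp.example.com/saml/acs"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

def summarize_sp_metadata(xml_text):
    """Return (summary, warnings) for one SP EntityDescriptor."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD}}}EntityDescriptor":
        raise ValueError("expected a single SAML EntityDescriptor")
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("no SPSSODescriptor: this is not SP metadata")
    # Keep only the short binding name, e.g. "HTTP-POST", next to each endpoint URL.
    acs = [(e.get("Binding", "").rsplit(":", 1)[-1], e.get("Location", ""))
           for e in sp.findall("md:AssertionConsumerService", NS)]
    summary = {
        "entity_id": root.get("entityID"),
        "acs": acs,
        "name_id_formats": [(e.text or "").strip() for e in sp.findall("md:NameIDFormat", NS)],
        "want_assertions_signed": sp.get("WantAssertionsSigned") in ("true", "1"),
    }
    warnings = [f"ACS endpoint is not HTTPS: {loc}"
                for _, loc in acs if urlparse(loc).scheme != "https"]
    if not acs:
        warnings.append("no AssertionConsumerService endpoint declared")
    return summary, warnings

def changed_fields(previous, replacement):
    """Names of summary fields a second upload would overwrite with new values."""
    return sorted(k for k in previous if previous[k] != replacement.get(k))
```

Running `summarize_sp_metadata` on both the current and the replacement file and passing the two summaries to `changed_fields` shows what the overwrite would change before it happens.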

3 - Connect Your App to a User Group - After you connect the application to JumpCloud, you can connect it to user groups. Members of connected groups gain access to the application through SAML. They see the application icon in their User Portal Applications panel. Many SP applications allow users to log in from their application. If users log in from the application, they are redirected to JumpCloud for SAML authentication.


Setting up SAML-based SSO with an Application

To connect an application to JumpCloud:
  1. Log in to the JumpCloud Admin Portal: https://console.jumpcloud.com/login.
  2. Go to Applications, then click ( + ). The Configure New Application panel appears.
  3. Search for an application by name using the search bar at the top of the panel.
  4. When you find the application you want to connect, click configure.

The application panel appears. 

Tip: If there isn't a connector for an application you want to connect to JumpCloud, you can use the SAML 2.0 connector to connect the application to JumpCloud. 

JumpCloud uses the SAML 2.0 protocol as its method to assert identities with application service providers. JumpCloud is considered the Identity Provider or IdP. The application is considered the Service Provider, or SP.

Configuring Authentication from the Application Service Provider

The service provider (SP) typically provides SAML configuration parameters to set up SSO from a compatible IdP like JumpCloud.

The following image shows Salesforce's instructions for setting up the Marketing Cloud for SAML SSO.


Managing Employee Access to Applications

Users are implicitly denied access to all JumpCloud resources, including applications. JumpCloud admins must explicitly grant access to SSO applications through user groups.

To grant access to a user group:
  1. Log in to the JumpCloud Admin Portal: https://console.jumpcloud.com/login.
  2. If you haven't already created a user group, create a new group.
  3. If the group exists, in the Admin Portal, go to Groups.
  4. Select the user group you want to grant access to the SSO application.
  5. On the Group panel, click the Applications tab.
  6. In the list of SSO applications, select the application, then click save group.


End User Experience

After you configure both the IdP and SP for SSO, employees can access the applications in two ways:

IdP Initiated

For IdP initiated SSO, users access an SP application from the JumpCloud User Portal.

User workflow for IdP initiated SSO:
  1. Log in to the JumpCloud User Portal: https://console.jumpcloud.com/
  2. Go to Applications.
  3. Click an application icon to launch the application. JumpCloud asserts the user's identity to the SP, and the user is authenticated without having to log in to the application.


SP Initiated

For SP initiated SSO, users access an SP application from the SP application's login.

Note: SP initiated SSO isn't supported by all SP applications.

User workflow for SP initiated SSO:
  1. Go to the SP application login.
  2. Generally, there is either a special link or an adaptive username field that detects the user is authenticated through SSO. This varies by SP.
  3. Login redirects the user to JumpCloud. The user enters their JumpCloud credentials.
  4. After the user is logged in successfully, they are redirected back to the SP and automatically logged in.
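The redirect in step 3 carries a SAML AuthnRequest. The following added example (not JumpCloud's or any SP's code) shows both sides of that message, assuming the SP uses the SAML 2.0 HTTP-Redirect binding: the SP encodes the request, and the IdP decodes it and compares the issuer and assertion consumer URL with what was registered for the connector. All URLs, the request ID and the `REGISTERED` table are constructed placeholders.

```python
import base64
import zlib
import xml.etree.ElementTree as ET  # for untrusted input, prefer the defusedxml package
from urllib.parse import urlencode, urlparse, parse_qs

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed values for a hypothetical SP and IdP; not JumpCloud's real endpoints.
REGISTERED = {"https://sp.example.com/saml/metadata": "https://sp.example.com/saml/acs"}
IDP_SSO_URL = "https://idp.example.com/saml2/sp-example"


def sp_build_redirect(acs_url, relay_state="/dashboard"):
    """SP side: wrap an AuthnRequest in the HTTP-Redirect binding (raw DEFLATE + base64)."""
    xml = (f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
           f'ID="_constructed1" Version="2.0" IssueInstant="2019-07-03T16:02:00Z" '
           f'Destination="{IDP_SSO_URL}" AssertionConsumerServiceURL="{acs_url}">'
           f'<saml:Issuer>https://sp.example.com/saml/metadata</saml:Issuer>'
           f'</samlp:AuthnRequest>')
    deflater = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15 = raw DEFLATE, no zlib header
    raw = deflater.compress(xml.encode()) + deflater.flush()
    query = urlencode({"SAMLRequest": base64.b64encode(raw).decode(), "RelayState": relay_state})
    return f"{IDP_SSO_URL}?{query}"


def idp_check_request(redirect_url):
    """IdP side: decode the request and compare it with the registered connector."""
    params = parse_qs(urlparse(redirect_url).query)
    raw = base64.b64decode(params["SAMLRequest"][0])
    root = ET.fromstring(zlib.decompress(raw, -15))
    issuer = root.findtext(f"{{{SAML}}}Issuer", default="").strip()
    acs = root.get("AssertionConsumerServiceURL")
    if issuer not in REGISTERED:
        return issuer, acs, "reject: unknown SP entity ID"
    # The assertion must only ever be sent to the ACS URL configured for this SP.
    if acs is not None and acs != REGISTERED[issuer]:
        return issuer, acs, "reject: ACS URL not registered for this SP"
    return issuer, acs, "ok"
```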

Last Updated: Jul 03, 2019 10:02AM MDT
