SSO with OIDC

Use JumpCloud OpenID Connect (OIDC) Single Sign On (SSO) to give your users secure and convenient access to their OIDC-capable web applications with a single set of credentials. You can use the Custom OIDC App connector with any application that supports OIDC-based SSO. 

Preconfigured OIDC applications are not currently available in the JumpCloud catalog. For now, you must use the Custom OIDC App to configure OIDC applications. You need in-depth knowledge of the Relying Party’s (RP) OIDC capabilities and requirements to use the OIDC connector. 

 Prerequisites

• The RP application must support a grant type of authorization code.
• You must know the Redirect URI for the application you want to configure with OIDC.
• You must know the Login URL that the RP uses to start the login flow.
• Determine if the app you are configuring can protect a client secret or if it uses a public client.
• Determine any needed claims/attributes that the relying parting wants.

Configure the OIDC Connector for SSO

To find and configure the connector in JumpCloud

1. Log in to the JumpCloud Admin Portal.
2. Go to USER AUTHENTICATION > SSO Applications.
3. Click + Add New Application. There are two options:
   • Type OIDC in the Search field and select it from the dropdown.
     • Click Next.
   • Select Custom Application.
     • Click Next.
     • Select Manage Single Sign-On and then Configure SSO with OIDC
     • Click Next.

4. In the Display Label, type your name for the application. Optionally, you can enter a Description, adjust the User Portal Image and choose to hide or Show in User Portal.

5. Click Next and then Configure Application.
6. In the SSO tab, the following window will appear.

7. In Endpoint Configuration:
   1. Grant Types:
      • Authorization Code is checked by default and cannot be deselected.
      • Refresh Token can be checked at a later time if you wish to refresh your connector’s token.
   2. Enter one or multiple Redirect URIs with the value(s) supplied by the RP.
   3. Select the appropriate Client Authentication Type:
      • Client Secret POST
      • Client Secret Basic
      • Public (None PKCE)

8. Enter the Login URL with the value supplied by the RP.
9. In Attribute Mapping (optional):
   • Add a Standard Scope by selecting Email or Profile.
   • Add User and Constant attributes by clicking Add Attribute.
   • Select include group attribute for claims/attributes that are required for your individual OIDC SSO needs. For more information about claims, see OIDC Attributes (Claims).

10. Under User Consent, Automatically consent is selected by default and cannot be deselected.
11. Click activate.
12. If the client is not a public client, then a window will display the client secret.

13. Click Got It.

To configure the RP

1. Enter the following information to the RP:
   • The application’s OIDC client ID.
   • If the client is not public, the application’s OIDC client secret.
   • JumpCloud’s OIDC well-known config: https://oauth.id.jumpcloud.com/.well-known/openid-configuration

JumpCloud Well-Known OpenID Configuration

• https://oauth.id.jumpcloud.com/.well-known/openid-configuration
• https://oauth.id.jumpcloud.com/.well-known/jwks.json

JumpCloud OpenID Auth Endpoint

• https://oauth.id.jumpcloud.com/oauth2/auth

JumpCloud OpenID Issuer Endpoint

• https://oauth.id.jumpcloud.com/

JumpCloud OpenID Token Endpoint

• https://oauth.id.jumpcloud.com/oauth2/token

JumpCloud OpenID User Info Endpoint

• https://oauth.id.jumpcloud.com/userinfo