Skip to main content

Tutorial: How to Configure SAML with JumpCloud

Abstract

This is a step-by-step guide for configuring SAML on Access Server with JumpCloud.

Overview

Access Server supports authentication using SAML with JumpCloud as the identity provider. You can configure this in JumpCloud with Access Server as your service provider.

The following steps walk you through enabling SAML authentication for users and groups from JumpCloud to Access Server.

Prerequisites

You need the following to get started:

Important

We recommend using all lowercase usernames when signing in with SAML.

Step 1: Create the JumpCloud SAML application

With JumpCloud, you must create a custom SAML application.

Now that you have your SP information, you can create a new JumpCloud SAML app and enter that information during app creation:

  1. Sign in to your JumpCloud admin portal.

  2. Under User Authentication, click SSO.

  3. Click + to add a new SSO app.

  4. Click Custom SAML App.

  5. Provide a Display Label and optional application information and click the SSO tab.

  6. Use the SP information from Access Server to enter the following into the JumpCloud app:

    1. IdP Entity ID: Enter the JumpCloud URL, https://console.jumpcloud.com.

    2. SP Entity ID: Enter the Access Server SP Identity.

    3. ACS URL: Enter the Access Server SP ACS.

    4. SAMLSubject NameID: Select email.

    5. SAMLSubject NameID Format: Select urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified.

    6. Signature Algorithm: Select RSA-SHA256.

    7. Default RelayState: Enter 'cws' for the Client Web UI or 'profile' to provide users with a downloadable profile. (See "How to set up IdP-initiated flow" below for more details.)

    8. Check the box for Declare Redirect Endpoint.

    9. IdP URL should be https://sso.jumpcloud.com/saml2/saml2.

  7. Click the User Groups tab and assign user groups to the SSO app.

  8. Click activate.

Option 1: Download the JumpCloud metadata file for automatic configuration

  1. With your new app, click the SSO tab.

  2. Under JumpCloud Metadata, click Export Metadata.

Option 2: Copy the JumpCloud SAML data for manual configuration

  1. With your new app, click the SSO tab.

  2. Copy the contents in IdP Entity ID, IDP URL, and click IDP Certificate Valid to download the certificate in PEM format.

Step 2: Configure JumpCloud SAML data with Access Server

The simplest way to set up JumpCloud SAML for Access Server is to provide the metadata XML file (option 1), but you can also manually configure it (option 2).

Option 1: Upload the JumpCloud metadata file in the Admin Web UI

Provide the downloaded metadata XML file to your Access Server through the Admin Web UI to automatically configure SAML:

  1. Sign in to the Admin Web UI.

  2. Click Authentication.

  3. Click the SAML tab.

  4. Set Enable SAML authentication to Enabled.

  5. Under Configure Identity Provider (IdP), click Configure using metadata URL/file.

    • The Configure using metadata modal displays.

  6. Click Click to upload to select your XML file or drag and drop it into the modal window.

    • The Identity Provider data populates the corresponding fields.

  7. Click Save and Restart.

Option 2: Manually configure JumpCloud SAML

  1. Sign in to the Admin Web UI.

  2. Click Authentication.

  3. Click the SAML tab.

  4. Set Enable SAML authentication to Enabled.

  5. Under Configure Identity Provider (IdP), manually enter the JumpCloud configuration data into the appropriate fields:

    • Paste the JumpCloud IdP Entity ID into Access Server’s IdP Entity ID.

    • Paste the JumpCloud IdP URL into Access Server’s SSO (Single Sign-On) Endpoint.

    • Paste the JumpCloud certificate.pem into Access Server’s Certificate (PEM format).

  6. Click Save and Restart.

Step 3: Assign SAML as user authentication

You can now enable SAML as the global default authentication or for specific groups and users.Tutorial: SAML user groups

Optional: How to set up IdP-initiated flow

You can configure an IdP-initiated flow for signing into Access Server from JumpCloud with the following steps:

  1. Sign in to the JumpCloud admin portal.

  2. Click SSO, and click your custom SAML app.

  3. Click the SSO tab and scroll down to the Default RelayState field.

  4. Enter one of the following for Default RelayState:

    1. cws: This directs your users to the Client Web UI after sign-in.

    2. profile: This directs your users to a profile download after sign-in.

  5. Save changes.

Your users can now sign in to JumpCloud and find the Access Server SAML application under My Apps.

Optional: Map SAML group access control

You can automate group assignments for access control rules using a post-authentication Python script.

Refer to the steps in this tutorial:

In this section: