
Tutorial: How to Configure SAML with JumpCloud

Abstract

This is a step-by-step guide for configuring SAML on Access Server with Okta.

Overview

Access Server 2.11 and newer supports authentication using SAML with JumpCloud as the identity provider. You can configure this in JumpCloud with Access Server as your service provider.

The following steps walk you through enabling SAML authentication for users and groups from JumpCloud to Access Server.

You need the following to get started:

Important

We recommend using all lowercase usernames when signing in with SAML.

With JumpCloud, you must create a custom SAML application.

Now that you have your SP information, you can create a new JumpCloud SAML app and enter that information during app creation:

  1. Sign in to your JumpCloud admin portal.

  2. Under User Authentication, click SSO.

  3. Click + to add a new SSO app.

  4. Click Custom SAML App.

  5. Provide a Display Label and optional application information and click the SSO tab.

  6. Use the SP information from Access Server to enter the following into the JumpCloud app:

    1. IdP Entity ID: Enter the JumpCloud URL, https://console.jumpcloud.com.

    2. SP Entity ID: Enter the Access Server SP Identity.

    3. ACS URL: Enter the Access Server SP ACS.

    4. SAMLSubject NameID: Select email.

    5. SAMLSubject NameID Format: Select urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified.

    6. Signature Algorithm: Select RSA-SHA256.

    7. Default RelayState: Enter 'cws' for the Client Web UI or 'profile' to provide users with a downloadable profile. (See "How to set up IdP-initiated flow" below for more details.)

    8. Check the box for Declare Redirect Endpoint.

    9. IdP URL should be https://sso.jumpcloud.com/saml2/saml2.

  7. Click the User Groups tab and assign user groups to the SSO app.

  8. Click Activate.

Option 1: Download the JumpCloud metadata file for automatic configuration

  1. With your new app, click the SSO tab.

  2. Under JumpCloud Metadata, click Export Metadata.

Option 2: Copy the JumpCloud SAML data for manual configuration

  1. With your new app, click the SSO tab.

  2. Copy the contents of IdP Entity ID and IDP URL, and click IDP Certificate Valid to download the certificate in PEM format.

The simplest way to set up JumpCloud SAML for Access Server is to provide the metadata XML file (option 1), but you can also manually configure it (option 2).

Option 1: Upload the JumpCloud metadata file in the Admin Web UI

Provide the downloaded metadata XML file to your Access Server through the Admin Web UI to automatically configure SAML:

  1. Sign in to your Access Server Admin Web UI.

  2. Click Authentication > SAML.

  3. Click Configure Identity Provider (IdP) Automatically via Metadata to expand the section.

  4. Click Choose File for Select IdP Metadata File.

  5. Select your JumpCloud metadata XML file, click Upload, and click Update Running Server.

    • The IdP fields are now populated under Configure Identity Provider (IdP) Manually.

Option 2: Manually configure JumpCloud SAML

  1. Sign in to your Access Server Admin Web UI.

  2. Click Authentication > SAML.

  3. Click Configure Identity Provider (IdP) Manually to expand the section.

  4. Paste the following from JumpCloud to the Access Server fields:

    1. Paste the JumpCloud IDP URL into Access Server’s Sign On Endpoint.

    2. Paste the JumpCloud IdP Entity ID into Access Server’s IdP EntityId.

    3. Paste the JumpCloud certificate.pem into Access Server’s Certificate (PEM format).

    • The IdP fields are saved.
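As an added cross-check between the two options (example code written for this page, not code from the tutorial, Access Server or JumpCloud), the following Python parses an IdP metadata file and pulls out the three values Option 2 has you paste by hand, flagging a metadata export that lacks the redirect endpoint, the unspecified NameID format or a signing certificate. The metadata shown is a constructed sample shaped like a JumpCloud export, with a placeholder string in place of a real certificate.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
UNSPECIFIED = "urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified"

# Constructed sample shaped like a JumpCloud metadata export; the
# certificate body is a placeholder string, not a real certificate.
SAMPLE_METADATA = """<md:EntityDescriptor
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://console.jumpcloud.com">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>PLACEHOLDER-CERT-BASE64</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://sso.jumpcloud.com/saml2/saml2"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def parse_idp_metadata(xml_text):
    """Extract the values the manual form needs; also return a list of
    problems (empty means the file matches what the tutorial expects)."""
    root = ET.fromstring(xml_text)
    problems = []
    entity_id = root.get("entityID")
    if entity_id != "https://console.jumpcloud.com":
        problems.append("unexpected IdP Entity ID: %r" % entity_id)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        return None, ["no IDPSSODescriptor element"]
    # The Sign On Endpoint is the HTTP-Redirect SSO location, which is
    # why the tutorial has you tick "Declare Redirect Endpoint".
    sso = [s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)
           if s.get("Binding") == REDIRECT]
    if not sso:
        problems.append("no HTTP-Redirect SingleSignOnService declared")
    if UNSPECIFIED not in [n.text for n in idp.findall("md:NameIDFormat", NS)]:
        problems.append("NameID format 'unspecified' not advertised")
    certs = [c.text.strip() for kd in idp.findall("md:KeyDescriptor", NS)
             if kd.get("use", "signing") == "signing"
             for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)]
    if not certs:
        problems.append("no signing certificate in metadata")
    return {"entity_id": entity_id, "sign_on_endpoint": sso[0] if sso else None,
            "certificate": certs[0] if certs else None}, problems
```

Run it against the metadata file you exported in Option 1; the returned entity ID, endpoint and certificate are exactly what you would paste into IdP EntityId, Sign On Endpoint and Certificate (PEM format) in Option 2.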

You can configure an IdP-initiated flow for signing into Access Server from JumpCloud with the following steps:

  1. Sign in to the JumpCloud admin portal.

  2. Click SSO, and click your custom SAML app.

  3. Click the SSO tab and scroll down to the Default RelayState field.

  4. Enter one of the following for Default RelayState:

    1. cws: This directs your users to the Client Web UI after sign-in.

    2. profile: This directs your users to a profile download after sign-in.

  5. Save changes.

Your users can now sign in to JumpCloud and find the Access Server SAML application under My Apps.