How to configure SAML with JumpCloud

Introduction

OpenVPN Access Server 2.11 and newer supports authentication using SAML with JumpCloud as the identity provider. You can configure this in JumpCloud with Access Server as your service provider.

The following steps walk you through how to enable SAML authentication for users and groups from JumpCloud to Access Server.

Before you begin

You need the following to get started:

Note: We recommend using all lowercase usernames when logging in with SAML.

Step 1: Create the JumpCloud SAML application

With JumpCloud, you must create a custom SAML application.

First, gather information about your Access Server as the service provider (SP).

  1. Sign in to your Access Server Admin Web UI.
  2. Click Authentication > SAML.
  3. You’ll need the following information:
    1. SP Identity.
    2. SP ACS.

Now that you have your SP information, you can create a new JumpCloud SAML app and enter that information during app creation:

  1. Sign in to your JumpCloud admin portal.
  2. Under User Authentication click SSO.
  3. Click + to add a new SSO app.
  4. Click Custom SAML App.
  5. Provide a Display Label and optional application information and click the SSO tab.
  6. Use the SP information from Access Server to enter the following into the JumpCloud app:
    1. IdP Entity ID: Enter the JumpCloud URL, https://console.jumpcloud.com.
    2. SP Entity ID: Enter the Access Server SP Identity.
    3. ACS URL: Enter the Access Server SP ACS.
    4. SAMLSubject NameID: Select email.
    5. SAMLSubject NameID Format: Select urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified.
    6. Signature Algorithm: Select RSA-SHA256.
    7. Default RelayState: Enter ‘cws’ for the Client Web UI or ‘profile’ to provide users with a downloadable profile. (For more details, refer to “How to set up IdP-initiated flow” below.)
    8. Check the box for Declare Redirect Endpoint.
    9. IDP URL should be https://sso.jumpcloud.com/saml2/saml2.
  7. Click the User Groups tab and assign user groups to the SSO app.
  8. Click Activate.

To download the JumpCloud metadata file for automatic configuration (option 1):

  1. With your new app, click the SSO tab.
  2. Under JumpCloud Metadata, click Export Metadata.

To copy the JumpCloud SAML data for manual configuration (option 2):

  1. With your new app, click the SSO tab.
  2. Copy the IdP Entity ID and IDP URL values, and click IDP Certificate Valid to download the certificate in PEM format.

Step 2: Configure JumpCloud SAML data with Access Server

The simplest way to set up JumpCloud SAML for Access Server is by providing the metadata XML file (option 1), but you can also manually configure (option 2).

To upload the JumpCloud metadata file in the Admin Web UI (option 1):

Provide the downloaded metadata XML file to your Access Server through the Admin Web UI to automatically configure SAML:

  1. Sign in to your Access Server Admin Web UI.
  2. Click Authentication > SAML.
  3. Click Configure Identity Provider (IdP) Automatically via Metadata to expand the section.
  4. Click Choose File for Select IdP Metadata File.
  5. Select your JumpCloud metadata XML file and click Upload, then Update Running Server.
  6. The IdP fields are now populated under Configure Identity Provider (IdP) Manually.

To manually configure JumpCloud SAML (option 2):

  1. Sign in to your Access Server Admin Web UI.
  2. Click Authentication > SAML.
  3. Click Configure Identity Provider (IdP) Manually to expand the section.
  4. Paste the following from JumpCloud to the Access Server fields:
    1. Paste the JumpCloud IDP URL into Access Server’s Sign On Endpoint.
    2. Paste the JumpCloud IdP Entity ID into Access Server’s IdP EntityId.
    3. Paste the JumpCloud certificate.pem into Access Server’s Certificate (PEM format).
  5. Click Save, then Update Running Server.
  6. The IdP fields are now saved.
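The metadata export (option 1) and the three manually copied values (option 2) carry the same information: the IdP entityID, the sign-on endpoint, and the IdP signing certificate. The script below is an added example for this guide, not code from OpenVPN or JumpCloud. It pulls those three values out of a SAML IdP metadata file and wraps the certificate as PEM, which lets you inspect an export before uploading it or fill in the manual fields from it. The embedded XML is a constructed sample shaped like a JumpCloud export with a placeholder certificate body (not a real key), and the preference for the HTTP-Redirect sign-on binding is an assumption based on the Declare Redirect Endpoint step in Step 1.

```python
"""Extract Access Server's manual IdP fields (IdP EntityId, Sign On Endpoint,
Certificate in PEM format) from a SAML IdP metadata XML file.

Added example for this guide, not OpenVPN's or JumpCloud's code.
"""
import base64
import textwrap
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
REDIRECT_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed sample in the shape of a JumpCloud "Export Metadata" file.
# The X509Certificate body is a placeholder (base64 of arbitrary DER-looking
# bytes), not a real JumpCloud certificate.
SAMPLE_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://console.jumpcloud.com">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>MIIBAAECAwQFBgcICQ==</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sso.jumpcloud.com/saml2/saml2"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://sso.jumpcloud.com/saml2/saml2"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def to_pem(cert_b64: str) -> str:
    """Wrap the bare base64 DER from <ds:X509Certificate> as PEM, after
    checking that it decodes and starts with a DER SEQUENCE tag (0x30)."""
    der = base64.b64decode(cert_b64, validate=True)
    if not der or der[0] != 0x30:
        raise ValueError("X509Certificate is not DER (no leading SEQUENCE)")
    body = "\n".join(textwrap.wrap(base64.b64encode(der).decode("ascii"), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def extract_idp_config(metadata_xml: str) -> dict:
    """Return the three values the Configure Identity Provider (IdP) Manually
    form asks for, or raise ValueError if the metadata is not usable."""
    root = ET.fromstring(metadata_xml)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("root element is not a SAML EntityDescriptor")
    entity_id = root.get("entityID")
    if not entity_id:
        raise ValueError("entityID attribute missing")

    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is SP metadata, not IdP metadata")

    # Assumption: prefer the HTTP-Redirect endpoint (the guide's "Declare
    # Redirect Endpoint" step); fall back to whatever binding is offered.
    services = idp.findall("md:SingleSignOnService", NS)
    redirect = [s for s in services if s.get("Binding") == REDIRECT_BINDING]
    chosen = redirect or services
    if not chosen or not chosen[0].get("Location"):
        raise ValueError("no SingleSignOnService endpoint in metadata")

    # A KeyDescriptor with no 'use' attribute is valid for signing as well.
    cert_b64 = None
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use") in (None, "signing"):
            node = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
            if node is not None and node.text:
                cert_b64 = "".join(node.text.split())  # strip line wrapping
                break
    if cert_b64 is None:
        raise ValueError("no signing certificate in metadata")

    return {
        "idp_entity_id": entity_id,
        "sign_on_endpoint": chosen[0].get("Location"),
        "certificate_pem": to_pem(cert_b64),
    }


if __name__ == "__main__":
    import sys
    xml_text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_METADATA
    for key, value in extract_idp_config(xml_text).items():
        print(f"{key}:\n{value}\n")
```

Run it with the path of the exported metadata file as the first argument; with no argument it runs against the constructed sample. The three printed values map one-to-one onto the manual fields: IdP EntityId, Sign On Endpoint, and Certificate (PEM format). A ValueError on the SP-only or certificate checks means the file is not an IdP metadata export and should not be uploaded.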

Step 3: Assign SAML as user authentication

Once you’ve provided the SAML configuration for JumpCloud, you can enable it for users.

  1. Sign in to the Admin Web UI.
  2. Click Authentication > SAML.
  3. Click the toggle to turn on Enable SAML authentication, then click Save Settings and Update Running Server.
  4. You can now enable SAML as the global default authentication or for specific groups and users.

How to set up IdP-initiated flow (optional)

You can configure an IdP-initiated flow for signing into Access Server from JumpCloud with the following steps:

  1. Sign in to the JumpCloud admin portal.
  2. Click SSO, and click your custom SAML app.
  3. Click the SSO tab and scroll down to the Default RelayState field.
  4. Enter one of the following for Default RelayState:
    1. cws: This directs your users to the Client Web UI after sign-in.
    2. profile: This directs your users to a profile download after sign-in.
  5. Save changes.

Your users can now sign in to JumpCloud and find the Access Server SAML application under My Apps.