This article describes how to configure JumpCloud as your workplace's single sign-on identity provider (IdP). This process involves making modifications to your JumpCloud environment and your digital workplace. Once complete, users of your digital workplace will be able to sign in to it using their JumpCloud credentials.
To follow this process, you must be able to add applications to your JumpCloud environment and be a workplace administrator in your digital workplace.
Sections in this article:
- Configuring a JumpCloud single sign-on application
- Configuring your digital workplace's single sign-on
Configuring a JumpCloud single sign-on application
Follow these steps to configure a SAML app in your JumpCloud environment:
- Log into your JumpCloud Administrator Console.
- Select Applications from the navigation menu.
- Select + to add a new application.
- In the Configure Application window, search for Igloo and then select the Configure button next to it.
- Igloo does not currently provide XML metadata, so you must fill in the following fields manually:
- Display Label: Enter a descriptive name for this application.
- IDP Entity ID: Leave the default value.
- SP ENTITY ID: Modify and enter the following URL: https://[digital workplace URL].com/saml.digest
- ACS URL: Modify and enter the following URL: https://[digital workplace URL].com/saml.digest
- IDP URL: Leave the default value, unless another application in your JumpCloud environment already uses this URL; in that case, enter a new, unique value of your choice. Note this value, as you will need it when configuring your digital workplace.
- Select Activate to continue setting up the application. It should now appear in the list of Applications.
- Select this application's entry from the list of applications to view its details.
- While viewing the application, select IDP Certificate Valid and then select Download certificate to save a copy of the certificate to your device.
Configuring your digital workplace's single sign-on
- Go to your digital workplace and sign in.
- Select Control Panel.
- Under Membership, select Sign In Settings.
- Select Configure SAML Authentication.
- Configure the settings as described in the Configuration settings table below.
- Select Save.
Setting | Description |
---|---|
Connection Name | Enter a name for this connection. If Sign in Settings is set to Use SAML button on "Sign in" screen, this name is displayed on the button. |
IdP Login URL | Copy and paste the IDP URL from the JumpCloud application you configured above into this field. |
IdP Logout URL | Leave this field empty. |
Logout Response and Request HTTP Type | Select POST. |
Logout Final Redirect URL | Enter the URL users are sent to when they log out. If left blank, users are redirected to your digital workplace's homepage. |
Binding Type | Select POST. |
Public Certificate | Open the certificate file you downloaded from JumpCloud in a text editor and paste its full contents into this field. |
Identity Provider | Select Other. |
Identifier Type | Select Email Address. |
Identifier Path | Enter |
Session Index Path | Enter |
Email Path | Enter |
First Name Path | Enter |
Last Name Path | Enter |
Drift Time | Enter |
User creation on Sign in | Select how your digital workplace handles users who have valid IdP credentials but are not yet members of the digital workplace. Options include: When creating new users in your digital workplace this way, they will be created with the following details: If enabled, this option does not provide any additional user syncing functionality (e.g., additional fields, group membership, deprovisioning, etc.). If your digital workplace uses the ILST to manage members, select Do not create new users when they sign in to avoid creating duplicate user accounts. |
Sign in Settings | Select how users sign in to your workplace. Options include: While setting up and testing the connection, it is convenient to temporarily select Use SAML button on "Sign in" screen and switch to Redirect all users to IdP only once you have confirmed that single sign-on is working correctly. |
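The SP Entity ID and ACS URL you entered in JumpCloud, the Drift Time, and the pasted Public Certificate together determine whether your digital workplace accepts an assertion. After the signature has been verified against that certificate, the service provider still checks the assertion's validity window (NotBefore / NotOnOrAfter, widened by the drift tolerance) and that the Audience matches its own entity ID. The following Python is an added illustration of those two checks and is not Igloo's or JumpCloud's code; the assertion fragment, the host workplace.example.com and the issuer URL are constructed for the example.

```python
"""Time-window and audience checks a SAML service provider applies to an assertion.

Added illustration for the Drift Time and SP Entity ID settings; this is not
Igloo's or JumpCloud's implementation. Signature verification against the
pasted IdP certificate is assumed to have happened before these checks run.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample (not a real JumpCloud response): an assertion issued at
# 12:00Z, valid for five minutes, addressed to a hypothetical SP entity ID that
# follows the https://<workplace>/saml.digest form used above.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example" Version="2.0" IssueInstant="2024-01-15T12:00:00Z">
  <saml:Issuer>https://idp.example.com/saml2/example</saml:Issuer>
  <saml:Conditions NotBefore="2024-01-15T12:00:00Z" NotOnOrAfter="2024-01-15T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://workplace.example.com/saml.digest</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""


def parse_saml_time(value: str) -> datetime:
    """Parse a SAML dateTime (UTC, trailing Z, optional fractional seconds)."""
    if not value.endswith("Z"):
        raise ValueError(f"SAML timestamps must be UTC with a trailing Z: {value!r}")
    body = value[:-1]
    fmt = "%Y-%m-%dT%H:%M:%S.%f" if "." in body else "%Y-%m-%dT%H:%M:%S"
    return datetime.strptime(body, fmt).replace(tzinfo=timezone.utc)


def check_conditions(assertion_xml: str, expected_audience: str,
                     now: datetime, drift_seconds: int) -> list[str]:
    """Return the list of reasons to reject the assertion (empty means accept).

    drift_seconds is the clock-skew tolerance between IdP and SP: NotBefore is
    moved earlier and NotOnOrAfter later by that amount. Every second of drift
    also widens the replay window, so keep it to a minute or two.
    """
    root = ET.fromstring(assertion_xml)
    cond = root.find("saml:Conditions", SAML_NS)
    if cond is None:
        return ["assertion has no Conditions element"]

    failures: list[str] = []
    drift = timedelta(seconds=drift_seconds)

    not_before = cond.get("NotBefore")
    if not_before is not None and now < parse_saml_time(not_before) - drift:
        failures.append(f"not yet valid: NotBefore={not_before}")

    not_on_or_after = cond.get("NotOnOrAfter")
    if not_on_or_after is not None and now >= parse_saml_time(not_on_or_after) + drift:
        failures.append(f"expired: NotOnOrAfter={not_on_or_after}")

    # The Audience must name this SP's entity ID; an assertion minted for another
    # service provider must not be accepted here even if its signature is good.
    audiences = [a.text.strip()
                 for a in cond.findall("saml:AudienceRestriction/saml:Audience", SAML_NS)
                 if a.text]
    if audiences and expected_audience not in audiences:
        failures.append(f"audience mismatch: {audiences} does not include {expected_audience}")

    return failures


if __name__ == "__main__":
    audience = "https://workplace.example.com/saml.digest"
    cases = [
        ("inside window, no drift", "2024-01-15T12:02:00Z", 0),
        ("90 s early, 60 s drift", "2024-01-15T11:58:30Z", 60),
        ("90 s early, 120 s drift", "2024-01-15T11:58:30Z", 120),
        ("at expiry, no drift", "2024-01-15T12:05:00Z", 0),
    ]
    for label, now, drift in cases:
        result = check_conditions(SAMPLE_ASSERTION, audience, parse_saml_time(now), drift)
        print(f"{label}: {'accept' if not result else result}")
```

Run it to see how the same assertion flips between accept and reject as the drift tolerance changes: a clock that is 90 seconds fast is rejected at 60 seconds of drift and accepted at 120. If sign-ins fail with "not yet valid" or "expired" style errors, fix the clock on the affected side rather than raising Drift Time far beyond the skew you actually observe.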