SAML Configuration Notes

Use JumpCloud SAML Single Sign On (SSO) to give your users convenient but secure access to all their web applications with a single set of credentials. When you connect a SAML SSO application to JumpCloud, review the following notes before and after you configure an SSO connector.

Pre Configuration

Unsupported Web Browsers

  • JumpCloud SAML SSO doesn’t support Internet Explorer 8, 9, and 10. 

Customizing Display Options

  • You can customize application display options. You can use the default service provider logo, use the Color Indicator, or upload a custom logo. Learn how to customize display options.

Using Certificates

  • A public certificate and private key pair are required to successfully connect applications with JumpCloud. After you activate an application, we automatically generate a public certificate and private key pair for you. You can use this pair or upload your own.
  • JumpCloud SAML SSO connectors support SHA-256 certificates by default. JumpCloud also supports SHA-1 certificates, but we recommend using SHA-256 for stronger security whenever the service provider supports it.

Exporting JumpCloud Metadata

  • When you configure SAML applications, you have two options to export JumpCloud metadata and upload it to the service provider.
    • Export a JumpCloud metadata file.
      • From Applications, select the option next to the application name, click export metadata in the top right corner, save the file, then upload the metadata file to the service provider.
      • From the Application’s Details Panel, select the SSO tab, then click Export Metadata under JumpCloud Metadata.
    • Copy the Metadata URL.
      • From the Application’s Details Panel, select the SSO tab, then click Copy Metadata URL. This will copy the URL to the clipboard.
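
To confirm whether the certificate in an exported metadata file was signed with SHA-256 or SHA-1 before uploading it to a service provider, the following added example (not JumpCloud code) reads the metadata XML and reports each certificate's signature algorithm. It assumes the export follows the standard SAML 2.0 metadata schema; the function names and the sample_metadata input are constructed for illustration.

```python
import base64
import xml.etree.ElementTree as ET

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
DS = "{http://www.w3.org/2000/09/xmldsig#}"
# DER-encoded OID bytes (hex) of the two RSA certificate signature algorithms
SIG_OIDS = {
    "2a864886f70d010105": "sha1WithRSAEncryption",
    "2a864886f70d01010b": "sha256WithRSAEncryption",
}

def read_tlv(buf, pos):
    """Return (value_start, value_end) of the DER element that begins at pos."""
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:          # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return pos, pos + length

def cert_sig_algorithm(der):
    """Name of the algorithm the certificate itself was signed with."""
    cert_start, _ = read_tlv(der, 0)            # outer Certificate SEQUENCE
    _, tbs_end = read_tlv(der, cert_start)      # step over tbsCertificate
    alg_start, _ = read_tlv(der, tbs_end)       # signatureAlgorithm SEQUENCE
    oid_start, oid_end = read_tlv(der, alg_start)
    oid = der[oid_start:oid_end].hex()
    return SIG_OIDS.get(oid, "unrecognized OID " + oid)

def audit_metadata(xml_text):
    """List (KeyDescriptor use, signature algorithm) for each certificate found."""
    found = []
    for kd in ET.fromstring(xml_text).iter(MD + "KeyDescriptor"):
        for node in kd.iter(DS + "X509Certificate"):
            der = base64.b64decode("".join(node.text.split()))
            found.append((kd.get("use", "unspecified"), cert_sig_algorithm(der)))
    return found

def sample_metadata(oid_hex):
    """Constructed sample: SAML metadata around a DER skeleton, not a real certificate."""
    tlv = lambda tag, body: bytes([tag, len(body)]) + body   # short-form lengths only
    alg = tlv(0x30, tlv(0x06, bytes.fromhex(oid_hex)) + tlv(0x05, b""))
    cert = tlv(0x30, tlv(0x30, b"\x02\x01\x01") + alg + tlv(0x03, b"\x00"))
    b64 = base64.b64encode(cert).decode()
    return ('<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" '
            'xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="example-idp">'
            '<IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
            '<KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>'
            + b64 + '</ds:X509Certificate></ds:X509Data></ds:KeyInfo></KeyDescriptor>'
            '</IDPSSODescriptor></EntityDescriptor>')
```

To check a real export, pass the contents of the saved metadata file to audit_metadata; any entry other than sha256WithRSAEncryption is worth reviewing against what the service provider supports.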

Configuring Attributes

  • Though they aren’t required, you can add supplemental user, constant, and group attributes in the SAML 2.0 Connector and in pre-built connectors that may be used to support functionality like provisioning. Make sure the attributes are supported by the service provider.

Connecting Applications

Post Configuration

Troubleshooting

Authorizing Users

  • Users are implicitly denied access to applications. After you connect an application to JumpCloud, you must authorize user access to that application. See Authorize Users to an SSO App.

Provisioning Users

  • You can use Just-In-Time provisioning with the SAML 2.0 Connector and some of our pre-built connectors. This reduces the steps in provisioning users to SAML applications.

Managing User Portal Session Duration

  • You can configure the User Portal Session Duration for your organization. This affects how often users have to log in to their User Portal and applications.

Deleting or Deactivating a SAML SSO Application

  • Deactivate a SAML SSO application and temporarily suspend user access to an application.
  • Delete a SAML SSO application and permanently remove it from the User Portal and Admin Portal.

Using Conditional Access Policies with Applications

  • Add an extra layer of security when users access applications. You can restrict or deny access based on conditions that you set. For example, after a user logs in to the User Portal, require Multi-factor Authentication when they access certain applications or deny access when they access an application from an unapproved network. Learn more in Get Started: Conditional Access Policies.