Use JumpCloud SAML Single Sign On (SSO) to give your users convenient but secure access to all their web applications with a single set of credentials.
This article explains the connector fields you may come across in the General Info and SSO tabs when you configure SAML applications in JumpCloud.
General Info
Required
- Display Label – this value is shown next to the application’s icon on the Configured Applications page in the JumpCloud Admin Portal. Additionally, it appears underneath the application icon in the JumpCloud User Portal.
Optional
- Description – this field lets you share information in the User Portal about users’ applications. When applications have a description, they will display a details link in the User Portal.
- Display Option – allows you to adjust the logo or color shown for the application in both the Admin and User portals. Learn how to customize display options.
SSO Application Connector Fields
Fields marked with a (*) are required to configure the SAML 2.0 connector. See SSO using Custom SAML Application Connectors.
These fields may vary depending on the application.
JumpCloud Metadata
SAML metadata is an XML document which contains information necessary for interaction with SAML-enabled identity or service providers. The document contains; URLs of endpoints, information about supported bindings, identifiers and public keys. JumpCloud provides two options for transferring metadata to the SP.
- Export Metadata – exports JumpCloud’s XML metadata file. By default, this is downloaded to your local Downloads folder and is named JumpCloud-<applicationname>-metadata.xml.
- Copy Metadata URL – copies JumpCloud’s metadata URL to the clipboard.
Service Provider (SP) Metadata
Uploading SP metadata will populate the connector's fields. This may vary by application.
- Upload Metadata – opens a window that allows you to navigate to and upload a SP application’s XML metadata file to populate connector fields for that application. The attributes populated by the metadata file may vary by application.
If you upload more than one metadata file per application, you’ll overwrite the attribute values applied in the previously uploaded file.
IdP Entity ID*
This is the unique, case-sensitive identifier used by JumpCloud for this SP. Most SPs require this value during the configuration in their applications.
This value must be the same in JumpCloud and the SP.
It may also be referred to as:
- Issuer
- Identifier
- Identity Provider
IdP Private Key and Certificate Pairs
Both an IdP certificate and private key pair are required to successfully connect applications with JumpCloud. This certificate and key pair are used during SAML handshakes to successfully authenticate users during an SSO login.
After you activate an application, JumpCloud automatically generates a public certificate and private key pair for you. You can use this pair or upload your own from the Application Details panel. Learn how to generate custom certificate and private key pairs.
IdP Private Key:
- Replace IdP Private Key – opens a window that allows you to navigate to and upload a a different private key.
IdP Certificate:
- Replace IdP Certificate – opens a window that allows you to navigate to and upload a different private certificate.
SP Entity ID*
This is the unique, case-sensitive identifier used by the SP. The SP will likely supply you with this value.
It may also be referred to as:
- Audience
- Entity ID
- Identifier
- Service Provider Issuer
- Audience Restriction
In the SP metadata file, the SP Entity ID is the entityID attribute value of the EntityDescriptor element.
ACS URLs *
This is the endpoint to which JumpCloud will send SAML Responses (containing Assertions). JumpCloud supports multiple ACS URLs. The SP will supply you with this value and may refer to it as:
- Destination
- Recipient
- SAML Assertion Endpoint URL
- ACS URL, Assertion Consumer Service URL
- Consume URL
In the SP metadata file, the ACS URL is the location attribute value of the AssertionConsumerService element.
SP Certificate*
This is the public certificate used by SPs for SAML Requests. If you can download the SP’s public certificate, please do so and upload it here. If you have the SP’s metadata file, it may contain the certificate in the X509 Certificate element. If so, you may copy and paste the certificate contents into a file and upload it to your JumpCloud configuration. Ensure that the SP’s certificate is Base64 encoded before you upload it.
SAMLSubject NameID*
This is the user identifier that will be sent as the SAMLSubject's NameID. By default, the SAMLSubject’s NameID is the user's email. You can change it to username, firstname, lastname, or description, but only change this value if the SP requires a NameID other than email. Use description if you need to use an alternate value for emailaddress, username, firstname, or lastname.
SAMLSubject NameID Format*
This is the format that will be sent for the SAMLSubject's NameID. Only change this value if the SP requires a specific NameID format.
Signature Algorithm*
JumpCloud SSO SAML connectors support SHA-256 certificates by default. Although JumpCloud supports SHA-1 certificates, we recommend using SHA-256 for stronger security.
Sign*
Signing a SAML authentication response or SAML authentication assertion ensures message integrity when delivered to the SP. There are three choices:
These SAML assertions options are still being worked on, but will be available soon.
- Response – this is the default setting. All SAML authentication responses from JumpCloud to the SP will be signed. The response can be validated by the SP using JumpCloud’s signing certificate (X.509 Certificate) that has been uploaded to the SSO connector.
- Assertion – the attribute statement within the response is signed. This adds another layer of security where JumpCloud will encrypt the assertion using the SP’s public certificate and sends it to the SP who will decrypt it using the private key.
- Assertion and Response – both assertions and responses are signed.
Default RelayState
Enter a value that designates the default location to which your users will be redirected after single sign-on is complete. It will be sent by JumpCloud as the RelayState either in IdP-initiated SSO or if no RelayState is received from the SP during SP-initiated flow.
The SP may supply you with this value and refer to it as:
- Target URL
- RelayState
- Target
Login URL
If this application only supports SP initiated authentication, insert the URL users need to log in to this application.
IDP URL*
The IDP URL is the location to which the SP will send SAML requests and at which a user will authenticate. Please change this value to a plaintext string unique to the SP. The value you input will serve as the end of the IDP URL.
The SP will require the IDP URL and may refer to it as:
- Identity Provider Target URL
- SSO Login URL
- Redirect URL
- Identity Provider Endpoint
Take note of the entire URL (including the portion you edited) for later use.
Sometimes the SP has an optional field for an IDP Logout URL. Use https://console.jumpcloud.com/userconsole/ to send users back to the user console after they logout.
Declare Redirect Endpoint
Select this option only if the SP requires that your IDP metadata file contains a redirect endpoint.
Attributes
User Attributes
Configure user attributes to be sent to the SP in assertions. User attributes are unique to each user. You can include attributes for standard user detail attributes or for custom attributes. For example, you can include standard attributes for users’ employee ID and department, or you can include a custom attribute for users’ application ID. Standard attributes are configured in the User Panel Details tab's User Information and Employee Information sections.
Constant Attributes
Configure any constant-value attributes to be sent to the SP in assertions. The same values will be sent for all users. For example, a constant attribute for session duration limits session times for all users of the application, or SP.
- Click add attribute to add a constant attribute. To remove an attribute, click the trash icon.
Include Group Attribute
Select to include the groups a user is a member of in SAML assertions. When this option is selected, all groups that connect the user to the application are included in assertions to that application. The Groups Attribute Name is the SP's name of the group attribute. By default, the attribute name is memberOf.
- When this option is selected, you must include a Groups Attribute Name. You will receive an error when you attempt to activate (create) or save (edit) the connector if you select this option and leave Groups Attribute Name blank.