SAML Configuration for JumpCloud

Most of the frequently asked questions are covered by:

https://support.jumpcloud.com/customer/en/portal/articles/2551066-single-sign-on-sso-with-generic-saml-2-0-connector and https://support.jumpcloud.com/customer/portal/articles/2775691

Step-By-Step Guide:

1.   Create a private key and certificate following this guide: https://support.jumpcloud.com/customer/en/portal/articles/2775691#certs

From the link above:

# openssl genrsa -out private.pem 2048
Generating RSA private key, 2048 bit long modulus
..................+++
.+++
e is 65537 (0x10001)
# openssl req -new -x509 -sha256 -key private.pem -out cert.pem -days 1095
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:
Email Address []:

Note: only the CN is required in the certificate; every other field can be left blank by entering a dot (‘.’).

[Screenshot: jc-1]

2.   Press ‘+’ on the Applications page in the JumpCloud admin console

3.   Search for ‘saml’ in the applications list and click ‘Configure’

[Screenshot: jc-3]

[Screenshot: JC-3-2]

4.   Configure the application with the following data:

          IDP ENTITY ID: any unique string. It will later be shown in the CloudGuard UI.

          IDP PRIVATE KEY: upload the private key (private.pem) generated in step 1.

          IDP CERTIFICATE: upload the certificate (cert.pem) generated in step 1.

          SP ENTITY ID: any unique string (in the Okta instructions it is set to the same value as the ACS URL).

          ACS URL: the string shown in the UI as “SAML SSO Url” (https://yourdomain.avanan.net/auth/saml/sso).

          SAML SUBJECT NAMEID: leave “email” (this is what will be sent as the user identifier).

          SIGN ASSERTION: should be checked (IMPORTANT).

          DECLARE REDIRECT ENDPOINT: should be checked (IMPORTANT).

          DISPLAY LABEL: any string.

5.   Click ‘Activate’

[Screenshot: JC-5]

6.   Export the ‘Metadata’ of the newly created application

[Screenshot: JC-6]

[Screenshot: JC-6-2]

7.   Assign users to the new application

(see https://support.jumpcloud.com/customer/en/portal/articles/2775691#groups). Alternatively, create a new group and add the needed users and the new application to it.

[Screenshot: JC-7]

8.   Upload the metadata file to CloudGuard
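Before the upload in step 8 it is worth confirming that the exported metadata actually carries the certificate from step 1 and the redirect endpoint enabled in step 4. The following is an added example, not part of this guide, JumpCloud or CloudGuard: it reads a standard SAML 2.0 IdP metadata file with Python's standard library only; the sample metadata and certificate body are constructed placeholders, and idp.example.com is an assumed URL.

```python
"""Sanity-check exported JumpCloud IdP metadata before uploading it to CloudGuard.
Added example, not part of the guide; sample data below is constructed."""
import re
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"


def pem_body(pem):
    """Base64 payload of a PEM certificate with headers and whitespace stripped."""
    lines = [ln.strip() for ln in pem.splitlines() if ln.strip() and not ln.startswith("-----")]
    return "".join(lines)


def check_idp_metadata(metadata_xml, cert_pem):
    """Return {check_name: bool} for the items CloudGuard relies on."""
    root = ET.fromstring(metadata_xml)
    idp = root.find("md:IDPSSODescriptor", NS)
    results = {"has_entity_id": bool(root.get("entityID")),
               "has_idp_descriptor": idp is not None}
    if idp is None:
        return results
    path = "md:KeyDescriptor/ds:KeyInfo/ds:X509Data/ds:X509Certificate"
    published = {re.sub(r"\s+", "", c.text or "") for c in idp.findall(path, NS)}
    # The certificate JumpCloud publishes must be the cert.pem generated in step 1.
    results["signing_cert_matches"] = pem_body(cert_pem) in published
    bindings = {s.get("Binding") for s in idp.findall("md:SingleSignOnService", NS)}
    # "Declare redirect endpoint" (step 4) should appear as an HTTP-Redirect SSO endpoint.
    results["has_redirect_endpoint"] = REDIRECT in bindings
    return results


# Constructed sample input: a placeholder certificate body (not a real X.509 cert)
# and a minimal IdP metadata document; idp.example.com is an assumed URL.
SAMPLE_CERT_PEM = ("-----BEGIN CERTIFICATE-----\nMIIBconstructedSampleBody\n"
                   "AAAA==\n-----END CERTIFICATE-----\n")
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="cloudguard-jumpcloud-idp">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
      MIIBconstructedSampleBody
      AAAA==
    </ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.com/saml2/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""
```

Run it against the real exported file and cert.pem (for example `check_idp_metadata(open("metadata.xml").read(), open("cert.pem").read())`); any False value means the JumpCloud application should be corrected before the file is uploaded.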