SAML Configuration for JumpCloud

Most of the frequently asked questions are covered by: and


Step-By-Step Guide:

1.   Create a private key and a self-signed certificate following this guide:

From the link above:

# openssl genrsa -out private.pem 2048
Generating RSA private key, 2048 bit long modulus
e is 65537 (0x10001)
# openssl req -new -x509 -sha256 -key private.pem -out cert.pem -days 1095
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:
Email Address []:

Notice: only the CN is required in the certificate; every other field can be left blank by entering a dot (‘.’). Pressing Enter accepts the bracketed default (e.g. “AU”) rather than leaving the field blank. Treat private.pem as a secret: JumpCloud uses it to sign every assertion it issues for CloudGuard, so anyone holding it can forge a login for any assigned user. Keep it out of version control and restrict its file permissions.
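The same step done non-interactively, together with the checks worth running on the key pair before uploading it. This is an added example, not part of the original guide: it assumes openssl is on PATH, uses the guide's file names, and the CN value is an arbitrary placeholder.

```shell
#!/bin/sh
# Added example (not from the JumpCloud/CloudGuard guide): step 1 without the
# interactive DN prompts, plus sanity checks on the result.
# Assumes: openssl on PATH; GNU or BSD stat. File names follow the guide.
set -eu

# Generate an unencrypted 2048-bit RSA key (the JumpCloud upload wants the
# plain PEM) and a self-signed SHA-256 certificate valid for 3 years.
# -subj supplies only the CN, the one field the guide says is required.
# umask 077 keeps the private key from ever being group/world readable:
# whoever holds it can mint valid assertions for any assigned user.
gen_idp_keypair() {
    key="$1"; cert="$2"; cn="$3"
    (umask 077 && openssl genrsa -out "$key" 2048 2>/dev/null)
    openssl req -new -x509 -sha256 -key "$key" -out "$cert" -days 1095 \
        -subj "/CN=$cn" 2>/dev/null
}

# "match" if the certificate was issued for this private key, else "mismatch".
# A mismatched pair is the classic reason the SP rejects every signed assertion.
verify_keypair() {
    kmod=$(openssl rsa -in "$1" -noout -modulus 2>/dev/null || true)
    cmod=$(openssl x509 -in "$2" -noout -modulus 2>/dev/null || true)
    if [ -n "$kmod" ] && [ "$kmod" = "$cmod" ]; then echo match; else echo mismatch; fi
}

# Signature algorithm as printed by openssl, e.g. sha256WithRSAEncryption.
cert_sig_alg() {
    openssl x509 -in "$1" -noout -text | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

# Succeeds (exit 0) if the certificate is still valid $2 days from now.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Octal permission bits of a file (GNU stat first, BSD stat as fallback).
key_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Demo run in a scratch directory; the CN is an arbitrary placeholder.
WORK=$(mktemp -d)
gen_idp_keypair "$WORK/private.pem" "$WORK/cert.pem" "jumpcloud-cloudguard-idp"
echo "key/cert pair:    $(verify_keypair "$WORK/private.pem" "$WORK/cert.pem")"
echo "signature alg:    $(cert_sig_alg "$WORK/cert.pem")"
echo "private.pem mode: $(key_mode "$WORK/private.pem")"
cert_valid_for_days "$WORK/cert.pem" 1000 && echo "valid for more than 1000 days"
echo "files left in $WORK"
```

One caveat from OpenSSL 3: `openssl genrsa` there writes the key in PKCS#8 form (“BEGIN PRIVATE KEY”) instead of the “BEGIN RSA PRIVATE KEY” form shown in the transcript above. Both are the same key; if the upload form rejects the PKCS#8 file, `openssl rsa -in private.pem -traditional -out private-rsa.pem` converts it.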



2.   Press ‘+’ on the Applications page in the JumpCloud admin console


3.   Search for the string ‘saml’ in the applications list and click ‘Configure’






4.   Configure the application with the following data:

          IDP ENTITY ID: Any unique string. It will later be shown in the CloudGuard UI

          IDP PRIVATE KEY: Upload the private key (private.pem) generated in step 1

          IDP CERTIFICATE: Upload the certificate (cert.pem) generated in step 1

          SP ENTITY ID: Any unique string (the Okta instructions set it to the same value as the ACS URL)

          ACS URL: String, shown in the CloudGuard UI as “SAML SSO Url (

          SAMLSUBJECT NAMEID: Leave “email” (this is what will be sent as the user identifier)

          SIGN ASSERTION: Must be checked (IMPORTANT). CloudGuard verifies the assertion signature against the uploaded certificate; an SP that accepted unsigned assertions would accept one forged by anyone able to post to its ACS URL

          DECLARE REDIRECT ENDPOINT: Must be checked (IMPORTANT). This makes the exported metadata advertise a SingleSignOnService endpoint with the HTTP-Redirect binding

          DISPLAY LABEL: Any string


5.   Click ‘Activate’




6.   Export ‘Metadata’ of newly created application





7.   Assign users to the new application

Alternatively, create a new group and add the needed users and the new application to it



8.   Upload metadata file to CloudGuard
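Before uploading, it is worth checking that the exported metadata really carries the certificate from step 1, the IDP ENTITY ID typed in step 4, and a SingleSignOnService endpoint with the HTTP-Redirect binding. The script below is an added example, not part of the original guide: it assumes openssl is on PATH and the standard SAML 2.0 metadata layout, and the metadata file it writes is a constructed stand-in for the JumpCloud export (the SSO URL in it is a placeholder, not a real JumpCloud endpoint).

```shell
#!/bin/sh
# Added example (not from the JumpCloud/CloudGuard guide): sanity-check an
# exported IdP metadata file against the local cert before uploading it.
# Assumes: openssl on PATH, standard SAML 2.0 metadata layout. The sample
# metadata written by make_sample_metadata is constructed for the demo; the
# SSO URL in it is a placeholder, not a real JumpCloud endpoint.
set -eu

# Base64 body of the X509Certificate element (any namespace prefix, line
# breaks and blanks stripped). If several are present, the last one is used.
metadata_cert_b64() {
    tr -d '\r\n' < "$1" |
        sed -n 's/.*<\([A-Za-z0-9]*:\)\{0,1\}X509Certificate[^>]*>\([^<]*\)<.*/\2/p' |
        tr -d ' \t'
}

# SHA-256 fingerprint of the certificate embedded in the metadata. The base64
# is re-wrapped as PEM so openssl can parse it without a base64(1) dependency.
metadata_cert_fpr() {
    {
        echo '-----BEGIN CERTIFICATE-----'
        printf '%s\n' "$(metadata_cert_b64 "$1")" | fold -w 64
        echo '-----END CERTIFICATE-----'
    } | openssl x509 -noout -fingerprint -sha256 | sed 's/.*=//'
}

# SHA-256 fingerprint of the local cert.pem from step 1.
local_cert_fpr() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/.*=//'
}

# entityID attribute of the EntityDescriptor (the IDP ENTITY ID from step 4).
metadata_entity_id() {
    tr -d '\r\n' < "$1" | sed -n 's/.*entityID="\([^"]*\)".*/\1/p'
}

# Exit 0 if a SingleSignOnService with the HTTP-Redirect binding is declared.
metadata_has_redirect_sso() {
    tr -d '\r\n' < "$1" |
        grep -q '<[A-Za-z0-9:]*SingleSignOnService[^>]*urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect'
}

# Run all three checks; one line per check, non-zero exit on any failure.
check_metadata() {
    meta="$1"; cert="$2"; want_entity="$3"; rc=0
    if [ "$(metadata_cert_fpr "$meta")" = "$(local_cert_fpr "$cert")" ]; then
        echo "signing cert:      matches $cert"
    else
        echo "signing cert:      DOES NOT MATCH $cert"; rc=1
    fi
    if [ "$(metadata_entity_id "$meta")" = "$want_entity" ]; then
        echo "entityID:          $want_entity"
    else
        echo "entityID:          got '$(metadata_entity_id "$meta")', expected '$want_entity'"; rc=1
    fi
    if metadata_has_redirect_sso "$meta"; then
        echo "redirect endpoint: declared"
    else
        echo "redirect endpoint: MISSING (re-check 'Declare redirect endpoint')"; rc=1
    fi
    return $rc
}

# Constructed stand-in for the JumpCloud export, built around a given cert:
# make_sample_metadata CERT_PEM ENTITY_ID OUT_FILE
make_sample_metadata() {
    b64=$(sed '/-----/d' "$1" | tr -d '\r\n')
    cat > "$3" <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="$2">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>$b64</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://sso.example.invalid/saml2/placeholder"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
EOF
}

# Demo: throwaway key pair, a constructed metadata file, then the checks.
WORK=$(mktemp -d)
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1095 -subj "/CN=demo-idp" \
    -keyout "$WORK/private.pem" -out "$WORK/cert.pem" 2>/dev/null
make_sample_metadata "$WORK/cert.pem" "my-jumpcloud-idp" "$WORK/metadata.xml"
check_metadata "$WORK/metadata.xml" "$WORK/cert.pem" "my-jumpcloud-idp"
```

Against a real export, call `check_metadata metadata.xml cert.pem '<the IDP ENTITY ID from step 4>'`; a certificate mismatch means the wrong cert.pem was uploaded in step 4 (or the key pair was regenerated afterwards), and a missing redirect endpoint means the “Declare redirect endpoint” box was left unchecked.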