Table of Contents:
- Step 1. Access your SAML settings in CanIPhish
- Step 2. Create an Application in JumpCloud
- Step 3. Configure SSO in CanIPhish
- Step 4. Update the JumpCloud App to support IdP-initiated SSO
- Step 5. Assign the CanIPhish Application to users or groups in JumpCloud
- Step 6. Provision a role for users in CanIPhish
- Appendix A: Additional Guidance For Common Issues
To set up SAML-based single sign-on within JumpCloud, please follow the steps below:
Step 1. Access your SAML settings in CanIPhish
1.1. Log in to your CanIPhish Cloud Platform account and traverse to the Platform Settings page.
1.2. Click on Authentication Settings > Platform Single Sign-On to show your SSO configuration.
1.3. Make a note of both the Single Sign-On URL and Audience URI values (we'll need these in the following step).
Step 2. Create an Application in JumpCloud
2.1. Log in to the JumpCloud Admin Portal.
2.2. Navigate to USER AUTHENTICATION > SSO Applications.
2.3. Click + Add New Application.
2.4. Select the "Custom Application" option.
2.5. Click Next.
2.6. Select the "Manage Single Sign-On (SSO)" option with "Configure SSO with SAML" and click Next.
2.7. Give the app a display name of your choosing (e.g. CanIPhish Cloud Platform), and optionally upload CanIPhish's logo (Rectangular Icon or Square Icon). Once complete, click Save Application, then click Configure Application.
2.8. In both the IdP Entity ID & SP Entity ID fields, enter the "Audience URI (SP Entity ID)" value copied in Step 1.3 from CanIPhish.
2.9. In the "ACS URLs" field, enter the "Single Sign-On URL" value copied in Step 1.3 from CanIPhish.
2.10. Tick the "Declare Redirect Endpoint" checkbox, then scroll down to "User Attributes" and click "add attribute".
2.11. In the "Service Provider Attribute Name" and "JumpCloud Attribute Name" enter the below:
Service Provider Attribute Name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
JumpCloud Attribute Name: email
2.12. Click Save.
Step 3. Configure SSO in CanIPhish
3.1. Before jumping back into the CanIPhish Cloud Platform, click on your newly created application, click the SSO tab and click the "Copy Metadata URL" button.
3.2. Jump back into the CanIPhish Cloud Platform and traverse to the Platform Single Sign-On section.
3.3. Under the "Configuration For CanIPhish" section, select the "Enter metadata document URL" option and then paste the URL copied earlier.
3.4. In the "SAML Attribute Mapping (Email)" field, paste the Attribute field name we configured earlier in JumpCloud. This should be: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
3.5. (Optional) Enter the email address of an existing CanIPhish user who should still be allowed to log in to CanIPhish directly using an email address and password (i.e. without SSO). We recommend adding at least 1 user so that, in the event there is an issue with the SSO config, you won't be entirely locked out of your tenant.
3.6. Click Activate SSO!
3.7. Confirm that the "SSO Status" field has changed from Inactive to Active. If there are any issues, a small popup should appear notifying you of the issue.
3.8. You will notice a new field called "SSO Relay State" has appeared under the "Configuration For The Identity Provider" section. Make a note of this value as it will be used in Step 4.
Step 4. Update the JumpCloud App to support IdP-initiated SSO
4.1. Go back into the JumpCloud application you created and open the SSO tab.
4.2. Scroll down and look for the "Default RelayState" field. Paste the "SSO Relay State" value copied in Step 3.8 into this field and then click Save.
Step 5. Assign the CanIPhish Application to users or groups in JumpCloud
5.1. There are a number of ways this can be done. The simplest is to assign it to a group of users who are meant to have access to CanIPhish. To do this, open the app in JumpCloud, traverse to the User Groups tab and select the relevant user group. Once selected, click Save.
Step 6. Provision a role for users in CanIPhish
6.1. Jump back into your CanIPhish Cloud Platform account and traverse back to the "Platform Management" page (scroll to the top of the page to see "User Management").
6.2. If there are any users to whom you've assigned the CanIPhish JumpCloud Application who don't yet have a role within your CanIPhish tenant, click on the "Add New User" button. If everyone already has a role, you can skip the remaining sub-steps.
6.3. In the respective fields, provide the user's First & Last Name, Email Address, and the Role of their account (i.e. Platform Admin, Platform User, or Platform Reporter). Once complete, click the Save button.
6.4. The user will be sent an email notification inviting them to finalize the creation of their new account and login using single sign-on. You're all done. SSO has been successfully configured!
Appendix A: Additional Guidance For Common Issues
Receiving A Generic Authentication Error From CanIPhish
Please confirm that under step 2.11 the attribute name exactly matches the SAML Attribute Mapping listed in CanIPhish. If there is a mismatch or this attribute doesn't exist, email addresses won't flow through correctly. The value should be as follows:
- http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
Once this is correct, please Deactivate the SSO configuration and then Reactivate the SSO configuration. This resets SSO accounts on our end and will allow you to login.
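As an added example that is not part of CanIPhish's or JumpCloud's documentation, the Python below parses a constructed SAML response and reports whether an Audience matches the SP Entity ID entered in Step 2.8 and whether the email attribute named in Steps 2.11 and 3.4 is present, which is the mismatch this section describes. The sample URL and email address are placeholders, and the response is unsigned; it illustrates the mapping only and is not a substitute for signature validation by the service provider.

```python
import xml.etree.ElementTree as ET

# SAML 2.0 assertion namespace (the Audience and Attribute elements live here)
NS = {"saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Attribute name configured in JumpCloud (step 2.11) and CanIPhish (step 3.4)
EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"


def check_assertion(response_xml, expected_audience, email_attr=EMAIL_CLAIM):
    """Check the two values this guide maps between JumpCloud and CanIPhish.

    Returns a dict: 'audience_ok' (an Audience equals the SP Entity ID),
    'email' (value of the mapped attribute, None if absent) and
    'attributes' (all attribute names present, to spot a mistyped name).
    """
    root = ET.fromstring(response_xml)
    audiences = {a.text.strip() for a in root.iterfind(".//saml2:Audience", NS) if a.text}
    attrs = {}
    for attr in root.iterfind(".//saml2:Attribute", NS):
        values = [v.text for v in attr.findall("saml2:AttributeValue", NS) if v.text]
        attrs[attr.get("Name")] = values[0] if values else None
    return {
        "audience_ok": expected_audience in audiences,
        "email": attrs.get(email_attr),
        "attributes": sorted(attrs),
    }


# Constructed sample: a minimal, unsigned response with placeholder values.
SAMPLE_RESPONSE = """<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml2:Assertion>
    <saml2:Conditions><saml2:AudienceRestriction>
      <saml2:Audience>https://sp.example.invalid/entity-id</saml2:Audience>
    </saml2:AudienceRestriction></saml2:Conditions>
    <saml2:AttributeStatement>
      <saml2:Attribute Name="{email_claim}">
        <saml2:AttributeValue>alice@example.invalid</saml2:AttributeValue>
      </saml2:Attribute>
    </saml2:AttributeStatement>
  </saml2:Assertion>
</saml2p:Response>"""
AUDIENCE = "https://sp.example.invalid/entity-id"  # placeholder SP Entity ID

if __name__ == "__main__":
    # Correct mapping: the email address flows through.
    print(check_assertion(SAMPLE_RESPONSE.format(email_claim=EMAIL_CLAIM), AUDIENCE))
    # Appendix A failure mode: a mistyped attribute name leaves 'email' as None.
    print(check_assertion(SAMPLE_RESPONSE.format(email_claim="email"), AUDIENCE))
```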
Receiving A RelayState Error
If you've just set up SSO or have made any changes within the JumpCloud app, please wait up to 5 minutes for the configuration to flow through JumpCloud's systems. If the issue is still occurring 5 minutes after the last configuration update was made, please contact the CanIPhish Support Team for assistance.