Table of Contents:
- Step 1. Access your SAML settings in CanIPhish
- Step 2. Create an Application in JumpCloud
- Step 3. Configure SSO in CanIPhish
- Step 4. Assign the CanIPhish Application to users or groups in JumpCloud
- Step 5. Provision a role for users in CanIPhish
- Appendix A: (Optional) Simulate an IdP-initiated flow with a JumpCloud Bookmark App
To set up SAML-based single sign-on with JumpCloud, follow the steps below:
Step 1. Access your SAML settings in CanIPhish
1.1. Log in to your CanIPhish Cloud Platform account and traverse to the Platform Settings page.
1.2. Click on Authentication Settings > Platform Single Sign-On to show your SSO configuration.
1.3. Make a note of both the Single Sign-On URL and Audience URI values (we'll need these in the following step).
Step 2. Create an Application in JumpCloud
2.1. Log in to the JumpCloud Admin Portal.
2.2. Navigate to USER AUTHENTICATION > SSO Applications.
2.3. Click + Add New Application.
2.4. Select the "Custom Application" option.
2.5. Click Next.
2.6. Select the "Manage Single Sign-On (SSO)" option with "Configure SSO with SAML" and click Next.
2.7. Give the app a display name of your choosing (e.g. CanIPhish Cloud Platform), turn off "Show in User Portal" and then click Save Application.
Note: Because CanIPhish only supports SP-initiated SSO, we recommend turning off "Show in User Portal". If you want to show an application icon to users, please see Appendix A: (Optional) Simulate an IdP-initiated flow with a JumpCloud Bookmark App.
Optional: If you want to upload an app logo, a CanIPhish logo can be downloaded here.
2.8. Click Configure Application.
2.9. In both the IdP Entity ID and SP Entity ID fields, enter the "Audience URI (SP Entity ID)" value copied earlier from CanIPhish.
2.10. In the "ACS URLs" and "Login URL" fields, enter the "Single Sign-On URL" value copied earlier from CanIPhish.
2.11. Tick the "Declare Redirect Endpoint" checkbox.
2.12. Scroll down to "User Attributes" and click "add attribute".
2.13. In the "Service Provider Attribute Name" and "JumpCloud Attribute Name" fields, enter the values below:
Service Provider Attribute Name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
JumpCloud Attribute Name: email
2.14. Click Save.
Step 3. Configure SSO in CanIPhish
3.1. Before jumping back into the CanIPhish Cloud Platform, click on your newly created application, click the SSO tab and click the "Copy Metadata URL" button.
3.2. Jump back into the CanIPhish Cloud Platform and traverse to the Platform Single Sign-On section.
3.3. Under the "Configuration For CanIPhish" section, select the "Enter metadata document URL" option and then paste the URL copied earlier.
3.4. In the "SAML Attribute Mapping (Email)" field, paste the Attribute field name we configured earlier in JumpCloud. This should be: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
3.6. (Optional) Enter the email address of an existing CanIPhish user who should still be allowed to log in to CanIPhish directly using an email address and password (i.e. without SSO). We recommend adding at least 1 user, so that if there is an issue with the SSO configuration you won't be entirely locked out of your tenant.
3.7. Click Activate SSO!
3.8. Confirm that the "SSO Status" field has changed from Inactive to Active. If there are any issues, a small popup should appear notifying you of the issue.
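As an added illustration (not part of the original guide or of CanIPhish's own code), the check below shows what the values configured in Steps 2 and 3 have to line up to: the assertion's Audience must equal the "Audience URI (SP Entity ID)", the Issuer must equal the IdP Entity ID (set to the same value in Step 2.9), and the email must arrive under the attribute name mapped in Steps 2.13 and 3.4. The entity ID URL and the email address are constructed placeholders, not real tenant values.

```python
"""Added example: sanity-check a SAML assertion against the values the guide configures."""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Attribute name entered as "Service Provider Attribute Name" in JumpCloud and as
# "SAML Attribute Mapping (Email)" in CanIPhish.
EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"

# Placeholder for the "Audience URI (SP Entity ID)" shown in CanIPhish (assumed value).
SP_ENTITY_ID = "https://sp.example.invalid/saml/metadata"

# Constructed sample assertion, reduced to the elements the checks inspect.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{NS['saml']}" ID="_constructed" Version="2.0">
  <saml:Issuer>{SP_ENTITY_ID}</saml:Issuer>
  <saml:Conditions>
    <saml:AudienceRestriction>
      <saml:Audience>{SP_ENTITY_ID}</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="{EMAIL_CLAIM}">
      <saml:AttributeValue>alice@example.invalid</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def check_assertion(xml_text: str, sp_entity_id: str, email_claim: str = EMAIL_CLAIM) -> dict:
    """Report the three things worth checking when "Activate SSO" fails or a login is rejected:
    Issuer == IdP Entity ID, Audience == SP Entity ID, and the email attribute under the mapped name.
    The guide sets both entity IDs to the same value, so one identifier serves both comparisons."""
    root = ET.fromstring(xml_text)
    issuer = root.find("saml:Issuer", NS)
    audiences = [a.text for a in root.findall(".//saml:AudienceRestriction/saml:Audience", NS)]
    email = None
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == email_claim:  # exact match: the mapping is case- and URI-sensitive
            value = attr.find("saml:AttributeValue", NS)
            email = value.text if value is not None else None
    return {
        "issuer_ok": issuer is not None and issuer.text == sp_entity_id,
        "audience_ok": sp_entity_id in audiences,
        "email_attribute_present": email is not None,
        "email": email,
    }


if __name__ == "__main__":
    print(check_assertion(SAMPLE_ASSERTION, SP_ENTITY_ID))
```

A mismatch in any of the three fields is the usual reason the "SSO Status" stays Inactive or a user is rejected after a successful JumpCloud login.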
Step 4. Assign the CanIPhish Application to users or groups in JumpCloud
4.1. There are a number of ways this can be done. The simplest is to assign it to a group of users who are meant to have access to CanIPhish. To do this, open the app in JumpCloud, traverse to the User Groups tab and simply select the relevant user group. Once selected, click Save.
Step 5. Provision a role for users in CanIPhish
5.1. Jump back into your CanIPhish Cloud Platform account and traverse back to the "Platform Management" page (scrolling to the top to see "User Management").
5.2. If there are any users who you've assigned the CanIPhish JumpCloud Application to who don't yet have a role within your CanIPhish tenant, click on the "Add New User" button. If everyone already has a role, you can skip Step 5.
5.3. In the respective fields, provide the user's First & Last Name, Email Address, and the Role of their account (i.e. Platform Admin, Platform User, or Platform Reporter). Once complete, click the Save button.
5.4. The user will be sent an email notification inviting them to finalize the creation of their new account and login using single sign-on. You're all done. SSO has been successfully configured!
Appendix A: (Optional) Simulate an IdP-initiated flow with a JumpCloud Bookmark App
2.1. Log in to the JumpCloud Admin Portal.
2.2. Navigate to USER AUTHENTICATION > SSO Applications.
2.3. Click + Add New Application.
2.4. Select the "Custom Application" option.
2.5. Click Next.
2.6. Tick "Add a bookmark (no SSO)".
2.7. Give the app a display name of your choosing (e.g. CanIPhish Cloud Platform).
2.8. Ensure "Show in User Portal" is ticked.
2.9. Paste the SSO Bookmark URL displayed in your CanIPhish SSO Configuration into the "Bookmark URL" field.
2.10. Optionally upload the CanIPhish logo (download here) or a logo of your choosing.
2.11. Validate your configuration looks similar to the below and then click Save!
2.12. Click Configuration Application and then click on the User Groups tab to assign this application to the same user group selected in Step 4.
2.13. You're all done! Users can now seamlessly log in from their JumpCloud User Portal.
Getting single sign-on set up can be complex. If you run into any issues, please don't hesitate to contact the team at CanIPhish for assistance.