Table of Contents:
- Step 1. Access your SAML settings in CanIPhish
- Step 2. Create an Application in JumpCloud
- Step 3. Configure SSO in CanIPhish
- Step 4. Update the JumpCloud App to support IdP-initiated SSO
- Step 5. Assign the CanIPhish Application to users or groups in JumpCloud
- Appendix A: Additional Guidance For Common Issues
To set up SAML-based single sign-on between JumpCloud and CanIPhish, follow the steps below:
Step 1. Access your SAML settings in CanIPhish
1.1. Log in to your CanIPhish Cloud Platform account and navigate to the Platform Settings page.
1.2. Click Authentication Settings > Learner Single Sign-On to show your SSO configuration.
1.3. Make a note of both the Single Sign-On URL and Audience URI values (you will need these in Step 2).
Step 2. Create an Application in JumpCloud
2.1. Log in to the JumpCloud Admin Portal.
2.2. Navigate to USER AUTHENTICATION > SSO Applications.
2.3. Click + Add New Application.
2.4. Select the "Custom Application" option.
2.5. Click Next.
2.6. Select the "Manage Single Sign-On (SSO)" option with "Configure SSO with SAML" and click Next.
2.7. Give the app a display name of your choosing (e.g. CanIPhish Learner Dashboard) and optionally upload CanIPhish's logo (Rectangular Icon or Square Icon). Once complete, click Save Application, then click Configure Application.
2.8. In both the IdP Entity ID and SP Entity ID fields, enter the "Audience URI (SP Entity ID)" value copied in Step 1.3 from CanIPhish.
2.9. In the "ACS URLs" field, enter the "Single Sign-On URL" value copied in Step 1.3 from CanIPhish. This is the endpoint JumpCloud will POST the SAML response to, so it must match the CanIPhish value exactly.
2.10. Tick the "Declare Redirect Endpoint" checkbox.
2.11. Scroll down to "User Attributes", click "add attribute", and enter the below in the "Service Provider Attribute Name" and "JumpCloud Attribute Name" fields. CanIPhish matches the Service Provider Attribute Name exactly, so copy it verbatim:
Service Provider Attribute Name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
JumpCloud Attribute Name: email
2.12. Leave all other options at their default selection and click Save.
Step 3. Configure SSO in CanIPhish
3.1. Before returning to the CanIPhish Cloud Platform, click on your newly created application in JumpCloud, open the SSO tab and click the "Copy Metadata URL" button.
3.2. Return to the CanIPhish Cloud Platform and navigate to Platform Settings > Authentication Settings > Learner Single Sign-On.
3.3. Under the "Configuration For CanIPhish" section, select the "Enter metadata document URL" option and paste the URL copied in Step 3.1. The metadata document carries JumpCloud's entity ID, sign-in endpoint and signing certificate, so you do not have to enter these by hand.
3.4. In the "SAML Attribute Mapping (Email)" field, enter the Service Provider Attribute Name configured in Step 2.11. This should be: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
3.5. Double-check that this value matches the JumpCloud attribute name character for character. If it does not, no email address is delivered in the SAML assertion and users will receive a generic authentication error (see Appendix A).
3.6. By default, CanIPhish sends users an access token to log in to their learner dashboard. Once SSO is configured you can choose to Allow or Prohibit this method of access. We recommend giving users the choice of their preferred access method and leaving this as Allowed. Note that while token access remains Allowed, a learner can reach the dashboard without going through JumpCloud, so any sign-in policy enforced by JumpCloud (for example MFA) does not apply to that path; set it to Prohibited if you need JumpCloud to govern every learner login.
3.7. Click Activate SSO!
3.8. Confirm that the "SSO Status" field has changed from Inactive to Active. If there are any issues, a small popup will appear describing the problem.
3.9. You will notice a new field called "SSO Relay State" under the "Configuration For The Identity Provider" section. Make a note of this value; it is used in Step 4.
Step 4. Update the JumpCloud App to support IdP-initiated SSO
4.1. Go back into the JumpCloud application you created and open the SSO tab.
4.2. Scroll down to the "Default RelayState" field, paste the "SSO Relay State" value copied in Step 3.9 into it and click Save. This value is what lets CanIPhish accept IdP-initiated logins, i.e. a user launching the app from the JumpCloud User Portal rather than starting from the CanIPhish login page.
Step 5. Assign the CanIPhish Application to users or groups in JumpCloud
5.1. There are a number of ways to do this. The simplest is to assign the app to a group of users who will receive Security Awareness Training from CanIPhish. To do this, open the app in JumpCloud, go to the User Groups tab and select the relevant user group. Once selected, click Save. Only users in the assigned groups can sign in to CanIPhish through JumpCloud, so keep the group scoped to the learners who need access.
Appendix A: Additional Guidance For Common Issues
Receiving A Generic Authentication Error From CanIPhish
Please confirm that under Step 2.11 the Service Provider Attribute Name exactly matches the SAML Attribute Mapping listed in CanIPhish. If there is a mismatch or the attribute does not exist, email addresses will not flow through in the SAML assertion and CanIPhish cannot identify the user. The value should be:
- http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
Once this is corrected, Deactivate the SSO configuration and then Reactivate it. This resets the SSO accounts on the CanIPhish side and allows you to log in.
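As an added example (not CanIPhish or JumpCloud code), the following Python script checks a SAML Response against the three values this guide has you line up: the ACS URL from Step 2.9, the Audience URI from Step 2.8 and the email attribute name from Steps 2.11 and 3.4. The URLs, the sample response and the email address in it are constructed placeholders. The script does not validate the XML signature or the time conditions, so use it only to diagnose the mismatches described above (for example on a base64-decoded response captured with a SAML browser extension), not as a substitute for the service provider's own validation.

```python
"""Check a SAML Response against the values copied out of CanIPhish.

Added example, not CanIPhish or JumpCloud code. Reports the configuration
mismatches Appendix A describes: wrong ACS URL, wrong Audience, or an email
attribute whose Name does not exactly match the SAML Attribute Mapping.
It does NOT validate the XML signature or NotBefore/NotOnOrAfter.
"""
import xml.etree.ElementTree as ET  # for untrusted input prefer defusedxml

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"

# Constructed placeholders standing in for the values copied in Step 1.3.
ACS_URL = "https://sp.example.invalid/saml/acs"
AUDIENCE = "https://sp.example.invalid/saml/metadata"


def check_response(xml_text, expected_acs=ACS_URL, expected_audience=AUDIENCE,
                   email_attr=EMAIL_CLAIM):
    """Return a list of problems found; an empty list means the response matches."""
    problems = []
    root = ET.fromstring(xml_text)
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        problems.append("StatusCode is not Success")
    if root.get("Destination") != expected_acs:
        problems.append(f"Destination {root.get('Destination')!r} != ACS URL {expected_acs!r}")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        problems.append("no Assertion element (encrypted assertions are not handled here)")
        return problems
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != expected_acs:
        problems.append("SubjectConfirmationData Recipient != ACS URL")
    audiences = [a.text for a in assertion.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if expected_audience not in audiences:
        problems.append(f"Audience {audiences} does not contain {expected_audience!r}")
    # Map attribute Name -> list of values; the Name must match byte for byte.
    attrs = {a.get("Name"): [v.text or "" for v in a.findall("saml:AttributeValue", NS)]
             for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)}
    if email_attr not in attrs:
        near = [n for n in attrs if n and n.lower() == email_attr.lower()]
        hint = (f" (found {near[0]!r}; attribute names are compared exactly)" if near
                else f" (attributes present: {sorted(n for n in attrs if n)})")
        problems.append(f"email attribute {email_attr!r} missing{hint}")
    elif not any(attrs[email_attr]):
        problems.append("email attribute present but has no value")
    return problems


def make_sample_response(acs=ACS_URL, audience=AUDIENCE, attr_name=EMAIL_CLAIM,
                         email="alice@example.invalid"):
    """Build a constructed, unsigned SAML Response for exercising the checker."""
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_r1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z" Destination="{acs}">
  <saml:Issuer>https://idp.example.invalid/saml2/idp</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>https://idp.example.invalid/saml2/idp</saml:Issuer>
    <saml:Subject>
      <saml:NameID>{email}</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="{acs}" NotOnOrAfter="2024-01-01T00:05:00Z"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2024-01-01T00:05:00Z">
      <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="{attr_name}"><saml:AttributeValue>{email}</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


if __name__ == "__main__":
    print("correct config:", check_response(make_sample_response()))
    # Attribute name typed with different casing, and the IdP's own entity ID used as Audience.
    bad = make_sample_response(audience="https://idp.example.invalid/saml2/idp",
                               attr_name=EMAIL_CLAIM.replace("emailaddress", "EmailAddress"))
    for problem in check_response(bad):
        print("-", problem)
```

The casing variant in the `__main__` block is the kind of near miss that produces the generic authentication error: the attribute is present, but its Name is not the exact string CanIPhish is configured to look for, so the checker flags it with a hint rather than silently treating it as absent.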
Receiving A RelayState Error
If you have just set up SSO or have made changes within the JumpCloud app, please wait up to 5 minutes for the configuration to propagate through JumpCloud's systems. Also confirm that the "Default RelayState" in the JumpCloud app matches the "SSO Relay State" value shown in CanIPhish (Step 3.9). If the issue persists 5 minutes after the last configuration change, please contact the CanIPhish Support Team for assistance.