Table of Contents:
- Step 1. Access your SAML settings in CanIPhish
- Step 2. Create an Application in JumpCloud
- Step 3. Configure SSO in CanIPhish
- Step 4. Assign the CanIPhish Application to users or groups in JumpCloud
- Appendix A: (Optional) Simulate an IdP-initiated flow with a JumpCloud Bookmark App
To set up SAML-based single sign-on within JumpCloud, please follow the steps below:
Step 1. Access your SAML settings in CanIPhish
1.1. Log in to your CanIPhish Cloud Platform account and traverse to the Platform Settings page.
1.2. Click on Authentication Settings > Learner Single Sign-On to show your SSO configuration.
1.3. Make a note of both the Single Sign-On URL and Audience URI values (we'll need these in the following step).
Step 2. Create an Application in JumpCloud
2.1. Log in to the JumpCloud Admin Portal.
2.2. Navigate to USER AUTHENTICATION > SSO Applications.
2.3. Click + Add New Application.
2.4. Select the "Custom Application" option:
2.5. Click Next.
2.6. Select the "Manage Single Sign-On (SSO)" option with "Configure SSO with SAML" and click Next.
2.7. Give the app a display name of your choosing (e.g. CanIPhish Cloud Platform), turn off "Show in User Portal" and then click Save Application.
Note: Because CanIPhish only supports SP-initiated SSO, we recommend turning off "Show in User Portal". If you want to show an application icon to users, please see Appendix A: (Optional) Simulate an IdP-initiated flow with a JumpCloud Bookmark App.
Optional: If you want to upload an app logo, a CanIPhish logo can be downloaded here.
2.7. Click Configure Application
2.8. In both the IdP Entity ID & SP Entity ID fields, enter the "Audience URI (SP Entity ID)" value copied earlier from CanIPhish.
2.9. In the "ACS URLs" and "Login URL" fields, enter the "Single Sign-On URL" value copied earlier from CanIPhish.
2.10. Tick the "Declare Redirect Endpoint" checkbox.
2.10. Scroll down to "User Attributes" and click "add attribute".
2.11. In the "Service Provider Attribute Name" and "JumpCloud Attribute Name" fields, enter the following:
Service Provider Attribute Name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
JumpCloud Attribute Name: email
2.12. Leave all other options as the default selection and click Save.
Step 3. Configure SSO in CanIPhish
3.1. Before jumping back into the CanIPhish Cloud Platform, click on your newly created application, click the SSO tab and click the "Copy Metadata URL" button.
3.2. Jump back into the CanIPhish Cloud Platform and traverse to the Platform Single Sign-On section.
3.3. Under the "Configuration For CanIPhish" section, select the "Enter metadata document URL" option and then paste the URL copied earlier.
3.4. In the "SAML Attribute Mapping (Email)" field, paste the Attribute field name we configured earlier in JumpCloud. This should be: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
3.6. By default, CanIPhish will send users an access token to log in to their learner dashboard. If SSO is configured, you can choose to Allow or Prohibit this method of access. We recommend providing users with the option to use their preferred access method and leaving this as Allowed.
3.7. Click Activate SSO!
3.8. Confirm that the "SSO Status" field has changed from Inactive to Active. If there are any issues, a small popup should appear notifying you of the issue.
Step 4. Assign the CanIPhish Learner Application to users or groups in JumpCloud
4.1. There are a number of ways this can be done. The simplest is to assign it to a group of users who will receive Security Awareness Training from CanIPhish. To do this, open the app in JumpCloud, traverse to the User Groups tab and select the relevant user group. Once selected, click Save.
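If a test login fails after Step 4, the usual cause is a mismatch between what JumpCloud sends and what was entered in Steps 2.8 to 2.11 and 3.4. The following is an added example, not CanIPhish or JumpCloud code: it decodes a base64 SAMLResponse and reports which of those values do not line up. The function names, the placeholder Audience URI and Single Sign-On URL, and the constructed sample response are assumptions made for the illustration.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
# Placeholders (assumed): substitute the two values noted in Step 1.3.
AUDIENCE_URI = "urn:example:sp-entity-id"
SSO_URL = "https://sp.example.com/saml/acs"


def check_saml_response(b64_response, audience_uri=AUDIENCE_URI, sso_url=SSO_URL):
    """List mismatches with Steps 2.8-2.11. Troubleshooting only: no signature check."""
    root = ET.fromstring(base64.b64decode(b64_response))
    problems = []
    # Step 2.8: the SP Entity ID must appear as an Audience of the assertion.
    audiences = [(a.text or "").strip() for a in root.iterfind(".//saml:Audience", NS)]
    if audience_uri not in audiences:
        problems.append(f"Audience {audiences} does not contain {audience_uri!r}")
    # Step 2.9: the ACS URL must be the Recipient of the subject confirmation.
    recipients = [r.get("Recipient") for r in root.iterfind(".//saml:SubjectConfirmationData", NS)]
    if sso_url not in recipients:
        problems.append(f"Recipient {recipients} does not contain {sso_url!r}")
    # Steps 2.11 and 3.4: the email must arrive under the exact claim name.
    sent = {a.get("Name"): [(v.text or "").strip() for v in a.iterfind("saml:AttributeValue", NS)]
            for a in root.iterfind(".//saml:Attribute", NS)}
    if not any(sent.get(EMAIL_CLAIM, [])):
        problems.append(f"no value for {EMAIL_CLAIM}; attributes sent: {sorted(sent)}")
    return problems


def build_sample(attr_name=EMAIL_CLAIM, audience=AUDIENCE_URI, recipient=SSO_URL):
    """Constructed, unsigned SAMLResponse for the demo (not real JumpCloud output)."""
    xml = f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
      xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"><saml:Assertion>
      <saml:Subject><saml:SubjectConfirmation>
        <saml:SubjectConfirmationData Recipient="{recipient}"/>
      </saml:SubjectConfirmation></saml:Subject>
      <saml:Conditions><saml:AudienceRestriction>
        <saml:Audience>{audience}</saml:Audience>
      </saml:AudienceRestriction></saml:Conditions>
      <saml:AttributeStatement><saml:Attribute Name="{attr_name}">
        <saml:AttributeValue>learner@example.com</saml:AttributeValue>
      </saml:Attribute></saml:AttributeStatement>
    </saml:Assertion></samlp:Response>"""
    return base64.b64encode(xml.encode()).decode()


if __name__ == "__main__":
    for name in (EMAIL_CLAIM, "email"):  # correct claim name, then a wrong one
        print(name, check_saml_response(build_sample(attr_name=name)))
```

The input is the base64 SAMLResponse form field from a test login, assuming the response is delivered by HTTP POST and the assertion is not encrypted.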
Appendix A: (Optional) Simulate an IdP-initiated flow with a JumpCloud Bookmark App
2.1. Log in to the JumpCloud Admin Portal.
2.2. Navigate to USER AUTHENTICATION > SSO Applications.
2.3. Click + Add New Application.
2.4. Select the "Custom Application" option:
2.5. Click Next.
2.6. Tick "Add a bookmark (no SSO)".
2.7. Give the app a display name of your choosing (e.g. CanIPhish Learner Dashboard).
2.8. Ensure "Show in User Portal" is ticked.
2.9. Paste the SSO Bookmark URL displayed in your CanIPhish SSO Configuration into the "Bookmark URL" field.
2.10. Optionally upload the CanIPhish logo (download here) or a logo of your choosing.
2.11. Validate your configuration looks similar to the below and then click Save!
2.12. Click Configure Application and then click on the User Groups tab to assign this application to the same user group selected in Step 4.
2.13. You're all done! Learners can now seamlessly log in from their JumpCloud User Portal.
Getting single sign-on set up can be complex. If you run into any issues, please don't hesitate to contact the team at CanIPhish for assistance.