Single Sign-On (SSO) lets you give your team members one account for all of the systems your business uses. If you have a Jump Desktop for Teams Enterprise subscription and have SSO set up for your team, you can require users to log in to Jump Desktop with your company credentials.
Note: Once you set up SSO, you can also set up SCIM Integration and Domain Verification for your team. These integrations give you additional options to streamline user onboarding to Jump Desktop Teams.
a. Requirements for SSO
- Jump Desktop SSO is based on SAML 2.0. You will need an Identity Provider (IDP) that supports SAML 2.0.
- A Jump Desktop for Teams Enterprise subscription.
b. Set up Single Sign On for your Team
- In your Jump Desktop Teams Dashboard click the Security icon.
- In the Teams Single Sign On section click Setup SAML SSO.
- Click Next in the Prepare Identity Provider step.
- In the Choose a company name step choose a company name that will be used to identify your company when users click the Sign in using SSO button. Then click Next. Note: You cannot change the company name once it's set.
- Click Create in the Upload IDP Metadata (Optional) step.
- Next, collect the details of your team's Jump Desktop service provider: click the Manage SAML SSO button and make a note of the ACS URL and the Entity ID. You'll need both when setting up your identity provider.
c. Set up your identity provider
You'll need to set up your Identity Provider (IDP) next. This may require contacting your IT team. We have instructions below for different identity providers. Whichever provider you use, the last step is to export its metadata file and upload it in the Teams dashboard; that file carries the IDP's signing certificate, so if your IDP ever rotates that certificate, export fresh metadata and upload it again. If you can't find your identity provider here, please contact support@jumpdesktop.com and let us know which IDP you'd like instructions for.
- Okta
- OneLogin
- JumpCloud
- Azure AD
- Active Directory Federation Services (ADFS)
- Google Workspace (Google Suite)
- CyberArk
d. Testing Single Sign On
Once you're done configuring your identity provider in Jump, test your SSO integration by linking your own SSO credentials with your Jump Desktop account:
- Go to your Security dashboard. Note: this is not the same dashboard as your Team's security dashboard. Visit https://app.jumpdesktop.com and click Security on the left.
- In the Single Sign On section click Sign in using Single Sign On.
- When prompted for your Company Name, enter the name you selected when setting up SSO and click Continue.
- You'll be taken to your identity provider's web page where you can sign in.
- If linking succeeds, you can enforce SSO for your team.
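When the test fails, the quickest way to see why is to capture the SAMLResponse your browser posts to the ACS URL (your browser's developer tools show it as a form field of the POST request) and inspect it. The following added Python script (not part of Jump Desktop) decodes that value and checks the fields a service provider evaluates: the status code, that Destination and the SubjectConfirmationData Recipient equal your ACS URL, that the Audience equals your Entity ID, that the assertion is inside its NotBefore/NotOnOrAfter window, that a Signature element is present, and that the three attributes every provider section below maps (User.email, User.firstName, User.lastName) arrived. It does not verify the signature itself, so it is a diagnostic, not a replacement for the service provider's checks. The ACS URL, Entity ID and the sample response embedded in it are constructed placeholders; substitute the values from your own Teams dashboard.

```python
"""
Decode the SAMLResponse posted to the ACS URL during an SSO test and check the fields the service
provider evaluates. Added example, not Jump Desktop code. It does NOT verify the XML signature.
"""
import base64
import sys
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from typing import Optional

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
SKEW = timedelta(minutes=3)  # tolerated clock difference between the IdP and this machine
# Attributes every IdP section of the article maps, compared case-insensitively because the article
# spells them both User.email and user.email (assumption: the service provider accepts either).
REQUIRED_ATTRIBUTES = ("user.email", "user.firstname", "user.lastname")
# Assumed placeholders; use the ACS URL and Entity ID shown on your own Teams dashboard.
EXAMPLE_ACS_URL = "https://sp.example.com/saml/acs"
EXAMPLE_SP_ENTITY_ID = "https://sp.example.com/saml/metadata"


def parse_saml_time(value: str) -> datetime:
    return datetime.strptime(value[:19], "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def check_saml_response(saml_response_b64: str, acs_url: str, sp_entity_id: str,
                        now: Optional[datetime] = None) -> dict:
    """Return the NameID, the attributes and a list of problems found in the decoded response."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    result = {"name_id": None, "attributes": {}, "problems": []}
    problems = result["problems"]
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        problems.append("StatusCode is not Success: %s" % (status.get("Value") if status is not None else "missing"))
    if root.get("Destination") != acs_url:
        problems.append("Destination %r does not match the ACS URL" % root.get("Destination"))
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        problems.append("no plaintext saml:Assertion (an EncryptedAssertion cannot be inspected here)")
        return result
    if root.find("ds:Signature", NS) is None and assertion.find("ds:Signature", NS) is None:
        problems.append("neither the Response nor the Assertion carries a ds:Signature")
    audiences = [a.text for a in assertion.findall("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if sp_entity_id not in audiences:
        problems.append("Audience %s does not contain the SP Entity ID" % audiences)
    conditions = assertion.find("saml:Conditions", NS)
    if conditions is not None:
        not_before, not_on_or_after = conditions.get("NotBefore"), conditions.get("NotOnOrAfter")
        if not_before and parse_saml_time(not_before) > now + SKEW:
            problems.append("assertion is not yet valid (NotBefore %s); check clock skew" % not_before)
        if not_on_or_after and parse_saml_time(not_on_or_after) <= now - SKEW:
            problems.append("assertion has expired (NotOnOrAfter %s)" % not_on_or_after)
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is not None and scd.get("Recipient") not in (None, acs_url):
        problems.append("Recipient %r does not match the ACS URL" % scd.get("Recipient"))
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    result["name_id"] = name_id.text if name_id is not None else None
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text for v in attr.findall("saml:AttributeValue", NS)]
        result["attributes"][attr.get("Name")] = values[0] if len(values) == 1 else values
    present = {name.lower() for name in result["attributes"]}
    for required in REQUIRED_ATTRIBUTES:
        if required not in present:
            problems.append("attribute %s is missing; check the IdP attribute mapping" % required)
    return result


def build_sample_response(acs_url: str, audience: str) -> str:
    """Constructed sample, base64-encoded like the SAMLResponse form field. The Signature is a stub."""
    xml = """<samlp:Response xmlns:samlp="%s" xmlns:saml="%s" xmlns:ds="%s" ID="_r1" Version="2.0"
  IssueInstant="2030-01-01T12:00:00Z" Destination="%s">
  <saml:Issuer>https://idp.example.com/saml/metadata</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="%s"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2030-01-01T12:00:00Z">
    <saml:Issuer>https://idp.example.com/saml/metadata</saml:Issuer>
    <ds:Signature/>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">_abc123</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="%s" NotOnOrAfter="2030-01-01T12:05:00Z"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2030-01-01T11:59:00Z" NotOnOrAfter="2030-01-01T12:05:00Z">
      <saml:AudienceRestriction><saml:Audience>%s</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="User.email"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="User.firstName"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="User.lastName"><saml:AttributeValue>Example</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>""" % (NS["samlp"], NS["saml"], NS["ds"], acs_url, SUCCESS, acs_url, audience)
    return base64.b64encode(xml.encode()).decode()


if __name__ == "__main__":
    # Usage: python check_saml_response.py <base64 SAMLResponse> <ACS URL> <Entity ID>
    if len(sys.argv) == 4:
        print(check_saml_response(sys.argv[1], sys.argv[2], sys.argv[3]))
    else:  # no arguments: check the constructed sample at its own issue time
        print(check_saml_response(build_sample_response(EXAMPLE_ACS_URL, EXAMPLE_SP_ENTITY_ID),
                                  EXAMPLE_ACS_URL, EXAMPLE_SP_ENTITY_ID, parse_saml_time("2030-01-01T12:00:00Z")))
```

A mismatch in Destination, Recipient or Audience almost always means the ACS URL or Entity ID was pasted into the wrong field of the identity provider (the OneLogin and JumpCloud sections have several fields that take the same value). A missing attribute means the attribute mapping step was skipped or the name was misspelled on the IDP side.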
e. Enforce SSO for all team members
You can optionally require that all team members use SSO when logging in to Jump Desktop:
- In your Jump Desktop Teams Dashboard click the Security icon.
- In the Team Single Sign On section click Require SSO For Team.
When Require SSO For Team is enabled, team members will only be allowed to sign in to Jump Desktop by clicking the Sign In using SSO button. Existing team members who haven't linked their SSO account will be asked to link it the next time they try to sign in.
f. You're done!
Okta Identity Provider Setup
- Sign into your organization's Okta administrative dashboard. You will need to be an administrator to access it.
- Add a new SAML application: Click Applications -> Add Application.
- Click Create New App
- Set Platform to Web and Sign in Method to SAML 2.0. Then click Create.
- Set App Name to Jump Desktop SAML SSO and check Do not display application to users and Do not display application in Okta mobile app. You can also upload an icon for Jump Desktop here (Jump Desktop Icon). Click Next.
- In the Configure SAML section set the following.
- Set Single Sign On URL to ACS URL from your Jump Desktop Team's dashboard.
- Set Audience URI to Entity ID from your Jump Desktop Team's dashboard.
- In the Attribute Statements (optional) section add the following three mappings (the name on the left is the attribute name Jump Desktop expects, the value on the right is the Okta user profile attribute):
- User.email -> user.email
- User.firstName -> user.firstName
- User.lastName -> user.lastName
- Click Next.
- In the Feedback section select I'm an Okta customer adding an internal app and click Finish.
- Next, download the Identity Provider metadata for the Okta app you just created (the link is on the app's Sign On tab). Save it on your local machine; you'll upload it to your Teams dashboard.
- Log back into your Jump Desktop Teams Dashboard and click Security. In the Team Single Sign On section click Manage SAML SSO, then click Upload IDP Metadata and upload the file you just downloaded.
- Click Close to close the dialog.
- That's it. Next, go to the Testing Single Sign On section to test your integration.
JumpCloud Identity Provider Setup
- Sign into your organization's JumpCloud administrative dashboard.
- Click Applications and then add a new Application by clicking the + icon.
- In the Search bar, search for SAML. You'll see one hit called Custom SAML App. Click the Configure button.
- In General Info enter a display label for the app (for example Jump Desktop SAML SSO, the name used in the steps below) and, optionally, the Jump Desktop icon (Jump Desktop Icon).
- Scroll down to the Single Sign-On Configuration section and enter the following information:
- Set IdP Entity ID to the Entity ID from your Jump Desktop Team's dashboard.
- Set SP Entity ID to Entity ID from your Jump Desktop Team's dashboard.
- Set ACS URL to ACS URL from your Jump Desktop Team's dashboard.
- Scroll down to the Attributes section and, under USER ATTRIBUTE MAPPING, add the same three mappings the other providers use: the service provider attributes User.email, User.firstName and User.lastName, mapped to the user's email address, first name and last name respectively.
- In User Groups select the user groups that should be allowed to log in to Jump.
- Finally click Activate and confirm.
- Reload the Applications page and you'll see a new entry for Jump Desktop SAML SSO.
- Click the entry to view its properties and then expand the Single Sign On Configuration group. Under the JumpCloud Metadata section click Export Metadata and save it to your local machine. You'll upload this to your Teams dashboard.
- Log back into your Jump Desktop Teams Dashboard and click Security. In the Team Single Sign On section click Manage SAML SSO, then click Upload IDP Metadata and upload the metadata you downloaded in the previous step.
- That's it. Next, go to the Testing Single Sign On section to test your integration.
OneLogin Identity Provider Setup
- Sign into your organization's OneLogin administrative dashboard.
- Click Applications in the top menu bar and then click the Add App button.
- In the Search box enter: SAML and then pick the connector called: SAML Test Connector (Advanced)
- In the Configuration section enter a display name for the app (for example Jump Desktop SSO) and, optionally, the Jump Desktop icon (Jump Desktop Icon). Click Save after you're done.
- Click Configuration in the side bar and set the following fields:
- Set Audience to Entity ID from your Jump Desktop Team's dashboard
- Set Recipient to ACS URL from your Jump Desktop Team's dashboard
- Set ACS (Consumer) URL Validator to ACS URL from your Jump Desktop Team's dashboard.
- Set ACS (Consumer) URL to ACS URL from your Jump Desktop Team's dashboard
- Click Save.
- Click Parameters in the side bar.
- Click the blue + button on the right. In Field name enter: User.email and check Include in SAML assertion. Click Save. Set Value to Email and click Save again.
- Click the blue + button on the right. In Field name enter: User.firstName and check Include in SAML assertion. Click Save. Set Value to First Name and click Save.
- Click the blue + button on the right. In Field name enter: User.lastName and check Include in SAML assertion. Click Save. Set Value to Last Name and click Save.
- Click Save on the top right to save your settings.
- Click More Actions on the top right, then click SAML Metadata and save the file to your local machine. You'll upload this to your Teams dashboard.
- Log back into your Jump Desktop Teams Dashboard and click Security. In the Team Single Sign On section click Manage SAML SSO, then click Upload IDP Metadata and upload the metadata you downloaded in the previous step.
- That's it. Next, go to the Testing Single Sign On section to test your integration.
Azure AD (Microsoft Entra ID) Identity Provider Setup
- Sign into the Azure portal using an administrative account.
- In the main dashboard, click the Azure Active Directory icon (Microsoft Entra ID in newer portals) and then click Enterprise Applications in the sidebar.
- Click New Application and then click Non-gallery application (in newer portals: Create your own application, then Integrate any other application you don't find in the gallery).
- Set the Name to Jump Desktop SSO and click Add.
- In the Jump Desktop SSO overview page, click Set up single sign on.
- In Select a single sign-on method, select SAML.
- In the Basic SAML Configuration card, click Edit.
- Set:
- Identifier (Entity ID) to Entity ID from your Jump Desktop Team's dashboard.
- Reply URL (Assertion Consumer Service URL) to ACS URL from your Jump Desktop Team's dashboard.
- Click Save and click X to go back to the SAML set up page.
- In the User Attributes & Claims card click Edit.
- In the User Attributes & Claims section:
- Click Add new claim, set Name to user.email and set Source Attribute to user.mail and click Save.
- Click Add new claim, set Name to user.firstname and set Source Attribute to user.givenname and click Save.
- Click Add new claim, set Name to user.lastname and set Source Attribute to user.surname and click Save.
- Click X to go back.
- In the SAML Signing Certificate card, click the Download button next to Federation Metadata XML and save the XML file locally. You'll upload this to your Jump Desktop Team's dashboard in the last step below.
- Optional: On the left hand sidebar, click Users and Groups and click Add User to add users who will be allowed to sign into Jump Desktop.
- Log back into your Jump Desktop Teams Dashboard and click Security. In the Team Single Sign On section click Manage SAML SSO, then click Upload IDP Metadata and upload the Federation Metadata XML you downloaded above.
- That's it. Next, go to the Testing Single Sign On section to test your integration.
Microsoft Active Directory Federation Services (ADFS) Set Up
- To set up ADFS SSO, you'll need to first download your Team's Service Provider Metadata (SP Metadata) from your Team's dashboard; you'll import it into your ADFS console. To do this: open your Team's dashboard -> Security icon -> Manage SAML SSO -> Download SSO Metadata. Keep this file for the Select Data Source step below.
- On your ADFS server, create a new Relying Party Trust: open AD FS Management -> right click Relying Party Trusts -> Add Relying Party Trust...
- In the Add Relying Party Trust Wizard:
- In the Welcome screen: Select Claims aware and click Start.
- In the Select Data Source screen: Select Import data about the relying party from a file and click Browse. Select the SP Metadata file you downloaded from your Teams dashboard above. Then click Next.
- In the Specify Display Name screen enter the display name: Jump Desktop SSO and click Next.
- In the Choose Access Control Policy screen choose a policy that suits you (for example Permit everyone, or Permit specific group to restrict SSO to one AD group) and click Next.
- In the Ready to Add Trust screen: Click Next and then click Close.
- The Edit Claim Issuance Policy for Jump Desktop SSO dialog should open up.
- Click Add Rule...
- The Add Transform Claim Rule Wizard will open up:
- Select Send LDAP Attributes As Claims and click Next.
- Set Claim rule name to Jump Desktop SSO Claim Rules.
- Set Attribute Store to Active Directory.
- Add the following mappings:
- E Mail-Addresses -> user.email
- Given-Name -> user.firstname
- Surname -> user.lastname
- Click Finish.
- In the Edit Claim Issuance Policy for Jump Desktop SSO dialog click Add Rule... again.
- In the Add Transform Claim Rule Wizard dialog:
- Set Claim rule template to Transform an Incoming Claim and click Next.
- Set Claim rule name to: Transform Account Name.
- Set Incoming claim type to: Windows account name.
- Set Outgoing claim type to: Name ID.
- Set Outgoing name ID format to: Transient Identifier.
- Make sure Pass through all claim values is selected.
- Click Finish.
- Click Apply in the Edit Claim Issuance Policy for Jump Desktop SSO and close the dialog.
- In the Relying Party Trusts column right click the Jump Desktop SSO entry and then click Properties.
- In the Jump Desktop SSO Properties dialog click the Encryption tab and then click Remove to remove the encryption certificate. ADFS encrypts assertions whenever an encryption certificate is configured on the trust; removing it makes ADFS send signed but unencrypted assertions, which is what this integration requires. Leave the Signature tab and the token-signing certificate alone: the assertions must still be signed.
- Once the certificate is removed, click Apply.
- We're almost done. Next, download the federation metadata for your ADFS installation from the following URL and save it to your local machine. Replace YOURADFSSERVERNAME with your ADFS server's public hostname: https://YOURADFSSERVERNAME/FederationMetadata/2007-06/FederationMetadata.xml
- Log back into your Jump Desktop Teams Dashboard and click Security. In the Team Single Sign On section click Manage SAML SSO, then click Upload IDP Metadata and upload the metadata you downloaded in the previous step.
- That's it. Next, go to the Testing Single Sign On section to test your integration.
Google Workspace (Google Suite)
- In your Google Admin console (admin.google.com), visit Apps -> Web and mobile apps
- Click Add App -> Add custom SAML app
- In App Name enter Jump Desktop. Optionally, upload the Jump Desktop icon (Jump Desktop Icon) as the App Icon.
- Click Continue.
- Click the Download Metadata button and save the metadata locally (you'll upload it to your Teams dashboard in the last step). Then click Continue.
- In the Service provider details section enter the following details:
- Set ACS URL to ACS URL from your Jump Desktop Team's dashboard
- Set Entity ID to Entity ID from your Jump Desktop Team's dashboard
- Click Continue
- In the Attributes section do the following:
- Click Add Mapping and add a mapping Primary Email -> User.email
- Click Add Mapping and add a mapping First Name -> User.firstName
- Click Add Mapping and add a mapping Last Name -> User.lastName
- Click Finish
- Log back into your Jump Desktop Teams Dashboard and click Security. In the Team Single Sign On section click Manage SAML SSO, then click Upload IDP Metadata and upload the metadata you downloaded from Google above.
- That's it. Next, go to the Testing Single Sign On section to test your integration.
CyberArk Identity Provider setup
1. Log into the CyberArk Admin Panel
2. Under the "Apps & Widgets" menu select "Web Apps"
3. On the "Web Apps" screen select "Add Web Apps"
4. Click the "Custom" tab, and click the "Add" button next to "SAML".
5. Choose "Yes" when prompted asking "Do you want to add this application?"
6. When you close the dialog, the screen to configure your new app should appear. If it does not, select the "SAML" app you just added from the "Web Apps" screen. Enter a name and an icon (optional) for the application.
7. Under the "Trust" menu, click "Download Metadata File" and save it locally. You'll upload this file in Jump (Manage SAML SSO -> Upload IDP Metadata) to finish configuring SSO.
8. Under the "Trust" menu, enter the Entity ID and ACS URL from your Jump Desktop Team's dashboard. You can also upload the metadata file to Jump at this stage if you haven't already.
9. Under Account Mapping, map the user's email address, first name and last name to User.email, User.firstName and User.lastName, the attribute names used for every other provider above.
10. Click "Save" at the bottom of the screen. Your SSO should now be configured. Important: You will need to add users or roles to the application under the "Permissions" menu item in order for the application to be deployed. Next, go to the Testing Single Sign On section to test your integration.