3.2.1.3.1.1.2. JumpCloud

Objective: Configure a SAML IDP for authenticating users in the SDP client.

In this article you will learn how to:

  • Set up and configure MetaAccess SDP as a Service Provider (SP) in JumpCloud.

  • Export the resulting connection data from JumpCloud and import it to the MetaAccess Console.

  • Enable SAML SSO for your SDP end users.

  • Provide access to SDP-protected applications based on JumpCloud group membership.

  • Invoke SDP by logging in to JumpCloud as an end user.

  1. Sign up for an account at jumpcloud.com. They provide free IDP services for a limited number of users. Once you’ve got the account created and are signed in to the administrator console you should see something like this:
    images/download/attachments/6216125/screenshot-2020-09-25T09-53-25-0400.png

  2. Add a new user using manual entry.
    images/download/attachments/6216125/screenshot-2020-09-25T09-54-58-0400.png

  3. Fill in details. I’ve specified an initial password here, but you can let it generate a temporary password too. It’s fine to leave all the other tabs with their default settings for now.
    images/download/attachments/6216125/screenshot-2020-09-25T09-59-25-0400.png

  4. Create a group for that user.
    images/download/attachments/6216125/screenshot-2020-09-25T10-32-53-0400.png

  5. Give the new group a name
    images/download/attachments/6216125/screenshot-2020-09-25T10-33-55-0400.png

  6. Include the user you just created in this new group
    images/download/attachments/6216125/screenshot-2020-09-25T10-34-16-0400.png

  7. Save the group, the rest of the group settings can be left alone.

  8. Create an application. This will be a “Custom SAML App”.
    images/download/attachments/6216125/screenshot-2020-09-25T10-34-56-0400.png

  9. Give it some label.
    images/download/attachments/6216125/screenshot-2020-09-25T10-36-07-0400.png

  10. Configure the IDP and SP Entity IDs. These are identifiers the two ends are going to use to verify that authentication attempts are coming from and going to the right places. It doesn’t really matter what they are, just remember them for later when configuring MetaAccess. images/download/attachments/6216125/screenshot-2020-09-25T10-42-24-0400.png

  11. Configure the IDP URL. It doesn’t matter what this is, it just can’t conflict with the URL you specified for any other applications you have defined. I’ve changed mine here, but the default would probably also work for you.
    images/download/attachments/6216125/screenshot-2020-09-25T10-36-32-0400.png

  12. We’ll come back here later when we have some more information from MetaAccess. Save your progress so far by selecting “activate”. When you save this application it warns you that you can’t change this later. That’s fine.
    images/download/attachments/6216125/screenshot-2020-09-25T10-37-21-0400.png

  13. Edit the application you just created, and export the JumpCloud Metadata. You’ll need this to upload to MetaAccess.
    images/download/attachments/6216125/screenshot-2020-09-25T10-50-35-0400.png

  14. Navigate to the MetaAccess administration console. Enable single sign-on for SDP.
    Note that there are two kinds of SAML SSO setup here. The “Console” setup is for logging into the MetaAccess administration console itself. The “SDP” setup is for logging in end-users to the SDP product. We’re setting up SDP here.
    images/download/attachments/6216125/screenshot-2020-09-28T12-39-54-0400.png

  15. Import configuration from an XML file. Select the JumpCloud Metadata file you downloaded earlier. This should populate a variety of fields on this page automatically.
    Note that while some of these fields are marked as mandatory (they have an asterisk next to them) they should all be provided by the JumpCloud metadata xml file. All of the fields on this page other than the metadata upload are intended for cases where the metadata file isn’t provided by the IDP, or is incomplete.
    images/download/attachments/6216125/screenshot-2020-09-25T10-54-42-0400.png

  16. At the bottom of this form is configuration for Group Attributes. You need to tell MetaAccess what JumpCloud is going to use as the attribute containing group information. This can be anything, you’ll just need to enter the same thing into JumpCloud later.
    images/download/attachments/6216125/screenshot-2020-09-25T10-56-16-0400.png

  17. Copy the MetaAccess Login URL.
    images/download/attachments/6216125/screenshot-2020-09-25T10-57-26-0400.png

  18. Save the MetaAccess SDP SSO configuration using the Save button in the upper right of the current page.
    images/download/attachments/6216125/screenshot-2020-09-28T12-46-39-0400.png

  19. Go back to the JumpCloud configuration for this application. Paste the MetaAccess Login URL as the ACS URL.
    images/download/attachments/6216125/screenshot-2020-09-25T10-58-00-0400.png

  20. Enable group attributes for the application. Make sure to use the same name specified earlier in the MetaAccess configuration.
    images/download/attachments/6216125/screenshot-2020-09-25T10-59-13-0400.png

  21. Add the group you created earlier to this application in the User Groups tab.
    images/download/attachments/6216125/screenshot-2020-09-25T14-13-07-0400.png

  22. Save the JumpCloud application again.

  23. The MetaAccess settings applied to a device depend on what MetaAccess group it is in. IN this case we want to make sure that SDP is enabled for the MetaAccess group. For this example I only have the single default group.
    Note that I’ve already got a device in this group. If you need to install the OPSWAT client and get a device in inventory do so now.
    images/download/attachments/6216125/screenshot-2020-09-25T14-23-44-0400.png

    images/download/attachments/6216125/screenshot-2020-09-25T14-24-30-0400.png

  24. You should now define the IDP groups. This should match the name of the group used earlier when configuring the group in JumpCloud.
    images/download/attachments/6216125/screenshot-2020-09-25T14-30-58-0400.png

  25. Add an IDP Group to act as an anchor for the SAML group within MetaAccess. The “Identity Provider Group” value should match exactly what you entered as the group name in JumpCloud. The “Name On MetaAccess” can be anything you like. Some IDPs don’t expose nice names for groups, so this is a chance to give the group a name that is easy to work with on the MetaAccess side.
    images/download/attachments/6216125/screenshot-2020-09-28T09-56-22-0400.png

  26. At this point you can add any protected applications. When prompted for what users have access to these applications select the IDP groups you created earlier.
    images/download/attachments/6216125/screenshot-2020-09-28T09-59-02-0400.png images/download/attachments/6216125/screenshot-2020-09-28T09-59-51-0400.png

  27. Log in to JumpCloud as a the user you added earlier. You may need to log out of the administrator console to get back to a login prompt at https://console.jumpcloud.com/login. You may need to switch to the “User Login” version of this page. If you’re on the Administrator Portal the button in the top left can switch to the User Portal.
    images/download/attachments/6216125/screenshot-2020-09-25T14-11-48-0400.png

  28. Select the MetaAccess application.
    images/download/attachments/6216125/screenshot-2020-09-25T14-14-02-0400.png

  29. You’ll be prompted to launch the SDP client if it is already installed. If you still need to install the OPSWAT client you can do so from the link on this page.
    images/download/attachments/6216125/screenshot-2020-09-25T14-18-29-0400.png images/download/attachments/6216125/screenshot-2020-09-25T14-25-45-0400.png

  30. SDP should launch and connect. You should have access to that test resource.
    images/download/attachments/6216125/screenshot-2020-09-28T10-10-45-0400.png