You're viewing documentation for the legacy version of Firezone, now End-of-Life. View the latest docs here.
Enable SSO with JumpCloud (SAML 2.0)
This guide assumes you have completed the prerequisite steps (e.g. generate self-signed X.509 certificates) outlined here.
Firezone supports Single Sign-On (SSO) using JumpCloud through the generic SAML 2.0 connector. This guide will walk you through how to configure the integration.
Step 1: Create a SAML connector
In the JumpCloud admin portal, create a new App under the SSO tab. At the bottom
of the popup window, click Custom SAML App.
After entering your desired value for Display Label, click the SSO tab, then
use the following configuration values:
| Setting | Value |
|---|---|
| IdP Entity ID | Any unique string will work, e.g. firezone-jumpcloud. |
| SP Entity ID | This should be the same as your Firezone SAML_ENTITY_ID, defaults to urn:firezone.dev:firezone-app. |
| ACS URL | This is your Firezone EXTERNAL_URL/auth/saml/sp/consume/:config_id, e.g. https://firezone.company.com/auth/saml/sp/consume/jumpcloud. |
| SAMLSubject NameID | email |
| SAMLSubject NameID Format | Leave at the default. |
| Signature Algorithm | RSA-SHA256 |
| Sign Assertion | Checked. |
| Login URL | This is your Firezone EXTERNAL_URL/auth/saml/auth/signin/:config_id, e.g. https://firezone.company.com/auth/saml/auth/signin/jumpcloud |
Leave the rest of the settings unchanged, then click the activate button at
the bottom-right.
Your JumpCloud configuration should now resemble the following:
Now, download the IdP Metadata document by selecting the App you just created
and then clicking the export metadata button in the upper-right. You'll need
to copy-paste the contents of this document into the Firezone portal in the next
step.
Step 2: Add SAML identity provider to Firezone
In the Firezone portal, add a SAML identity provider under the Security tab by filling out the following information:
| Setting | Value | Notes |
|---|---|---|
| Config ID | jumpcloud | Firezone uses this value to construct endpoints required in the SAML authentication flow (e.g., receiving assertions, login requests). |
| Label | JumpCloud | Appears on the sign in button for authentication. |
| Base URL | Leave unchanged. | |
| Metadata | see note | Copy-paste the contents of the SAML metadata document you downloaded in the previous step from JumpCloud. |
| Sign assertions | Checked. | |
| Sign metadata | Checked. | |
| Require signed assertions | Checked. | |
| Require signed envelopes | Unchecked. | |
| Auto create users | Default false | Enable this setting to automatically create users when signing in with this connector for the first time. Disable to manually create users. |
Your Firezone configuration should now resemble the following:
After saving the SAML config, you should see a Sign in with JumpCloud button
on your Firezone portal sign-in page.