You're viewing documentation for the legacy version of Firezone, now End-of-Life. View the latest docs here.

Enable SSO with JumpCloud (SAML 2.0)

This guide assumes you have completed the prerequisite steps (e.g. generate self-signed X.509 certificates) outlined here.

Firezone supports Single Sign-On (SSO) using JumpCloud through the generic SAML 2.0 connector. This guide will walk you through how to configure the integration.

Step 1: Create a SAML connector

In the JumpCloud admin portal, create a new App under the SSO tab. At the bottom of the popup window, click Custom SAML App.

After entering your desired value for Display Label, click the SSO tab, then use the following configuration values:

SettingValue
IdP Entity IDAny unique string will work, e.g. firezone-jumpcloud.
SP Entity IDThis should be the same as your Firezone SAML_ENTITY_ID, defaults to urn:firezone.dev:firezone-app.
ACS URLThis is your Firezone EXTERNAL_URL/auth/saml/sp/consume/:config_id, e.g. https://firezone.company.com/auth/saml/sp/consume/jumpcloud.
SAMLSubject NameIDemail
SAMLSubject NameID FormatLeave at the default.
Signature AlgorithmRSA-SHA256
Sign AssertionChecked.
Login URLThis is your Firezone EXTERNAL_URL/auth/saml/auth/signin/:config_id, e.g. https://firezone.company.com/auth/saml/auth/signin/jumpcloud

Leave the rest of the settings unchanged, then click the activate button at the bottom-right.

Your JumpCloud configuration should now resemble the following:

jumpcloud saml

Now, download the IdP Metadata document by selecting the App you just created and then clicking the export metadata button in the upper-right. You'll need to copy-paste the contents of this document into the Firezone portal in the next step.

Step 2: Add SAML identity provider to Firezone

In the Firezone portal, add a SAML identity provider under the Security tab by filling out the following information:

SettingValueNotes
Config IDjumpcloudFirezone uses this value to construct endpoints required in the SAML authentication flow (e.g., receiving assertions, login requests).
LabelJumpCloudAppears on the sign in button for authentication.
Base URLLeave unchanged.
Metadatasee noteCopy-paste the contents of the SAML metadata document you downloaded in the previous step from JumpCloud.
Sign assertionsChecked.
Sign metadataChecked.
Require signed assertionsChecked.
Require signed envelopesUnchecked.
Auto create usersDefault falseEnable this setting to automatically create users when signing in with this connector for the first time. Disable to manually create users.

Your Firezone configuration should now resemble the following:

firezone saml

After saving the SAML config, you should see a Sign in with JumpCloud button on your Firezone portal sign-in page.

Last updated: February 28, 2024