Configuring Single Sign-On (SSO) with Jumpcloud
This article explains how to configure the SAML SSO integration of Jumpcloud with Quickpass.
Prerequisites
- Administrator role for Jumpcloud
- Jumpcloud configured with the user accounts that will be used for accessing Quickpass.
- Primary or Super Role in Quickpass
- All of your Technicians configured in Login Management in Quickpass will need an account in Jumpcloud with exactly the same email address.
Manual - https://support.getquickpass.com/hc/en-us/articles/360040722434-How-to-Setup-Quickpass-Dashboard-Logins
Bulk Import - https://support.getquickpass.com/hc/en-us/articles/4411037813783-How-to-Bulk-Import-Quickpass-Dashboard-Logins-
Note: The Primary and Super Roles will still be able to log in with their Quickpass Account username and password to allow access in the case of challenges with the SSO.
- A User Group that you wish to use for sign in to the Quickpass Dashboard should be created and the users you wish to have access should be made members of this group.
- Initial configuration steps as per https://support.getquickpass.com/hc/en-us/articles/4419178721559-Setting-up-Dashboard-Logins-for-SSO-SAML-
- Before turning this feature on, log in to your Quickpass account twice - once in a regular browser and once in an incognito/private window or another browser. This is to ensure that you are still logged in to your account if you get locked out in the other window.
Instructions
- Log in to the Jumpcloud Portal. In the left-hand menu, click SSO under the User Authentication section.
- Click Add New Application at the top of the screen.
- Select the "Custom SAML App" at the bottom of the screen. (We are working with Jumpcloud to allow you to select a preconfigured SSO configuration for Quickpass. The KB will be updated when this is available)
- On the General Info tab fill in the Display Label, Description, and Display Options for the Application you would like to configure. You can choose to display this application in the User Portal if you wish, but at this time Jumpcloud and Quickpass are not able to log the user directly into the dashboard.
- Click on the SSO Tab.
- Fill in the values as follows:
- IdP Entity ID: This can be any value you wish. Jumpcloud recommends "Jumpcloud" but this can be any value you determine is appropriate. This will be used on the Quickpass Dashboard Authentication Options -> Issuer URL value.
NOTE: This value is Case Sensitive. However you have this value set, it must be set identically on the Quickpass Login Management page.
- SP Entity ID: This is the Entity ID value prepopulated for you on the Authentication Options screen in Quickpass. Copy the value from there and paste in this field:
- ACS URLs:
NA or Oceania: https://admin.getquickpass.com/api/auth/sso/login/callback
EU: https://eu-admin.getquickpass.com/api/auth/sso/login/callback
- SAMLSubject NameID: This value should be "email" (no quotes)
- SAMLSubject NameID Format: This value should be the default but if your screen doesn't match this select it from the DropDown:
- Signature Algorithm: This value should be set by default to RSA-SHA256
- Default RelayState: This is the Entity ID value prepopulated for you on the Authentication Options screen in Quickpass. Copy the value from there and paste in this field:
- Login URL
NA or Oceania: https://admin.getquickpass.com
EU: https://eu-admin.getquickpass.com
- IDP URL: This value can be set by you. You can use any value you wish here. The default suggestion from Jumpcloud is to use:
However, whatever value you place in this screen is what is going to be used on the Quickpass Dashboard as the SAML Login and Logout Endpoint URL.
NOTE: This value is Case Sensitive. However you have this value set, it must be set identically on the Quickpass Login Management page.
- Click on Activate.
- Click on the Application you just created on the Jumpcloud SSO configuration page and then select the User Groups section.
- Select the checkbox beside the Group you created for access to the Quickpass Dashboard.
- Click Save
- Certificate Values
- You will need the certificate that was generated by Jumpcloud or your own IDP Certificate if you created your own by following the KB from Jumpcloud on this process.
- Click the Application you just created.
- Click the IDP Certificate "Valid" (hopefully it shows valid if you set it up correctly or used the default Certificate that Jumpcloud created for you) Dropdown and select Download Certificate
- Save the file somewhere secure.
- Open this file in a Text Editor.
- Copy the contents
- Paste the Value into the SAML SSO - Certificate on the Quickpass Dashboard (ensure that there are no leading or trailing spaces before or after the ---- characters)
- Launch the Website: https://www.samltool.com/fingerprint.php
- Copy and paste the certificate value from the Text Editor for the Certificate File you downloaded.
- Change the Algorithm Value to sha256.
- Click Calculate Fingerprint.
- You will need the "Formatted FingerPrint" value
- Copy the SHA-256 Fingerprint from the page
- Paste it into the Quickpass Fingerprint box
- Jumpcloud values to be placed in the Quickpass SAML SSO Setup Screen
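A local alternative to the fingerprint steps above, as an added example that is not part of the original article or of Quickpass or Jumpcloud tooling: it computes the SHA-256 fingerprint of the downloaded certificate with the Python standard library, tolerating the stray whitespace the paste step warns about, and compares it with the value pasted into the dashboard. The function names and the sample PEM (constructed placeholder bytes, not a real certificate) are assumptions.

```python
import base64
import hashlib
import hmac
import re

# One PEM block: captures the label and the base64 body.
_PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.DOTALL)

# Constructed sample: the body is placeholder bytes, NOT a real certificate.
# Leading/trailing spaces are included on purpose.
CONSTRUCTED_PEM = "  -----BEGIN CERTIFICATE-----\n  YWJj  \n-----END CERTIFICATE-----  \n"


def certificate_fingerprint(pem_text: str) -> str:
    """Return the colon-separated SHA-256 fingerprint of a single PEM certificate."""
    blocks = _PEM_BLOCK.findall(pem_text)
    if len(blocks) != 1:
        raise ValueError(f"expected exactly one PEM block, found {len(blocks)}")
    label, body = blocks[0]
    if label != "CERTIFICATE":
        # Refuse anything that is not a certificate, e.g. a private key file
        # picked by mistake, before it gets pasted anywhere.
        raise ValueError(f"PEM block is {label!r}, not a certificate")
    # The fingerprint is the hash of the DER bytes, so whitespace and line
    # breaks inside the PEM body must be removed before decoding.
    der = base64.b64decode("".join(body.split()), validate=True)
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fingerprints_match(a: str, b: str) -> bool:
    """Compare two fingerprints regardless of case, colons or spaces."""
    def norm(s: str) -> str:
        return re.sub(r"[^0-9a-f]", "", s.lower())
    na, nb = norm(a), norm(b)
    # A SHA-256 fingerprint is exactly 64 hex digits; reject truncated pastes.
    return len(na) == 64 and hmac.compare_digest(na, nb)


if __name__ == "__main__":
    # In practice, read the file downloaded from the Jumpcloud application page.
    print(certificate_fingerprint(CONSTRUCTED_PEM))
```
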
Testing
- In another browser or an Incognito/Private browser window, open the Quickpass Dashboard
NA or Oceania: https://admin.getquickpass.com
EU: https://eu-admin.getquickpass.com
- Click Log In with SSO
- Enter the Email Address that is configured for the Login Role Account you are testing
- Click Log In
- You should be prompted to sign into the Jumpcloud Single Sign-On just as you normally are.
- Sign in with the credentials from the SSO Source you normally use.
- You should be prompted with whichever Jumpcloud Sign In options you have configured as mandated for login. This example uses MFA.
- Upon approval, the Technician should be logged into the Quickpass Dashboard with the proper account and permissions as assigned in the Quickpass Login Management.