SAML with Jumpcloud - Users and Admins

The following example assumes your Knocknoc instance is located at https://demo.knoc.cloud. Wherever you see that, please substitute it for your own instance URL.

Setting Up the IdP

Creating An Application

  1. Log in to your JumpCloud tenant as an administrator.

  2. From the left-hand menu, select the "SSO" option (under "User Authentication").

  3. Click the "Get Started" button.

  4. Click Select on Custom Application in the bottom right of the Featured Applications pane and click Next.

  5. Click Manage Single Sign-On, and then Configure SSO with SAML and click Next.

  6. Enter a Name for your application under Display Label (e.g. Knocknoc).

  7. Scroll down and click Advanced Settings.

  8. Enter a semi-unique URL for the SSO IdP URL (e.g. papercompany-knocknoc).

  9. Click Save Application.

  10. Click Configure Application.

  11. Single Sign-On Configuration Settings:

    1. Set the IdP Entity ID to "Knocknoc". Note: this is a default; if you intend to run multiple instances, choose something unique.
    2. Set the SP Entity ID to https://demo.knoc.cloud/api/saml/metadata
    3. Set the ACS URL to https://demo.knoc.cloud/api/saml/acs
    4. Generate a new certificate and key. This can be done on a Linux host using the command below:
      openssl req -new -x509 -days 3650 -nodes -subj /CN=Knocknoc/ -out user-demo-knoc-cloud.crt -keyout user-demo-knoc-cloud.key
    5. Click 'Upload SP Certificate' and choose the certificate (.crt) just generated.
    6. Set SAMLSubject NameID to "username"
    7. Set the SAMLSubject NameID Format to "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
    8. Leave the Signature Algorithm as RSA-SHA256
    9. Check Sign Assertion
    10. Leave Default RelayState blank
    11. Enter the Login URL as https://demo.knoc.cloud/api/login/saml
    12. Check Declare Redirect Endpoint
    13. Set IDP URL to https://sso.jumpcloud.com/saml2/knocknoc. Note: this is a default; if you intend to run multiple instances, choose something unique, as in step 11.1.
    14. Under User Attributes click Add Attribute.
      1. Set Service Provider Attribute Name to "realName"
      2. Set JumpCloud Attribute Name to "fullname"
    15. Under Constant Attributes click Add Attribute.
      1. Set Service Provider Attribute Name to "sessionDuration"
      2. Set Value to however many minutes SAML users' sessions should last (e.g. 480 for 8 hours).
    16. Check Include Group Attribute.
      1. Change memberOf to groups.
    17. Click Save.
    18. Go back into the newly-created SSO application.
    19. Click on the "SSO" heading.
    20. Click "Export Metadata" and save it as an XML file.
    21. Click Copy Metadata URL and save this; it will be required in the Knocknoc SAML Config section.
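Added example (not part of the original guide or of Knocknoc's own code): a small standard-library Python check of the IdP metadata exported in step 20 against the values set in step 11, run before the file is uploaded in the Knocknoc SAML Config section. The sample metadata is constructed in the generic SAML 2.0 metadata layout and is not a real JumpCloud export; treat the expected entity ID and SSO URL as your own instance's values.

```python
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"

def check_idp_metadata(xml_text, expected_entity_id, expected_sso_url):
    """Return a list of problems; an empty list means the export matches the settings from step 11."""
    problems = []
    root = ET.fromstring(xml_text)  # only parse a file you exported yourself from the IdP
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        return ["root element is not md:EntityDescriptor"]
    if root.get("entityID") != expected_entity_id:
        problems.append(f"entityID is {root.get('entityID')!r}, expected {expected_entity_id!r}")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        return problems + ["no md:IDPSSODescriptor (this is not IdP metadata)"]
    # Knocknoc validates the signed assertion with the IdP signing certificate, so it must be present.
    certs = idp.findall("md:KeyDescriptor/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    if not any((c.text or "").strip() for c in certs):
        problems.append("no signing certificate (ds:X509Certificate) in IdP metadata")
    formats = [f.text.strip() for f in idp.findall("md:NameIDFormat", NS) if f.text]
    if PERSISTENT not in formats:
        problems.append(f"NameIDFormat {PERSISTENT} not advertised (found {formats})")
    locations = [s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)]
    if expected_sso_url not in locations:
        problems.append(f"SingleSignOnService {expected_sso_url} not found (found {locations})")
    # The SSO endpoint must be HTTPS; a plain-HTTP endpoint would expose the SAML exchange in transit.
    problems += [f"non-HTTPS SSO endpoint: {loc}" for loc in locations if loc and not loc.startswith("https://")]
    return problems

# Constructed sample in the standard SAML 2.0 metadata layout (not a real JumpCloud export).
SAMPLE_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="Knocknoc">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>MIIC...placeholder-not-a-real-certificate...</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://sso.jumpcloud.com/saml2/knocknoc"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

if __name__ == "__main__":
    for problem in check_idp_metadata(SAMPLE_METADATA, "Knocknoc", "https://sso.jumpcloud.com/saml2/knocknoc"):
        print("PROBLEM:", problem)
```

To check your own export, read the downloaded XML file into `xml_text` and pass the IdP Entity ID and IDP URL you chose in steps 11.1 and 11.13.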

Group and User Configuration

  1. Log in to the JumpCloud admin panel.
  2. Select "User Groups" from the left-hand menu under User Management.

  3. Click the green + to create a new group.

  4. Under Name enter the group name (e.g. ConfluenceUsers). Note: the name must match the group name in Knocknoc so that ACL assignment can be automated.
  5. Click Users and check the appropriate users.
  6. Click Applications and check the newly created application (e.g. Knocknoc).
  7. Click Save.

Knocknoc SAML Config

  1. Log in to the Knocknoc admin interface.
  2. Click on Settings on the left.
  3. Under Public URL enter your Knocknoc URL. Note: do not add a trailing / to the URL.
  4. For the SAMLMetaDataFile, upload the XML file you downloaded from JumpCloud.
  5. For the SAMLCertFile, upload the certificate (.crt) file created in the Creating an Application section.
  6. For the SAMLKeyFile, upload the key (.key) file created in the Creating an Application section.
  7. For the SAMLMetadataUrl, paste the Metadata URL copied in Step 21 of the Creating an Application section.
  8. Click Save.

Final Testing

Assuming you granted your own user permission to one or more Knocknoc groups in JumpCloud, you should now be able to log in to Knocknoc using SSO.

  1. Browse to https://demo.knoc.cloud
  2. There should now be an "SSO Login" button.
  3. Click this; if you are not already authenticated to your IdP, you should be directed to the IdP login page. Note: if you are already authenticated, you'll simply be redirected to an authenticated Knocknoc session.
  4. If ACLs have already been added, you should also see these now say Granted.

If this all works, congratulations! You've successfully run the SAML gauntlet.