
SAML with JumpCloud - Users and Admins

This document describes the configuration work required to make Knocknoc (optionally) use a JumpCloud SAML Identity Provider ("IdP") as an authentication mechanism. It assumes that you already have administrative access to an operational JumpCloud tenant, and that Knocknoc is installed, configured, and running. The examples below assume your Knocknoc instance is located at https://demo.knoc.cloud; wherever you see that URL, substitute your own instance URL.

Knocknoc supports having two IdPs, one for users and one for admins. Admin setup is covered in a later section.

First set up users, and then we can set up admins.

Generate SAML Service Provider keypair

SAML uses X.509 certificates and RSA key pairs to authenticate the IdP (JumpCloud) and the Service Provider ("SP", i.e. Knocknoc) to each other, and to make sure that nobody's doing any lying about the whole operation. JumpCloud will sort out the cert/key for its end, so we just need to issue a self-signed certificate for Knocknoc for a key that we generate.

  1. Create a self-signed certificate and RSA private key for Knocknoc by running the following commands:

    cd /opt/knocknoc/etc/
    openssl req -new -x509 -days 3650 -nodes -subj /CN=Knocknoc/ -out user-idp.crt -keyout user-idp.key

    For your admin SAML, you need a separate key:

    cd /opt/knocknoc/etc/
    openssl req -new -x509 -days 3650 -nodes -subj /CN=Knocknoc/ -out admin-idp.crt -keyout admin-idp.key
  2. Set the permissions so that the knocknoc user can access the key:

    chown knocknoc:knocknoc *.key
    chown knocknoc:knocknoc *.crt
  3. Download a copy of the certificate (just the certificate, not the private key) to your local workstation, as you'll need to upload it to JumpCloud in the next phase of configuration.

JumpCloud Configuration for User SAML

  1. Login to your JumpCloud tenant as an administrator.

  2. From the left-hand menu, select the "SSO" option (under "User Authentication").

  3. Click the "Get Started" button.

  4. Click Select on Custom Application in the bottom right of the Featured Applications pane and click Next.

  5. Click Next.

  6. Choose Manage Single Sign-On, then Configure SSO with SAML, and click Next.

  7. Enter a name for your application under Display Label (e.g. Knocknoc).

  8. Scroll down and click Advanced Settings.

  9. Enter a URL that sounds semi-unique enough for the SSO IdP URL (e.g. papercompany-knocknoc).

  10. Click Save Application.

  11. Click Configure Application, and we are onto the hard bit.

  12. In the "Single Sign-On Configuration" section, fill out the form items. Remember to replace https://demo.knoc.cloud with the public URL of your Knocknoc service.

      • Set the IdP Entity ID to "Knocknoc". Note: this is a good default, but if you intend to run multiple Knocknoc instances in the JumpCloud tenant, choose something unique.
      • Set the SP Entity ID to https://demo.knoc.cloud/api/saml/metadata
      • Set the ACS URL to https://demo.knoc.cloud/api/saml/acs
      • SP Certificate: click 'Upload SP Certificate', and choose the user certificate (.crt) you generated in the previous section. If all goes well, you'll get a little pop-up saying "successfully read SP certificate".
      • Set SAMLSubject NameID to "username"
      • Set SAMLSubject NameID Format to "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
      • Leave the Signature Algorithm as RSA-SHA256 (it should already be set to that)
      • Check Sign Assertion
      • Leave Default RelayState blank
      • Enter the Login URL as https://demo.knoc.cloud/api/login/saml
      • Check Declare Redirect Endpoint
      • Set the IDP URL to https://sso.jumpcloud.com/saml2/knocknoc. Note: this is a default; if you intend to run multiple Knocknoc instances in the JumpCloud tenant, choose something unique, as in step 9.
      • Under User Attribute Mapping, click Add Attribute. This tells JumpCloud to tell Knocknoc the real name of the user:
        • Set Service Provider Attribute Name to "realName"
        • Set JumpCloud Attribute Name to "fullname"
  13. Under Constant Attributes, click Add Attribute. This tells JumpCloud to tell Knocknoc how long to keep sessions open:
      • Set Service Provider Attribute Name to "sessionDuration"
      • Set Value to however many minutes SAML users' sessions should last (e.g. 480 for 8 hours)
  14. Under Group Attributes, tick Include group attribute, and change the attribute name in the text box from memberOf to groups (the boilerplate says memberOf, which is naughty). This tells JumpCloud to pass the list of groups to Knocknoc.
  15. After that fairly massive effort, you can now click "Save". Phew! If all goes well, you'll get a pleasant "SSO application created" pop-up.
  16. Finally, go back into the newly-created SSO application, scroll down, expand the "SSO" heading, and click "Export Metadata". Save this XML file locally somewhere; we'll use it shortly. It is full of the details that Knocknoc needs to use the IdP.
  17. Click Copy Metadata URL and save that URL as well; it will be required for the Knocknoc SAML Config.

    Knocknoc Configuration for Users

    1. Upload the IdP metadata XML you downloaded in the previous section to the Knocknoc server, in a location that Knocknoc can access. You might want to move the keys you made earlier to the same location.

    2. Upload the cert and key you created.

    If all has gone according to plan, the Knocknoc login page should now have a new "SSO Login" link on it. This is the magic button to login with SAML. However, at present it won't work for anyone, because no user has the necessary JumpCloud magicks yet. That'll be sorted out in the next section.

    JumpCloud Group / User Configuration

    Back into the JumpCloud admin panel now. First off, we'll create some groups for our Knocknoc-capable users to be a part of.

    1. Select "User Groups" from the left-hand menu (under "User Management").

    2. Create zero or more groups to hold Knocknoc-capable JumpCloud users. For the most part, there's nothing special about them, and you can in theory use existing JC groups. However, the caveats are:

      • The name of the group in JumpCloud must match exactly (capitalisation, spaces and all) the name of the corresponding group in Knocknoc, if you want that group to grant access to the ACLs of the corresponding Knocknoc group.

      • The same "strict match" rule applies to the JC group name for the SAMLAdminGroup you configured.

      • The group must be bound to the JumpCloud application you configured previously (it must be ticked in the list under the "Applications" tab of the group) otherwise the group won't be sent to Knocknoc.

    Finally, assign users to the groups you've bound to the Knocknoc application -- probably by going to the "Users" tab of the group and ticking away like a dog running through the bush.
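As an added example (not Knocknoc's or JumpCloud's own code), the Python below checks the attribute contract the application steps above configure and the strict group-name match described in the caveats: the assertion must be signed, the NameID must be persistent, realName, sessionDuration and a groups attribute (not memberOf) must be present, and only group names identical to Knocknoc's grant ACLs. The assertion is a constructed sample laid out as a simplified SAML 2.0 assertion, not a captured JumpCloud response.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion", "ds": "http://www.w3.org/2000/09/xmldsig#"}
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"

# Constructed sample shaped like the mapping configured above (not a real capture).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_constructed" Version="2.0">
  <ds:Signature><ds:SignatureValue>placeholder</ds:SignatureValue></ds:Signature>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">jdoe</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="realName"><saml:AttributeValue>Jane Doe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="sessionDuration"><saml:AttributeValue>480</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>ConfluenceUsers</saml:AttributeValue>
      <saml:AttributeValue>confluenceusers</saml:AttributeValue>
      <saml:AttributeValue>VPN Users</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def parse_assertion(xml_text):
    """Extract what Knocknoc relies on and list any deviations from the configured contract."""
    root = ET.fromstring(xml_text)
    problems = []
    # Sign Assertion was ticked in JumpCloud, so an unsigned assertion is a misconfiguration.
    if root.find("ds:Signature", NS) is None:
        problems.append("assertion is not signed")
    name_id = root.find("saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != PERSISTENT:
        problems.append("NameID is missing or not persistent")
    attrs = {a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", NS)]
             for a in root.findall("saml:AttributeStatement/saml:Attribute", NS)}
    if "memberOf" in attrs and "groups" not in attrs:
        problems.append("groups arrived as memberOf; rename the group attribute to groups")
    problems += [f"missing attribute {n}" for n in ("realName", "sessionDuration", "groups") if n not in attrs]
    duration = attrs.get("sessionDuration", [None])[0]
    return {"user": name_id.text if name_id is not None else None,
            "real_name": attrs.get("realName", [None])[0],
            "session_minutes": int(duration) if duration and duration.isdigit() else None,
            "groups": attrs.get("groups", []), "problems": problems}

def matched_groups(sent_groups, knocknoc_groups):
    """Strict match: only names identical in capitalisation and spacing grant that group's ACLs."""
    known = set(knocknoc_groups)
    return [g for g in sent_groups if g in known]
```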

    JumpCloud Configuration for Admin SAML

    1. Login to your JumpCloud tenant as an administrator. Note: this can be a separate JumpCloud tenant from your User tenant.

    2. From the left-hand menu, select the "SSO" option (under "User Authentication").

    3. Click the green "Get Started" button, or "Add Application" if you already have some applications.

    4. Click Select on Custom Application in the bottom right of the Featured Applications pane

    5. Click Next

    6. Choose Manage Single Sign-On, then Configure SSO with SAML, and click Next.

    7. Enter a Name for your application, like Demo Knocknoc, then under Advanced Settings drop down and enter a URL that sounds unique enough for the SSO IdP URL, like demoknocknoc.

    8. Then choose Configure Application, and we are onto the hard bit.

    9. In the "Single Sign-On Configuration" section, fill out the form items. Remember to replace https://demo.knoc.cloud with the public URL of your Knocknoc service.

      • IdP Entity ID: "Knocknoc" is a good default, but if there's more than one Knocknoc in the JumpCloud tenant, choose something else that sounds good.
      • SP Entity ID: https://demo.knoc.cloud/api/admin/saml/metadata
      • ACS URL: https://demo.knoc.cloud/api/admin/saml/acs
      • SP Certificate: Click 'Upload SP Certificate', and choose the admin certificate you generated in the keypair section. If all goes well, you'll get a little pop-up saying "successfully read SP certificate".
      • SAMLSubject NameID: username
      • SAMLSubject NameID Format: urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
      • Signature Algorithm: RSA-SHA256 (should already be set to that)
      • Sign Assertion: tick this box
      • Default RelayState: leave blank
      • Login URL: https://demo.knoc.cloud/api/admin/login/saml
      • Declare Redirect Endpoint: tick this box
      • IDP URL: https://sso.jumpcloud.com/saml2/knocknocadmin (can be something else if there's more than one Knocknoc in the JumpCloud tenant)
      • User Attribute Mapping:
        1. Tell JumpCloud to tell Knocknoc the real name of the user:
        • Service Provider Attribute Name: realName
        • JumpCloud Attribute Name: fullname
      • Constant Attributes:
        1. Tell JumpCloud to tell Knocknoc how long to keep sessions open:
        • Service Provider Attribute Name: sessionDuration
        • Value: however many minutes SAML users' sessions should last
      • Group Attributes:
        1. Tell JumpCloud to pass the list of groups to Knocknoc:
        • Include group attribute: tick this box
        • Unlabelled text box: groups (the boilerplate says memberOf, which is naughty)
    10. After that fairly massive effort, you can now click "save". Phew!

    11. If all goes well, you'll get a pleasant "SSO application created" pop-up.

    12. Finally, go back into the newly-created SSO application, scroll down, expand the "SSO" heading, and click "Export Metadata". Save this file locally somewhere, we'll use it shortly. This is an XML file full of the details that Knocknoc needs to use the IdP.

    Knocknoc Configuration for Admins

    1. Upload the IdP metadata you downloaded in the previous section to the Knocknoc server.

    2. Upload the admin cert and key.

    Your Knocknoc admin section is at https://demo.knoc.cloud/admin, or whatever you called your site. If all has gone according to plan, the admin login page should now have a new "SSO Login" link on it. This is the magic button to login with SAML. However, at present it won't work for anyone, because no admin has the necessary JumpCloud magicks yet. That'll be sorted out in the next section.

    JumpCloud Group / User Configuration

    Back into the JumpCloud admin panel now. First off, we'll create some groups for our Knocknoc-capable users to be a part of. Admins can't be part of groups, and hence can't have ACLs assigned to them. I suppose you could make your /admin URL be only accessible after a user auths to knocknoc, which we will cover later.

    1. Select "User Groups" from the left-hand menu (under "User Management").

    2. Create zero or more groups to hold Knocknoc-capable JumpCloud admins. For the most part, there's nothing special about them, and you can in theory use existing JC groups. However, the caveats are:

      • The name of the group in JumpCloud must match exactly (capitalisation, spaces and all) the name of the corresponding group in Knocknoc, if you want that group to grant access to the ACLs of the corresponding Knocknoc group.

      • The group must be bound to the JumpCloud application you configured previously (it must be ticked in the list under the "Applications" tab of the group), otherwise the group won't be sent to Knocknoc.

    To create a group:

      • Under Name, enter the group name (e.g. ConfluenceUsers). Note: the name must match the group name in Knocknoc to allow ACL assignment to be automated.
      • Click Users and check the appropriate users.
      • Click Applications and check the newly created application (e.g. Knocknoc).
      • Click Save.

    Knocknoc SAML Config

    1. Log in to the Knocknoc admin interface.
    2. Click Settings on the left.
    3. Under Public URL, enter your Knocknoc URL. Note: do not add a / at the end of the URL.
    4. For SAMLMetaDataFile, upload the XML file you downloaded from JumpCloud.
    5. For SAMLCertFile, upload the certificate (.crt) file created in the Generate SAML Service Provider keypair section.
    6. For SAMLKeyFile, upload the key (.key) file created in the Generate SAML Service Provider keypair section.
    7. For SAMLMetadataUrl, paste the Metadata URL you copied at the end of the JumpCloud application configuration.
    8. Click Save.


    Final Testing

    Assuming you granted your own user permission to one or more Knocknoc groups in JumpCloud, you should now be able to login to Knocknoc using SSO. To make sure you're up and running:

    1. Browse to https://demo.knoc.cloud (your Knocknoc server).
    2. There should now be an "SSO Login" button; click it.
    3. If you are not already authenticated to your IdP, you should now be directed to the IdP login page (use your user account, not an admin account). If you logged into JumpCloud recently, you should just be dropped into an authenticated Knocknoc session, either as a Knocknoc admin (if your JC user is in the SAMLAdminGroup group) or otherwise as an ordinary user.
    4. In either event, you should have all the ACLs associated with the Knocknoc groups you're a member of in JC; if ACLs have already been added, you should also see these now say Granted.

    If this all works, congratulations! You've successfully run the SAML gauntlet.