JumpCloud is one of the SAML identity providers (IdPs) you can use with Hudu.
Before setting up the JumpCloud integration, read our Understanding SAML/SSO article to learn the basic concepts and useful tips.
To set up SSO with JumpCloud, you will need:
- A JumpCloud account with admin permissions.
- An Admin or Super Admin user role within Hudu.
- Every user provisioned in JumpCloud with exactly the same email address as their Hudu account. SSO does not create new Hudu user accounts; the email address in the SAML NameID is matched against an existing Hudu user.
- The users already created in Hudu before you start this process.
Guides
How to Enable SSO
- Log in to Hudu and click the Admin tab on the top toolbar.
- Click General.
- Click Configure Single Sign-On.
- Enter the SAML details. See the relevant sections below on how to fill this information out.
- Click Enable Single Sign-On.
- Click Update SAML Details. SAML is now active.
Configuring JumpCloud
- In JumpCloud, as an administrator:
- Navigate to JumpCloud Admin >> SSO and click the + button to add a new application.
- At the bottom of the panel, click Can't Find an Application >> Custom SAML App.
- Under General Info, give the app a name and an optional description.
- In the SSO tab, enter the following in the fields:
- IdP Entity ID: Enter your Hudu URL, e.g. https://docs.mywebsite.com
- SP Entity ID: Enter your Hudu URL, e.g. https://docs.mywebsite.com
- ACS URL: Enter https://docs.mywebsite.com/saml/consume (this is the endpoint JumpCloud posts the signed assertion to, so it must be your real Hudu hostname over https)
- Sign-on URL: Enter https://docs.mywebsite.com
- Default Relay State: You can leave this empty.
- SAML Subject NameID: Email
- SAML Subject NameID Format: Choose EmailAddress
- Signature Algorithm: RSA-SHA1. SHA-1 is deprecated for XML signatures; JumpCloud also offers RSA-SHA256, so prefer that if your Hudu instance accepts it.
- Logout URL: Enter a URL where Hudu can redirect users after they sign out.
- Make sure to replace docs.mywebsite.com with your own domain and subdomain. There is no trailing slash at the end of the URL.
- Assign a user group containing the users whose email addresses MATCH their Hudu accounts.
Configuring Hudu
- In Hudu, with a user role of Admin or Super Admin:
- Navigate to your Hudu admin area >> General >> SAML/SSO Configure.
- Provide the Identity Provider (IdP) information:
- SAML Issuer URL: This is what JumpCloud calls the "IdP Entity ID". Copy it exactly into Hudu.
- SAML Login URL: This is what JumpCloud calls the "IDP URL". Copy it exactly into Hudu.
- SAML Logout URL: This is also what JumpCloud calls the "IDP URL". Copy it exactly into Hudu.
- SAML Fingerprint:
- To make sure you obtain the correct fingerprint (thumbprint) for your chosen hash algorithm:
- Copy the certificate that JumpCloud shows for the application.
- Paste the certificate into a tool such as https://developers.onelogin.com/saml/online-tools/x509-certs/calculate-fingerprint, or compute it locally. The fingerprint is simply the SHA-1 or SHA-256 hash of the certificate's DER bytes; the certificate is public, but a local calculation avoids depending on a third-party site.
- Choose either SHA-1 or SHA-256 as the algorithm.
- If you choose SHA-256, you must also check the 'Use SHA-256' option in the Hudu SAML setup area; otherwise the fingerprint you enter will not match.
- Copy either the formatted (colon-separated) or unformatted fingerprint and paste it into the Hudu SAML Fingerprint field.
- SAML Certificate: This is provided by JumpCloud and must be the same certificate you used to calculate the fingerprint; copy it exactly.
- The -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines should be included.
- Copy the X.509 Certificate field and paste it into the SAML Certificate field. Make sure there is no trailing whitespace at the end.
- SAML ARN: This is the Requested Authentication Context (RequestedAuthnContext) that Hudu sends to the IdP in its authentication request. The AuthnContext describes the method by which the user is expected to log in (password, passwordless, and so on).
- A Requested Authentication Context may be required by your IdP, but it is typically optional.
- If you select Do not pass RequestedAuthnContext, Hudu omits the element and accepts whatever method the IdP used; the IdP then reports in the assertion how it identified the user, or declines to say.
- If you have users who use passwordless login to your IdP, Do not pass RequestedAuthnContext must be selected: a request for Password or PasswordProtectedTransport cannot be satisfied by a passwordless login.
- If you specify Password, the IdP knows it has to authenticate the user with a username and password.
- If you specify PasswordProtectedTransport, the IdP knows it has to authenticate the user with a username and password over a channel protected by SSL/TLS.
- Click Enable Single Sign-On.
- Click Update SAML Details. SAML is now active.
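Because most failed SAML setups come down to a mismatched URL, a stray slash, a fingerprint computed with the wrong hash, or whitespace pasted into the certificate field, the following added example (not Hudu or JumpCloud code) checks those inputs before you touch the form. It derives the SP-side values JumpCloud needs from the Hudu base URL, validates the pasted X.509 certificate the way the Hudu field expects it, and computes the SHA-1 and SHA-256 fingerprints locally with the standard library so no third-party site is involved. The sample certificate body is constructed (it decodes to the bytes "abc", not a real certificate) so that the resulting fingerprints can be checked against published hash test vectors; all URLs are placeholders.

```python
"""Pre-flight check of the values that go into Hudu's SAML/SSO form."""
import base64
import hashlib
import re
from urllib.parse import urlsplit

PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
PEM_END = "-----END CERTIFICATE-----"


def url_problems(hudu_url: str) -> list:
    """Return a list of reasons the Hudu base URL is unusable as entity ID /
    sign-on URL (empty list means it is fine)."""
    problems = []
    parts = urlsplit(hudu_url)
    if parts.scheme != "https" or not parts.netloc:
        problems.append("URL must be an absolute https:// URL")
    if parts.path or parts.query or parts.fragment or hudu_url.endswith("/"):
        problems.append("URL must be scheme and host only, with no path or trailing slash")
    return problems


def sp_settings(hudu_url: str) -> dict:
    """Derive the values for JumpCloud's custom SAML app from the Hudu URL."""
    problems = url_problems(hudu_url)
    if problems:
        raise ValueError("; ".join(problems))
    return {
        "idp_entity_id": hudu_url,  # the article sets this to the Hudu URL as well
        "sp_entity_id": hudu_url,
        "acs_url": hudu_url + "/saml/consume",
        "sign_on_url": hudu_url,
    }


def certificate_problems(pem: str) -> list:
    """Check the pasted certificate the way the Hudu field expects it:
    BEGIN/END markers present, valid base64 body, no trailing whitespace."""
    problems = []
    if pem != pem.rstrip():
        problems.append("certificate has trailing whitespace; remove it")
    lines = [ln.strip() for ln in pem.strip().splitlines() if ln.strip()]
    if not lines or lines[0] != PEM_BEGIN or lines[-1] != PEM_END:
        problems.append("certificate must start with the BEGIN and end with the END CERTIFICATE line")
        return problems
    body = "".join(lines[1:-1])
    if not re.fullmatch(r"[A-Za-z0-9+/]+=*", body):
        problems.append("certificate body is not valid base64")
    return problems


def certificate_der(pem: str) -> bytes:
    """Return the DER bytes the fingerprint is computed over."""
    problems = certificate_problems(pem)
    if problems:
        raise ValueError("; ".join(problems))
    lines = [ln.strip() for ln in pem.strip().splitlines() if ln.strip()]
    return base64.b64decode("".join(lines[1:-1]), validate=True)


def fingerprint(pem: str, algorithm: str = "sha256", formatted: bool = True) -> str:
    """Fingerprint = hash of the DER certificate. 'formatted' gives the
    colon-separated form; Hudu accepts either form."""
    if algorithm not in ("sha1", "sha256"):
        raise ValueError("algorithm must be sha1 or sha256")
    digest = hashlib.new(algorithm, certificate_der(pem)).hexdigest().upper()
    if not formatted:
        return digest
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def hudu_form_values(hudu_url: str, pem: str, use_sha256: bool) -> dict:
    """Everything you paste into Hudu. The fingerprint algorithm is tied to
    the 'Use SHA-256' checkbox so the two cannot drift apart."""
    algorithm = "sha256" if use_sha256 else "sha1"
    return {
        **sp_settings(hudu_url),
        "use_sha256": use_sha256,
        "saml_fingerprint": fingerprint(pem, algorithm),
        "saml_certificate": pem,
    }


# Constructed sample: the body is NOT a real certificate, just the bytes "abc"
# in base64, chosen so the fingerprints match the standard SHA test vectors.
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\nYWJj\n-----END CERTIFICATE-----"

if __name__ == "__main__":
    for key, value in hudu_form_values("https://docs.mywebsite.com", SAMPLE_PEM, use_sha256=True).items():
        print(f"{key}: {value}")
```

Run it against the certificate you copied from JumpCloud (with a real certificate in place of the constructed sample) and the value printed for saml_fingerprint is what goes into the Hudu field, with use_sha256 telling you which way to set the checkbox.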
Testing SAML
Open an incognito window and try to access Hudu. You should be redirected to the login page, where you will see a "Use Single Sign On (SSO)" button. If you can log in successfully via this button, your SAML is working.
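If the test login fails for a user who signs in to JumpCloud without a password, the SAML ARN (RequestedAuthnContext) setting described above is the usual cause. The following added example (not Hudu or JumpCloud code) shows what each of the three choices puts into the authentication request Hudu sends, and simulates the IdP's decision when the method it actually used does not match what was requested. The AuthnContext class URNs are the standard SAML 2.0 values; the Hudu and JumpCloud URLs are placeholders, and the passwordless login is modelled as the IdP reporting the "unspecified" class.

```python
"""How the SAML ARN choice changes Hudu's AuthnRequest, and why passwordless
users need "Do not pass RequestedAuthnContext"."""
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS_SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
NS_SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", NS_SAMLP)
ET.register_namespace("saml", NS_SAML)

# Standard SAML 2.0 authentication-context class URNs.
PASSWORD = "urn:oasis:names:tc:SAML:2.0:ac:classes:Password"
PASSWORD_PROTECTED_TRANSPORT = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
UNSPECIFIED = "urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified"

# The three options of Hudu's SAML ARN field as this example models them.
HUDU_OPTIONS = {
    "Do not pass RequestedAuthnContext": None,
    "Password": PASSWORD,
    "PasswordProtectedTransport": PASSWORD_PROTECTED_TRANSPORT,
}


def build_authn_request(sp_entity_id, acs_url, idp_url, requested_context=None):
    """Return the AuthnRequest XML the SP sends. requested_context=None omits
    the RequestedAuthnContext element entirely."""
    root = ET.Element(f"{{{NS_SAMLP}}}AuthnRequest", {
        "ID": "_" + uuid.uuid4().hex,
        "Version": "2.0",
        "IssueInstant": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "Destination": idp_url,
        "AssertionConsumerServiceURL": acs_url,
        "ProtocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
    })
    ET.SubElement(root, f"{{{NS_SAML}}}Issuer").text = sp_entity_id
    ET.SubElement(root, f"{{{NS_SAMLP}}}NameIDPolicy", {
        "Format": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
        "AllowCreate": "false",  # the SP matches existing accounts by email only
    })
    if requested_context is not None:
        rac = ET.SubElement(root, f"{{{NS_SAMLP}}}RequestedAuthnContext",
                            {"Comparison": "exact"})
        ET.SubElement(rac, f"{{{NS_SAML}}}AuthnContextClassRef").text = requested_context
    return ET.tostring(root, encoding="unicode")


def requested_contexts(authn_request_xml):
    """IdP side: the AuthnContextClassRef values the SP asked for."""
    root = ET.fromstring(authn_request_xml)
    return [e.text for e in root.iter(f"{{{NS_SAML}}}AuthnContextClassRef")]


def idp_can_satisfy(authn_request_xml, method_used):
    """Simulated IdP decision for Comparison="exact": the class of the login
    it performed must be one of the requested ones, unless none was requested.
    A mismatch is what produces a failed SSO login for the user."""
    wanted = requested_contexts(authn_request_xml)
    return not wanted or method_used in wanted


if __name__ == "__main__":
    sp, acs, idp = ("https://docs.mywebsite.com",
                    "https://docs.mywebsite.com/saml/consume",
                    "https://sso.jumpcloud.com/saml2/example")  # placeholders
    logins = {"password over TLS": PASSWORD_PROTECTED_TRANSPORT,
              "passwordless (reported as unspecified)": UNSPECIFIED}
    for option, context in HUDU_OPTIONS.items():
        request = build_authn_request(sp, acs, idp, context)
        for name, used in logins.items():
            verdict = "accepted" if idp_can_satisfy(request, used) else "REJECTED"
            print(f"{option:36} + {name:38} -> {verdict}")
```

The table the script prints is the whole point of the option: only "Do not pass RequestedAuthnContext" is accepted for both login methods, which is why it is mandatory once any user logs in to the IdP without a password.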
Disable Password Access for non-Admins
You have the option to disable password logins for non-administrators (users who are not Super Admins or Admins). When you click "Disable Password Access for non-Admins", all users below Admin must use single sign-on exclusively to access your Hudu environment.
Admins can still sign in via an admin sign-in page. This prevents you from being locked out of your account when your Identity Provider is unavailable. Because that page bypasses your IdP, keep the set of Admin accounts small and their passwords strong.