JumpCloud SAML SSO

Learn how to create a JumpCloud custom SAML application for Doppler SSO.

Requirements

  • Workplace domain verified (Settings page)
  • JumpCloud account with access to create Custom SAML Apps

1. Initial Doppler SAML SSO Configuration

Go to the Doppler dashboard and from the menu click Team, then select the Settings tab from the top menu. Choose the Default Roles for users who log in via SSO.


The Role controls the initial permissions a user will receive when their account is created. We recommend keeping it at Collaborator access to follow the principle of least privilege. Users with the Owner role can adjust this after the user has logged in once. If you scroll down further on the Settings page, you'll see a breakdown of what permissions each Role has.


After setting the Default Roles, we need to enable SAML SSO in Doppler to get access to the URLs needed to configure the JumpCloud SAML SSO application.

Select the SSO tab from the top menu and scroll down to the SAML Single Sign-On section. Click the + button in the corner, choose a verified domain from the Domain dropdown menu, and then click Save.


Copy the ACS URL and Entity ID URLs to use when configuring the JumpCloud SAML SSO application.


2. Create SAML Application

In a separate window, browse to your JumpCloud dashboard and select SSO from the main menu under the User Authentication section, then click the large + button. In the window that appears, click the Custom SAML App button.


Select the General Info tab on the New Application form and name the application. Optionally, upload the Doppler logo as well.


3. JumpCloud SAML Configuration

Click the SSO tab to proceed to the SAML Settings page. Populate the form with the URLs obtained from the Doppler SAML Single Sign-On setup page in Step 1 above. They will look similar to the following:

❗️

These are example URLs only and will not work in your setup. You need to use the URLs obtained from the Doppler SAML Single Sign-On setup page referenced in Step 1 above.


Set the SAMLSubject NameID field to email and the SAMLSubject NameID Format field to urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress.


Ensure the Declare Redirect Endpoint checkbox is enabled and set the IDP URL field to doppler.


Then scroll to the Attribute section and click the add attribute button. Set Service Provider Attribute Name to name and JumpCloud Attribute Name to fullname (we're using fullname in this example, but you should set this to whatever attribute you want imported into Doppler as the user's display name).


Finally, scroll down to the bottom of the page and click the activate button. You'll get a warning that the IDP URL won't be modifiable after you activate the application. Go ahead and click the continue button to acknowledge the warning.

Click on your Doppler application in the SSO application list and then click on the SSO tab. Next, click the Export Metadata button.


4. Update Doppler SAML SSO Configuration

Navigate to the Doppler Team page and click on the SSO tab.

Scroll down to the SAML Single Sign-On section and paste in the XML metadata you downloaded at the end of Step 3 above. Check the Enable field, then click the Save button.


You're now ready to test the JumpCloud application!

5. Testing

As a JumpCloud administrator, it's presumed you'll know how to sufficiently test a new JumpCloud application, but here is a general guide.


Test sign-in flow using incognito window

Be sure to stay signed in to the Doppler dashboard until you've verified the JumpCloud sign-in flow from an incognito window.

Staying signed in to the dashboard will allow you to update the SAML settings or disable SAML SSO in the event of misconfiguration.

Click on the User Groups tab for the Doppler application and choose any groups you want to grant access to. Click the save button when you're done.


Now test the Doppler SAML sign-in flow by opening an incognito window and signing in to JumpCloud using a user from one of the groups you assigned to the application.

Click on the Doppler application to initiate the sign-in process.


You should then be redirected to the Doppler dashboard for the assigned user.

Once you've verified the Doppler SAML application is configured correctly, you can then apply your standard organization policies for people and groups assignment.

Troubleshooting

Here are some general troubleshooting tips:

  • Double-check that the IdP Entity ID, SP Entity ID, and ACS URL values match exactly what is displayed in the Doppler SAML section.
  • Check that the SAMLSubject NameID Format and SAMLSubject NameID values are correct.
  • Ensure that the name attribute has been added to the Attributes section.

If you're still running into issues, the error page should present you with a requestId value that can be used by our support team for further diagnosis.
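The checks in the list above can be run against the base64 `SAMLResponse` form field captured from your own test sign-in. This is an added example, not Doppler or JumpCloud code; it assumes an unencrypted assertion, and the sample response and every URL in it are constructed placeholders.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"p": "urn:oasis:names:tc:SAML:2.0:protocol", "a": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
# Constructed sample with a wrong NameID and no "name" attribute; URLs are placeholders.
SAMPLE_XML = (
    '<p:Response xmlns:p="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:a="urn:oasis:names:tc:SAML:2.0:assertion" Destination="https://sp.example/acs">'
    '<a:Assertion><a:Issuer>https://idp.example/entity</a:Issuer><a:Subject>'
    '<a:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">u-1842</a:NameID>'
    '<a:SubjectConfirmation><a:SubjectConfirmationData Recipient="https://sp.example/acs"/>'
    '</a:SubjectConfirmation></a:Subject><a:Conditions><a:AudienceRestriction>'
    '<a:Audience>https://sp.example/entity</a:Audience></a:AudienceRestriction></a:Conditions>'
    '<a:AttributeStatement><a:Attribute Name="email"/></a:AttributeStatement>'
    '</a:Assertion></p:Response>'
)
SAMPLE = base64.b64encode(SAMPLE_XML.encode())

def check_response(b64_response, idp_entity_id, sp_entity_id, acs_url):
    """Return a list of mismatches (empty means all checks passed).
    Diagnostic only: the signature is not verified, so never use this to authenticate."""
    root = ET.fromstring(base64.b64decode(b64_response))
    problems = []
    def text(path):
        node = root.find(path, NS)
        return node.text.strip() if node is not None and node.text else None
    def expect(label, actual, wanted):
        if actual != wanted:
            problems.append(f"{label}: got {actual!r}, expected {wanted!r}")
    expect("IdP Entity ID (Issuer)", text("a:Assertion/a:Issuer"), idp_entity_id)
    expect("SP Entity ID (Audience)", text(".//a:AudienceRestriction/a:Audience"), sp_entity_id)
    expect("ACS URL (Destination)", root.get("Destination"), acs_url)
    conf = root.find(".//a:SubjectConfirmationData", NS)
    expect("ACS URL (Recipient)", conf.get("Recipient") if conf is not None else None, acs_url)
    name_id = root.find(".//a:Subject/a:NameID", NS)
    expect("NameID Format", name_id.get("Format") if name_id is not None else None, EMAIL_FORMAT)
    value = name_id.text if name_id is not None and name_id.text else ""
    if "@" not in value:
        problems.append(f"NameID value {value!r} is not an email address")
    attrs = {a.get("Name") for a in root.findall(".//a:AttributeStatement/a:Attribute", NS)}
    if "name" not in attrs:
        problems.append("attribute 'name' missing from AttributeStatement")
    return problems

if __name__ == "__main__":
    for line in check_response(SAMPLE, "https://idp.example/entity",
                               "https://sp.example/entity", "https://sp.example/acs"):
        print(line)
```

Pass the ACS URL and Entity ID values exactly as shown in the Doppler SAML section; comparison is exact, so a trailing slash or different scheme is reported as a mismatch.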


Awesome Work!

Your custom JumpCloud Doppler SAML 2.0 application is now set up!
