# Set up SSO using SAML All Cerby users are able to configure a default Identity Provider (IdP) such as JumpCloud to leverage the Single Sign-On (SSO) authentication feature to securely authenticate using a single set of credentials. JumpCloud uses a Security Assertion Markup Language (SAML) application to integrate with other service providers easily. In this case, the integration is with Amazon Cognito, and the SAML application is customized and points to a specific Cerby workspace. This article describes how to configure JumpCloud as the primary IdP to enable SSO with the Cerby platform using a SAML integration. *** ## Supported features The following are the supported features of configuring SSO between Cerby and JumpCloud with SAML: * **Service provider-initiated authentication flow:** This authentication flow occurs when users attempt to log in to the application from Cerby. * **Automatic user account creation in Cerby:** This provisioning flow in Cerby occurs automatically on the initial SSO. *** ## Requirements The following are the requirements to configure SSO between Cerby and JumpCloud: * You must have administrator access to a JumpCloud tenant account. * You must have an internal JumpCloud user who can get an application assigned via groups. * You must have a user group to assign the application to. This group must have users already assigned as members. * You must have received an invitation from Cerby Support via email to create a workspace. **IMPORTANT:** If you have not received an invitation, send an email to with your request. *** ## Configuring SSO between Cerby and JumpCloud with SAML To configure SSO between Cerby and JumpCloud with a SAML integration, you must complete four main steps: 1. [Set up a workspace in Cerby](#id-1.-set-up-a-workspace-in-cerby) 2. [Create an application in JumpCloud](#id-2.-create-an-application-in-jumpcloud) 3. [Configure the connection settings](#id-3.-configure-the-connection-settings) 4. [Finish the workspace creation in Cerby](#id-4.-finish-the-workspace-creation-in-cerby) The following sections describe each step. ### 1. Set up a workspace in Cerby To set up a workspace in Cerby, complete the following steps: 1. Click the **Create your Workspace** button from the invitation email. The **Welcome to Cerby** page is displayed, as shown in **Figure 1**.

Figure 1. Welcome to Cerby Page

2. Click the **Set up Generic SAML** button. The **Let's create your workspace** page is displayed. 3. Enter the name of your workspace in the **Workspace name** field, as shown in **Figure 2**. For example, **Contentzilla**.

Figure 2. Let's Create Your Workspace Page

**NOTE:** Remember the workspace name that you have entered. You need it later. 4. Click the **Create Workspace** button. The **Configure SSO through Your Generic SAML App** page is displayed, as shown in **Figure 3**. This page contains information to configure the Cerby application in your JumpCloud tenant.

Figure 3. Configure SSO through Your Generic SAML App Page

**IMPORTANT:** Keep the **Configure SSO through Your Generic SAML App** page open because it contains the required values that you must provide to JumpCloud and Cerby to complete the configuration. The next step is [2. Create an application in JumpCloud](#id-2.-create-an-application-in-jumpcloud), which you must complete from JumpCloud. *** ### 2. Create an application in JumpCloud To create an application in JumpCloud, complete the following steps: 1. Log in to the [JumpCloud Console](https://console.jumpcloud.com/login/admin) as an administrator. 2. Click the **SSO** button from the **USER AUTHENTICATION** drop-down list located in the left navigation drawer. The **SSO** page is displayed, as shown in **Figure 4**.

Figure 4. SSO Page

3. Click the **Add app** icon located to the left of the **Search** bar. The **Configure New SSO Application** dialog box is displayed, as shown in **Figure 5**.

Figure 5. Configure New SSO Application Dialog Box

4. Click the **Custom SAML App** button located at the bottom of the dialog box. The **New Application** dialog box is displayed with the **General Info** tab activated, as shown in **Figure 6**.

Figure 6. General Info Tab in the New Application Dialog Box

5. Enter a name for your JumpCloud SAML application in the **Display Label** field. For example, **Cerby SAML Contentzilla**. The next step is [3. Configure the connection settings](#id-3.-configure-the-connection-settings), which you must complete from the **New Application** dialog box. *** ### 3. Configure the connection settings To configure the connection settings of the SAML application with Cerby, complete the following steps: 1. Activate the **SSO** tab, as shown in **Figure 7**.

Figure 7. SSO Tab in the New Application Dialog Box

2. Enter the following information in the corresponding fields: * Enter **`https://jumpcloud.com`** in the **IdP Entity ID** field. * Enter the corresponding values in the **SP Entity ID** and **ACS URL** fields from the **Configure SSO through Your Generic SAML App** page that you left open. 3. Select the **Declare Redirect Endpoint** option located below on the page. 4. Enter the attribute metadata required by Amazon Cognito by performing the following actions: 1. Click three times the **add attribute** button of the **USER ATTRIBUTE MAPPING** field located at the bottom of the dialog box in the **Attributes** section. The **Service Provider Attribute Name** field and **JumpCloud Attribute Name** drop-down list are displayed with three rows, as shown in **Figure 8**.

Figure 8. Attributes Section

2. Select the **email** option from the **JumpCloud Attribute Name** drop-down list in the first row. 3. Enter **`http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress`** in the **Service Provider Attribute Name** field for the first row. 4. Select the **lastname** option from the **JumpCloud Attribute Name** drop-down list in the second row. 5. Enter **`http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname`** in the corresponding **Service Provider Attribute Name** field for the second row. 6. Select the **firstname** option from the **JumpCloud Attribute Name** drop-down list in the third row. 7. Enter **`http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name`** in the corresponding **Service Provider Attribute Name** field for the third row. 5. Activate the **User Groups** tab, as shown in **Figure 9**.

Figure 9. User Groups Tab in the New Application Dialog Box

6. Select the option of the user group you want to assign the SAML application. 7. Click the **activate** button located at the bottom of the dialog box. The **Please confirm your new SSO connector instance** dialog box is displayed. 8. Click the **continue** button. The dialog box closes, and the **SSO** page is displayed with the SAML application you added recently and a success message box. 9. Open the SAML application you added. The **SAML 2.0** dialog box is displayed. 10. Activate the **SSO** tab, as shown in **Figure 10**.

Figure 10. SSO Tab in the SAML 2.0 Dialog Box

11. Click the **Export Metadata** button below the **JumpCloud Metadata** field. An XML metadata file is automatically downloaded to your computer. The next step is [4. Finish the workspace creation in Cerby](#id-4.-finish-the-workspace-creation-in-cerby). *** ### 4. Finish the workspace creation in Cerby To finish the workspace creation in Cerby, complete the following steps from the **Configure SSO through Your Generic SAML App** page that you left open: 1. Upload the XML that you downloaded recently. The name of the file is displayed below the **Metadata XML file** field when it is uploaded. **TIP:** You can drag the file from another window or click the button below the **Metadata XML file** field to look for the file on your computer. 2. Select the **I have already assigned users or groups to the application** option located in the **4. Assign People or Groups** section. 3. Click the **Finish Configuration** button located at the bottom of the page. The **Your Workspace** page is displayed confirming that your workspace has been created successfully. 4. Click the **Login** button. The login page of JumpCloud is displayed. 5. Authenticate with the credentials (email address and password) you use for JumpCloud. The Cerby dashboard is displayed. Now you are done. {% hint style="danger" %} **IMPORTANT:** Currently, after creating a workspace, you cannot change its name or update the IdP settings. {% endhint %} --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://help.cerby.com/setup-and-admin/workspace-identity-federation/jumpcloud/configure-sso-between-cerby-and-jumpcloud-with-saml.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.