Log in with JumpCloud
This source lets users authenticate with their JumpCloud credentials by configuring JumpCloud as a federated identity provider using SAML or OpenID Connect (OIDC).
Preparation
The following placeholders are used in this guide:
authentik.companyis the FQDN of the authentik installation.jumpcloud-slugis the slug to assign to the source in authentik (for example,jumpcloud).
Configuration methods
You can integrate JumpCloud with authentik using either SAML or OpenID Connect (OIDC). Select a tab below for the corresponding instructions.
- SAML
- OIDC
SAML
JumpCloud configuration
To integrate JumpCloud with authentik, create a custom SAML application in the JumpCloud Admin Portal.
-
Log in to the JumpCloud Admin Portal as an administrator.
-
Navigate to Access > SSO Applications and click Add New Application.
-
Select Custom Application and click Next.
-
Under Manage Single Sign-On (SSO), select Configure SSO with SAML, then click Next.
-
Set the Display Label to
authentikand click Save Application, then click Configure Application. -
On the SSO tab, configure the following settings:
- SP Entity ID:
https://authentik.company/source/saml/jumpcloud/metadata/ - ACS URL:
https://authentik.company/source/saml/jumpcloud/acs/ - SAMLSubject NameID:
email - SAMLSubject NameID Format:
urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
- SP Entity ID:
-
Open the application's User Groups tab, check the All Users group.
-
Click Save in the bottom right to create the application.
-
On the SSO tab, note the IDP URL (
https://sso.jumpcloud.com/saml2/authentik) and the SAML Metadata URL (https://sso.jumpcloud.com/saml2/metadata/authentik). Both are used in the next section.
authentik configuration
To support the integration of JumpCloud with authentik, you need to import the JumpCloud signing certificate and create a JumpCloud SAML source in authentik.
Import the JumpCloud certificate
JumpCloud does not offer a direct certificate download; the signing certificate is embedded in the application's SAML metadata. You need to extract it and wrap it in PEM markers before importing it into authentik.
-
Open the JumpCloud SAML Metadata URL (
https://sso.jumpcloud.com/saml2/metadata/authentik) in a browser. -
Locate the
<X509Certificate>element inside the<md:KeyDescriptor use="signing">block and copy its contents (the value between the opening and closing tags). -
Log in to authentik as an administrator and open the authentik Admin interface.
-
Navigate to System > Certificates and click Create.
-
Provide a name (for example,
JumpCloud SAML) and paste the copied value into the Certificate field, manually adding the PEM header and footer lines so that it matches the following format:-----BEGIN CERTIFICATE-----<X509Certificate content copied from the JumpCloud metadata>-----END CERTIFICATE----- -
Leave the Private Key field empty and click Create.
Create a SAML source in authentik
-
Navigate to Directory > Federation and Social login and click New Source.
-
Select SAML Source and configure the following settings:
- Set Name to
jumpcloud. - Set Slug to
jumpcloud(this must match the<jumpcloud-slug>used in the SP Entity ID and ACS URL above). - Set SSO URL to
https://sso.jumpcloud.com/saml2/authentik. - Set Binding Type to
Post-auto Binding. - Set Verification Certificate to the
JumpCloud SAMLcertificate imported above, so authentik validates the signature on incoming responses. - Uncheck Verify Assertion Signature.
- Check Verify Response Signature.
infoJumpCloud signs the SAML response rather than the individual assertion, so these two options must be inverted from their defaults. If they are left at their defaults, signature verification fails.
- Set Name to
-
Click Finish.
OIDC
JumpCloud configuration
To integrate JumpCloud with authentik, create a custom OIDC application in the JumpCloud Admin Portal.
-
Log in to the JumpCloud Admin Portal as an administrator.
-
Navigate to Access > SSO Applications and click Add New Application.
-
Select Custom Application and click Next.
-
Under Manage Single Sign-On (SSO), select Configure SSO with OIDC, then click Next.
-
Set the Display Label to
authentikand click Save Application, then click Configure Application. -
On the SSO tab, configure the following settings:
- Redirect URIs:
https://authentik.company/source/oauth/callback/jumpcloud/ - Client Authentication Type:
Client Secret Basic - Grant Types: leave Authorization Code selected (the default).
- Under Attribute Mapping, enable the
emailandprofilescopes so those claims are returned.
- Redirect URIs:
-
Open the application's User Groups tab, check the All Users group.
-
Click Save in the bottom right to create the application.
-
After saving, JumpCloud will display a popup with the Client ID and Client Secret. Both are required in the next section.
authentik configuration
To support the integration of JumpCloud with authentik, create a JumpCloud OpenID Connect source in authentik.
-
Log in to authentik as an administrator and open the authentik Admin interface.
-
Navigate to Directory > Federation and Social login and click New Source.
-
Select OpenID Connect OAuth Source and configure the following settings:
- Set Name to
jumpcloud. - Set Slug to
jumpcloud(this must match the<jumpcloud-slug>used in the redirect URI above). - Under Protocol settings:
- Set Consumer key to the Client ID from JumpCloud.
- Set Consumer secret to the Client Secret from JumpCloud.
- Under URL settings:
- Set Authorization URL to
https://oauth.id.jumpcloud.com/oauth2/auth. - Set Access Token URL to
https://oauth.id.jumpcloud.com/oauth2/token. - Set Profile URL to
https://oauth.id.jumpcloud.com/userinfo. - Set OIDC Well-known URL to
https://oauth.id.jumpcloud.com/.well-known/openid-configuration. - Set OIDC JWKS URL to
https://oauth.id.jumpcloud.com/.well-known/jwks.json.
- Set Authorization URL to
Regional endpointsThe URLs above are for the US region. For the EU or IN regions, replace
oauth.id.jumpcloud.comwithoauth.id.eu.jumpcloud.comoroauth.id.in.jumpcloud.com. - Set Name to
-
Click Finish.
For instructions on how to display the new source on the authentik login page, refer to the Add sources to default login page documentation.
Source property mappings
Source property mappings allow you to modify or gather extra information from sources. See the overview for more information.