JumpCloud (SAML)
JumpCloud provides Directory-as-a-Service to securely connect user identities to systems, apps, files, and networks. Cloudflare Access integrates with JumpCloud using the SAML protocol. JumpCloud's own documentation can help you configure applications within your JumpCloud deployment.
These steps focus on requirements specific to Cloudflare Zero Trust.
Set up JumpCloud SAML
To set up JumpCloud SAML as your identity provider:
- Generate a SAML certificate.
  Tip: JumpCloud requires that you provide your own certificate for signing SAML assertions. Self-signed certificates are acceptable.
  If you do not have a certificate, this command generates one using OpenSSL:
  When asked to enter a Distinguished Name (DN) to incorporate into your certificate request, you can leave some of these fields blank. Some fields have a default value. Enter a dot (.) in a field to leave it blank. For example:
- In JumpCloud, select Applications in the left-side menu.
- Select the + icon at the top-left of the screen to add an application.
- Choose the SAML option in Application Types.
- Enter an application name in Display Label.
- Enter an IdP entity in the IDP IDENTITY ID field. The IdP entity can be anything, but it must be unique. We suggest you reference something identifiable, such as your Cloudflare team domain (https://<your-team-name>.cloudflareaccess.com/).
- At the prompt, enter the IdP private key and IdP certificate you previously generated.
- Set both the SP entity ID and ACS URL to the following callback URL:
  You can find your team name in Zero Trust under Settings > Custom Pages.
- Under SAML SUBJECT NAMEID, choose email.
- Set the SAML SUBJECT NAMEID FORMAT to:
- Under USER ATTRIBUTES, enter email for the name and email for the value.
- Leave other settings at default.
- Select Save. Remember to assign this application to users or groups.
- In Zero Trust, go to Settings > Authentication.
- Under Login methods, select Add new.
- Select SAML.
- Input a Name, a Single Sign on URL, IdP Entity ID or Issuer URL, and Signing Certificate.
- Select Save.
To test that your connection is working, go to Authentication > Login methods and select Test next to the login method you want to test.
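As an added example (not part of the Cloudflare or JumpCloud documentation), the certificate step above done non-interactively so the DN prompt never appears, plus a check worth running before pasting the key and certificate into JumpCloud. It assumes openssl is on PATH; the file names, output directory and CN are placeholders of my choosing.

```shell
#!/bin/sh
# Added example, not from the Cloudflare or JumpCloud docs.
# Generates the self-signed signing certificate JumpCloud asks for and
# sanity-checks the pair. Assumes openssl on PATH; names are placeholders.

gen_saml_cert() {
  # $1 = output directory, $2 = CN to embed. The CN is only a label: this
  # certificate signs SAML assertions, it is never served to browsers.
  dir=$1; cn=$2
  mkdir -p "$dir"
  # -subj answers the Distinguished Name prompt non-interactively;
  # -nodes leaves the key unencrypted so it can be pasted as PEM into JumpCloud
  openssl req -x509 -newkey rsa:2048 -sha256 -days 365 -nodes \
    -subj "/CN=$cn" \
    -keyout "$dir/idp-key.pem" -out "$dir/idp-cert.pem" 2>/dev/null
  chmod 600 "$dir/idp-key.pem"
}

check_saml_cert() {
  # $1 = private key, $2 = certificate, $3 = minimum remaining validity (days).
  # Prints "ok" when the key and cert belong together, the key is at least
  # 2048 bits and the cert does not expire within $3 days; otherwise a reason.
  key=$1; cert=$2; min_days=${3:-30}
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null || true)
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null || true)
  [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ] \
    || { echo "key-mismatch"; return 1; }
  bits=$(openssl pkey -in "$key" -noout -text 2>/dev/null \
    | sed -n 's/.*Private-Key: (\([0-9]*\) bit.*/\1/p')
  [ "${bits:-0}" -ge 2048 ] || { echo "weak-key:${bits:-0}"; return 1; }
  # -checkend exits non-zero if the cert expires within the given seconds;
  # an expired IdP certificate silently breaks every Access login
  openssl x509 -in "$cert" -noout -checkend $((min_days * 86400)) >/dev/null \
    || { echo "expires-soon"; return 1; }
  echo "ok"
}
```

Run `gen_saml_cert ./saml-idp jumpcloud-to-cloudflare-access` and then `check_saml_cert ./saml-idp/idp-key.pem ./saml-idp/idp-cert.pem 30`; anything other than "ok" means do not upload the pair yet.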