Single Sign-On with JumpCloud (SAML)

By Andrew Merrick

Learn how to configure JumpCloud as a SAML-based identity provider

Create a SAML Connection 

  1. In Kandji, navigate to the Settings page.

  2. Click the Access tab.

  3. Find the Authentication section and click the Add button on the bottom left of the authentication section. (If that section does not appear, SSO is not enabled for your instance.)

  4. In the Add SSO Connection pane, select the Custom SAML option.

  5. Click Next.

  6. Select Show Advanced Details.

  7. Copy the Assertion Consumer Service URL and save it in a text document for later use.

  8. Copy the Entity ID and save it too.

  9. Leave this browser tab open as you proceed with the instructions below. 

Add the Kandji Application to JumpCloud

  1. Log in to and, in the lefthand nav bar's User Authentication section, select SSO.

  2. Click on the circular + button.

  3. At the bottom of the screen, click Custom SAML App.

  4. On the General Info tab:

    1. Add a name for the Display Label.

    2. For the Display Option, choose either a Color Indicator or upload a Logo (optional).

  5. On the SSO tab:

    1. Copy the Entity ID from Kandji that you saved earlier and paste it into the IdP Entity ID and SP Entity ID fields in JumpCloud.

    2. Copy the Assertion Consumer Service URL from Kandji that you saved earlier and paste it into the ACS URL field.

    3. Leave the SAML Subject NameID set to email.

    4. In the SAMLSubject NameID-Format field, select urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress from the dropdown menu.

    5. Set the Signature Algorithm to RSA-SHA256.

    6. Select Sign Assertion.

    7. Set the IDP URL to Copy this URL and save it for use in Kandji later.

    8. Click Activate.

  6. When prompted to confirm the SSO instance, click Continue.

  7. Once activated, you should see a notification in JumpCloud letting you know that a public certificate has been created. Download this certificate; it will be used in Kandji later.

    • If this notification does not appear, you can grab the certificate as follows:

      1. Select the custom app that you just created.

      2. On the left side of the panel that appears, click on IDP Certificate Valid.

      3. Select Download Certificate.

  8. On the User Groups tab:

    1. Add a user group to the SSO application. If you want to narrow the scope of who is able to access the SSO app, create another user group in your JumpCloud console then assign it to the SSO app. 

Configure the SAML Connection in Kandji

  1. Go back to the Custom SAML integration in Kandji.

  2. Give the connection a Name.

  3. Paste in the Sign In URL you copied from JumpCloud: .

  4. Upload the certificate you downloaded from JumpCloud.

  5. Ensure that the User ID Attribute is set to the default value of
  6. Ensure that Sign Request is set to Yes.

  7. Ensure that Request Algorithm is set to RSA-SHA256.

  8. Ensure that Sign Request Algorithm Digest is set to SHA 256.

  9. Set the Protocol Binding to HTTP-POST.

  10. Click Save and then click Cancel to exit the configuration.

Enable the SAML Connection

Once you have configured the SAML connection in both Kandji and your identity provider, you can now enable the connection. Please refer to the Enable and Manage a Connection section in our Single Sign-on support article for step-by-step instructions. 

Enforcing Single Sign-on

Once you have configured at least one Single Sign-on connection, you can disable the standard authentication connection. Disabling Kandji standard authentication will disable the ability for Kandji administrators in your instance to authenticate via email/password, Google Sign in, or Office 365 Sign in. Please refer to our Single Sign-on support article for step-by-step instructions.

Add a Test User to Kandji

  1. Add a test user to the Admin Team in Kandji by clicking New User

  2. Fill in all of the corresponding user information. This user must exist in Okta and must be assigned to the Okta SSO app in your Okta tenant

  3. Click Submit

  4. Once the invite is submitted, close the Invite User window

  5. Refresh the Access page in Kandji. You should see the user who was just added

  6. Go to the user’s email to accept the invite and log in with the new SAML SSO connection