JumpCloud, SAML 2.0, and SCIM

Setting up Zeplin with JumpCloud's Single Sign-On

Written by Rian

JumpCloud is a Directory-as-a-Service platform. Zeplin's SAML 2.0 SSO and SCIM user provisioning are confirmed to work with JumpCloud.

☝️ This feature is only available to teams on the Enterprise Plan.

Before you begin

JumpCloud does not expose the application details Zeplin needs (IdP URL, IdP Entity ID and certificate) until the application has been created with Zeplin's values (SP Entity ID and ACS URL), and those values are normally derived from the JumpCloud data. To break this loop, contact us at success@zeplin.io and we will manually generate and send you your team's SSO URL and SP EntityID.

Configuration

In JumpCloud:

  • Select SSO in the main navigation panel in the User Authentication section.

  • Click the “+” button to create a new Application, and select the [ Custom SAML App ] button at the bottom of the page

  • On the General Info tab, add a name for this application

  • On the SSO tab

    • Enter a unique IdP Entity ID according to your company’s standards

    • Enter the SP EntityID we gave you into the JumpCloud field SP Entity ID

    • Enter the SSO URL we gave you into the JumpCloud field ACS URL (copy both values exactly as supplied; they must match character for character or the login will fail)

  • Choose and complete the IDP URL according to your company’s standards.

  • Under Attributes > User Attribute Mapping, click [ add attribute ] to add a new attribute:

    • Service Provider Attribute Name: email

    • JumpCloud Attribute Name: email

  • Click on [ activate ]

  • Download the IdP certificate JumpCloud generates; you will paste its contents into Zeplin

In Zeplin:

  • From the Organization Dashboard, click the settings button on the top right to access Settings, and select the AUTHENTICATION tab.

  • In the SAML 2.0 section, click on the “Enable” button

  • In the Zeplin popup:

    • Copy the full string from the JumpCloud field IDP URL into the Zeplin field IdP SAML 2.0 Endpoint

    • Copy the string from the JumpCloud field IDP ENTITY ID into the Zeplin field IDP Issuer

    • Copy the contents of the JumpCloud public certificate file you generated into the Zeplin field IdP Public Certificate

    • Optional: if you also want JumpCloud to verify the signature on Zeplin's authentication requests, you will upload Zeplin's SAML 2.0 metadata (which contains Zeplin's SP certificate) into your JumpCloud configuration; the metadata download button appears once SAML is enabled in the next steps

  • Click on the “Enable” button

  • Click on the “Download SAML 2.0 metadata” button

Back in JumpCloud:

  • Click on the “Upload metadata” button and upload the file just downloaded from Zeplin

    • This step uploads Zeplin's signing certificate. Alternatively, if we have supplied the certificate to you directly, you can upload it via the "Replace SP Certificate" button; reach out to us if you would prefer to do it this way

  • Click on [ save ]
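Before saving, it is worth confirming that the metadata file you are uploading actually carries what JumpCloud needs. The script below is an added example, not Zeplin's or JumpCloud's code: it parses an SP metadata document with the Python standard library and checks that the entityID equals the SP Entity ID you entered in JumpCloud, that the ACS URL you entered appears as an AssertionConsumerService, and that at least one SP signing certificate is present. The embedded SAMPLE_METADATA is constructed for illustration; its entity ID, URLs and certificate are placeholders, not real Zeplin values.

```python
"""Sanity-check Zeplin's SP metadata before uploading it to JumpCloud.

Added example, not Zeplin's or JumpCloud's code. Standard library only.
SAMPLE_METADATA is a constructed SP metadata document with placeholder
values; the X509Certificate content is base64 of a dummy string.
"""
import base64
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample in the shape of SAML 2.0 SP metadata (placeholders only).
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://sp.example.com/saml/TEAMID">
  <md:SPSSODescriptor AuthnRequestsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo>
        <ds:X509Data>
          <ds:X509Certificate>bm90IGEgcmVhbCBjZXJ0aWZpY2F0ZQ==</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:AssertionConsumerService index="0"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.com/saml/acs/TEAMID"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def check_sp_metadata(xml_text, expected_entity_id, expected_acs_url):
    """Parse SP metadata and compare it with the values entered in JumpCloud.

    Returns a dict with the extracted values, a list of problems, and
    'ok' == True only when every check passed.
    """
    root = ET.fromstring(xml_text)
    result = {
        "entity_id": root.get("entityID"),
        "acs_urls": [],
        "signing_certs": 0,
        "authn_requests_signed": False,
        "problems": [],
    }
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        result["problems"].append("no SPSSODescriptor: this is not SP metadata")
    else:
        result["authn_requests_signed"] = sp.get("AuthnRequestsSigned") == "true"
        result["acs_urls"] = [
            acs.get("Location")
            for acs in sp.findall("md:AssertionConsumerService", NS)
        ]
        for kd in sp.findall("md:KeyDescriptor", NS):
            # A KeyDescriptor without a 'use' attribute serves both signing and encryption.
            if kd.get("use", "signing") != "signing":
                continue
            for cert in kd.findall(".//ds:X509Certificate", NS):
                body = "".join((cert.text or "").split())  # strip PEM line wrapping
                try:
                    base64.b64decode(body, validate=True)
                except ValueError:
                    result["problems"].append("signing certificate is not valid base64")
                    continue
                result["signing_certs"] += 1

    if result["entity_id"] != expected_entity_id:
        result["problems"].append(
            f"entityID is {result['entity_id']!r}, expected {expected_entity_id!r}"
        )
    if expected_acs_url not in result["acs_urls"]:
        result["problems"].append(
            f"ACS URL {expected_acs_url!r} not among {result['acs_urls']}"
        )
    if result["signing_certs"] == 0:
        result["problems"].append(
            "no SP signing certificate: JumpCloud cannot verify Zeplin's requests"
        )
    result["ok"] = not result["problems"]
    return result


if __name__ == "__main__":
    report = check_sp_metadata(
        SAMPLE_METADATA,
        "https://sp.example.com/saml/TEAMID",       # SP Entity ID entered in JumpCloud
        "https://sp.example.com/saml/acs/TEAMID",   # ACS URL entered in JumpCloud
    )
    for line in report["problems"] or ["metadata matches the JumpCloud configuration"]:
        print(line)
```

Run it against the real file with the values you typed into JumpCloud: any reported problem means the upload will not do what you expect, and a missing signing certificate means the optional request-signature check in JumpCloud will have nothing to verify against.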

Confirm everything works!

Go to the Zeplin login page and click the link that says Login with SSO (or go directly to https://app.zeplin.io/login/sso). Enter the email address of an existing Zeplin user. You should be redirected to your JumpCloud IdP to authenticate, then back to that user's Project page.

Your company's identity management policies may require you to first assign this application to your users. Usually, this is via an existing JumpCloud user group that will need to be assigned to the Application. Click on Groups from the main menu, and view a group's Applications. Select the appropriate group, and assign the Zeplin application and specific users if required.

Finishing Up

  • When it is confirmed users can log in with SAML, you can restrict login to be via SAML only for all users in your domain by setting Require SSO on the AUTHENTICATION tab in Zeplin.
    - Don't Require: Users can continue to log in with username/password or SSO
    - Require for All Members: Users in your domain who try to log in with username/password will be redirected to your IdP instead.
    For safety, the Owner will still be able to log in using their username/password even if this option is set to Require.

  • You can specify a Session timeout. Zeplin re-authenticates the user with your IdP after the shorter of this setting and the session duration sent by your IdP (if it sends one), to verify the user is still authenticated.

  • You can choose to Allow inviting users from different domains. If this is not ticked, only users with an email address in your domain can be invited to the Workspace.

User Provisioning with SCIM

JumpCloud can autoprovision users in Zeplin using the SCIM protocol. See the article User Provisioning With SCIM for configuration information. In JumpCloud, the SCIM integration is configured and enabled on the Identity Management tab.

Extra information for JumpCloud users

  • When it is confirmed that users can log in with SAML, you can restrict login to SAML only for all users by selecting this option on the AUTHENTICATION tab in Zeplin. For safety, the Owner will still be able to log in with their username/password after this option is set.

  • JumpCloud does not send a session duration (SessionNotOnOrAfter) in its SAML assertion, so only Zeplin's own setting applies: Zeplin will expire the session and attempt re-authentication at the duration chosen in the Session Timeout setting, on the AUTHENTICATION tab in Zeplin’s Organization settings. The default is to never log the user out.

  • JumpCloud can sign either the Assertion or the Response. Zeplin enforces a valid signature against the JumpCloud-generated IdP Public Certificate you pasted into Zeplin, so if you regenerate or rotate that certificate in JumpCloud you must update it in Zeplin as well or logins will fail.

  • JumpCloud does not support encrypted Assertions. Zeplin accepts unencrypted assertions, so no assertion-encryption configuration is needed.
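When the test login in "Confirm everything works!" does not behave as expected, the quickest diagnosis is to look at the SAMLResponse that the browser posts to Zeplin's ACS URL and compare it with the points above. The script below is an added example, not Zeplin's or JumpCloud's code. Given the SAMLResponse form value (base64, or the already-decoded XML) it reports the Issuer (which must equal the IdP Issuer you entered in Zeplin), whether the Response and/or the Assertion carries a signature, whether the Assertion is encrypted, whether the email attribute mapped in JumpCloud arrived, and whether a SessionNotOnOrAfter value was sent. It does not verify the signature itself; that needs an XML-DSig library and the IdP certificate. The embedded SAMPLE_RESPONSE_XML is constructed for illustration; its issuer, IDs, URLs and signature value are placeholders.

```python
"""Structural inspection of a JumpCloud SAML Response during the SSO test.

Added example, not Zeplin's or JumpCloud's code. Standard library only;
it does NOT verify the XML signature. SAMPLE_RESPONSE_XML is constructed:
assertion signed (not the response), 'email' attribute present, and no
SessionNotOnOrAfter, which is the shape described for JumpCloud above.
"""
import base64
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample with placeholder values (issuer, IDs, URLs, signature).
SAMPLE_RESPONSE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    ID="_response1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z"
    Destination="https://sp.example.com/saml/acs/TEAMID">
  <saml:Issuer>https://idp.example.com/zeplin</saml:Issuer>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
  <saml:Assertion ID="_assertion1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>https://idp.example.com/zeplin</saml:Issuer>
    <ds:Signature>
      <ds:SignedInfo/>
      <ds:SignatureValue>cGxhY2Vob2xkZXI=</ds:SignatureValue>
    </ds:Signature>
    <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
    <saml:AuthnStatement AuthnInstant="2024-01-01T00:00:00Z" SessionIndex="_s1"/>
    <saml:AttributeStatement>
      <saml:Attribute Name="email">
        <saml:AttributeValue>alice@example.com</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>
"""
# The same sample as the browser posts it: base64 in the SAMLResponse form field.
SAMPLE_RESPONSE_B64 = base64.b64encode(SAMPLE_RESPONSE_XML.encode()).decode()


def inspect_saml_response(saml_response, expected_issuer):
    """Return a report dict; 'ok' is True when nothing contradicts the Zeplin setup."""
    try:
        xml_text = base64.b64decode(saml_response, validate=True).decode("utf-8")
    except ValueError:  # not base64, so treat the input as the decoded XML
        xml_text = saml_response
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    status_el = root.find("samlp:Status/samlp:StatusCode", NS)

    report = {
        "issuer": root.findtext("saml:Issuer", default="", namespaces=NS).strip(),
        "status": status_el.get("Value", "") if status_el is not None else "",
        "response_signed": root.find("ds:Signature", NS) is not None,
        "assertion_signed": assertion is not None
        and assertion.find("ds:Signature", NS) is not None,
        "assertion_encrypted": root.find("saml:EncryptedAssertion", NS) is not None,
        "email": None,
        "session_not_on_or_after": None,
        "problems": [],
    }
    if assertion is not None:
        for attr in assertion.iterfind("saml:AttributeStatement/saml:Attribute", NS):
            if attr.get("Name") == "email":  # Service Provider Attribute Name set in JumpCloud
                report["email"] = attr.findtext("saml:AttributeValue", namespaces=NS)
        authn = assertion.find("saml:AuthnStatement", NS)
        if authn is not None:
            report["session_not_on_or_after"] = authn.get("SessionNotOnOrAfter")

    if report["issuer"] != expected_issuer:
        report["problems"].append(
            f"Issuer {report['issuer']!r} does not match IdP Issuer {expected_issuer!r}"
        )
    if not report["status"].endswith(":Success"):
        report["problems"].append(f"IdP returned status {report['status']!r}")
    if not (report["response_signed"] or report["assertion_signed"]):
        report["problems"].append("neither Response nor Assertion is signed; Zeplin requires a signature")
    if report["assertion_encrypted"]:
        report["problems"].append("Assertion is encrypted; this check cannot read its contents")
    elif report["email"] is None:
        report["problems"].append("no 'email' attribute: check the JumpCloud attribute mapping")
    report["ok"] = not report["problems"]
    return report


if __name__ == "__main__":
    for key, value in inspect_saml_response(SAMPLE_RESPONSE_B64, "https://idp.example.com/zeplin").items():
        print(f"{key}: {value}")
```

A report with session_not_on_or_after of None is the normal JumpCloud case; it simply confirms that only Zeplin's Session Timeout governs re-authentication. An Issuer mismatch is the most common cause of a failed test login and means the IDP ENTITY ID in JumpCloud and the IDP Issuer in Zeplin were not copied identically.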