Add JumpCloud SAML

backend/src/ee/models/ssoConfig.ts

@@ -2,7 +2,8 @@ import { Schema, Types, model } from "mongoose";
 
 export enum AuthProvider {
     OKTA_SAML = "okta-saml",
-    AZURE_SAML = "azure-saml"
+    AZURE_SAML = "azure-saml",
+    JUMPCLOUD_SAML = "jumpcloud-saml"
 }
 
 export interface ISSOConfig {

backend/src/models/user.ts

@@ -3,7 +3,9 @@ import { Document, Schema, Types, model } from "mongoose";
 export enum AuthProvider {
 	EMAIL = "email",
 	GOOGLE = "google",
-	OKTA_SAML = "okta-saml"
+	OKTA_SAML = "okta-saml",
+	AZURE_SAML = "azure-saml",
+	JUMPCLOUD_SAML = "jumpcloud-saml",
 }
 
 export interface IUser extends Document {

backend/src/utils/auth.ts

@@ -141,7 +141,17 @@ const initializePassport = async () => {
           ssoConfigId: new Types.ObjectId(ssoIdentifier)
         });
         
-        const samlConfig = ({
+        interface ISAMLConfig {
+          path: string;
+          callbackURL: string;
+          entryPoint: string;
+          issuer: string;
+          cert: string;
+          audience: string;
+          wantAuthnResponseSigned?: boolean;
+        }
+        
+        const samlConfig: ISAMLConfig = ({
           path: `/api/v1/sso/saml2/${ssoIdentifier}`,
           callbackURL: `${await getSiteURL()}/api/v1/sso/saml2${ssoIdentifier}`,
           entryPoint: ssoConfig.entryPoint,
@@ -150,6 +160,10 @@ const initializePassport = async () => {
           audience: await getSiteURL()
         });
         
+        if (ssoConfig.authProvider === AuthProvider.JUMPCLOUD_SAML) {
+          samlConfig.wantAuthnResponseSigned = false;
+        }
+        
         req.ssoConfig = ssoConfig;
 
         done(null, samlConfig);

docs/documentation/platform/sso/azure.mdx

@@ -16,7 +16,7 @@ description: "Configure Azure SAML for Infisical SSO"
 ![Azure SAML new application](../../../images/sso/azure/new-application.png)
 
 2. On the next screen, press the **+ Create your own application** button.
-   Give the application a unique, Infisical-specific name; choose the "Integrate any other application you don't find in the gallery (Non-gallery)"
+   Give the application a unique name like Infisical; choose the "Integrate any other application you don't find in the gallery (Non-gallery)"
    option and hit the **Create** button.
 
 ![Azure SAML create own application](../../../images/sso/azure/create-own-application.png)
@@ -74,11 +74,11 @@ Having trouble?, try copying the X509 certificate information from the Federatio
 
 7. Assignments
 
-Finally, navigate to the **Users and groups** tab and select **+ Add user/group** to assign access to the login with SSO application on a user or group-level.
+Back in Azure, navigate to the **Users and groups** tab and select **+ Add user/group** to assign access to the login with SSO application on a user or group-level.
 ![Azure SAML assignment](../../../images/sso/azure/assignment.png)
 
 8. Return to Infisical and enable SAML SSO.
 
 Enabling SAML SSO enforces all members in your organization to only be able to log into Infisical via Azure.
 
-![SAML Okta assignment](../../../images/sso/azure/enable-saml.png)
+![Azure SAML assignment](../../../images/sso/azure/enable-saml.png)

docs/documentation/platform/sso/jumpcloud.mdx

@@ -3,4 +3,65 @@ title: "JumpCloud SAML"
 description: "Configure JumpCloud SAML for Infisical SSO"
 ---
 
-Coming soon.
+1. In Infisical, head over to your organization Settings > Authentication > SAML SSO Configuration and select **Set up SAML SSO**.
+   Next, copy the **ACS URL** and **SP Entity ID** to use when configuring the JumpCloud SAML application.
+
+![JumpCloud SAML initial configuration](../../../images/sso/jumpcloud/init-config.png)
+
+2. In the JumpCloud Admin Portal, navigate to User Authentication > SSO and create an application. If this is your first application, select **Get Started**;
+   if not, select **+Add New Application**
+
+![JumpCloud SAML new application](../../../images/sso/jumpcloud/new-application.png)
+
+3. Next, select **Custom SAML App** to open up the **New SSO** dialog.
+
+![JumpCloud custom SAML app](../../../images/sso/jumpcloud/custom-saml-app.png)
+
+4. In the **General Info** tab, give the application a unique name like Infisical.
+
+![JumpCloud general info](../../../images/sso/jumpcloud/general-info.png)
+
+5. In the **SSO** tab, set the **SP Entity ID** and **ACS URL** from step 1; set the **IdP Entity ID** to the same value as the **SP Entity ID**.
+
+![JumpCloud edit basic config](../../../images/sso/jumpcloud/edit-basic-config.png)
+
+6. On the same tab, check the **Sign Assertion** checkbox and fill the **IDP URL** to something unique.
+   Copy the **IDP URL** to use when finishing configuring the JumpCloud SAML in Infisical.
+
+![JumpCloud edit basic config 2](../../../images/sso/jumpcloud/edit-basic-config-2.png)
+
+7. On the same tab, in the **Attributes** section, configure the following map:
+
+- `email -> email`
+- `firstName -> firstname`
+- `lastName -> lastname`
+
+![JumpCloud attribute statements](../../../images/sso/jumpcloud/attribute-statements.png)
+
+Finally press activate to create the SAML application.
+
+8. Next, select the newly created SAML application and select **Download certificate** under the **IDP Certificate Valid** dropdown
+
+![JumpCloud download certificate](../../../images/sso/jumpcloud/download-saml-certificate.png)
+
+9. Back in Infisical, set the **IDP URL** from step 6 and the **IdP Entity ID** from step 5. Also, paste the certificate from the previous step.
+
+![JumpCloud IdP values](../../../images/sso/jumpcloud/idp-values.png)
+
+<Note>
+  When pasting the certificate into Infisical, you'll want to retain `-----BEGIN
+  CERTIFICATE-----` and `-----END CERTIFICATE-----` at the first and last line
+  of the text area respectively.
+</Note>
+
+10. Assignments
+
+Back in JumpCloud, navigate to the **User Groups** tab and assign users to the newly created application.
+
+![JumpCloud SAML assignment](../../../images/sso/jumpcloud/assignment.png)
+
+11. Return to Infisical and enable SAML SSO.
+
+Enabling SAML SSO enforces all members in your organization to only be able to log into Infisical via JumpCloud.
+
+![JumpCloud SAML assignment](../../../images/sso/jumpcloud/enable-saml.png)

docs/documentation/platform/sso/okta.mdx

@@ -3,10 +3,6 @@ title: "Okta SAML"
 description: "Configure Okta SAML 2.0 for Infisical SSO"
 ---
 
-Prerequisites:
-
-- Okta Developer Account with access to create custom application integrations.
-
 1. In Infisical, head over to your organization Settings > Authentication > SAML SSO Configuration and select **Set up SAML SSO**.
    Next, copy the **Single sign-on URL** and **Audience URI (SP Entity ID)** to use when configuring the Okta SAML 2.0 application.
 

docs/documentation/platform/sso/overview.mdx

@@ -4,9 +4,10 @@ description: "Log in to Infisical via SSO protocols"
 ---
 
 <Warning>
-  Infisical currently only supports SAML SSO authentication with Okta and Azure
-  AD. We're expanding support for other IdPs in the coming months, so stay tuned
-  with this issue [here](https://github.com/Infisical/infisical/issues/442).
+  Infisical currently has confirmed support for SAML SSO authentication with
+  Okta, Azure AD, and JumpCloud. We're expanding support for other IdPs in the
+  coming months, so stay tuned and feel free to request a IdP at this
+  [issue](https://github.com/Infisical/infisical/issues/442).
 </Warning>
 
 You can configure your organization in Infisical to have members authenticate with the platform via protocols like [SAML 2.0](https://en.wikipedia.org/wiki/SAML_2.0).
@@ -16,3 +17,4 @@ your IdP cannot and will not have access to the decryption key needed to decrypt
 
 - [Okta SAML](/documentation/platform/sso/okta)
 - [Azure SAML](/documentation/platform/sso/azure)
+- [JumpCloud SAML](/documentation/platform/sso/jumpcloud)

frontend/src/views/Settings/OrgSettingsPage/components/OrgAuthTab/OrgSSOSection.tsx

@@ -15,7 +15,8 @@ import { SSOModal } from "./SSOModal";
 
 const ssoAuthProviderMap: { [key: string]: string } = {
     "okta-saml": "Okta SAML",
-    "azure-saml": "Azure SAML"
+    "azure-saml": "Azure SAML",
+    "jumpcloud-saml": "JumpCloud SAML"
 }
 
 export const OrgSSOSection = (): JSX.Element => {

frontend/src/views/Settings/OrgSettingsPage/components/OrgAuthTab/SSOModal.tsx

@@ -23,12 +23,14 @@ import { UsePopUpState } from "@app/hooks/usePopUp";
 
 enum AuthProvider {
     OKTA_SAML = "okta-saml",
-    AZURE_SAML = "azure-saml"
+    AZURE_SAML = "azure-saml",
+    JUMPCLOUD_SAML = "jumpcloud-saml"
 }
 
 const ssoAuthProviders = [
     { label: "Okta SAML", value: AuthProvider.OKTA_SAML },
-    { label: "Azure SAML", value: AuthProvider.AZURE_SAML }
+    { label: "Azure SAML", value: AuthProvider.AZURE_SAML },
+    { label: "JumpCloud SAML", value: AuthProvider.JUMPCLOUD_SAML }
 ];
 
 const schema = yup.object({
@@ -144,6 +146,16 @@ export const SSOModal = ({
                     issuer: "Azure AD Identifier",
                     issuerPlaceholder: "https://sts.windows.net/xxx/"
                 });
+            case AuthProvider.JUMPCLOUD_SAML:
+                return ({
+                    acsUrl: "ACS URL",
+                    entityId: "SP Entity ID",
+                    entryPoint: "IDP URL",
+                    entryPointPlaceholder: "https://sso.jumpcloud.com/saml2/xxx",
+                    issuer: "IdP Entity ID",
+                    issuerPlaceholder: "xxx"
+                });
+                
             default:
                 return ({
                     acsUrl: "ACS URL",