diff --git a/backend/src/ee/models/ssoConfig.ts b/backend/src/ee/models/ssoConfig.ts
index 12f695b79e..b591b8817a 100644
--- a/backend/src/ee/models/ssoConfig.ts
+++ b/backend/src/ee/models/ssoConfig.ts
@@ -2,7 +2,8 @@ import { Schema, Types, model } from "mongoose";
export enum AuthProvider {
OKTA_SAML = "okta-saml",
- AZURE_SAML = "azure-saml"
+ AZURE_SAML = "azure-saml",
+ JUMPCLOUD_SAML = "jumpcloud-saml"
}
export interface ISSOConfig {
diff --git a/backend/src/models/user.ts b/backend/src/models/user.ts
index 6559b1b7e7..0332f05eee 100644
--- a/backend/src/models/user.ts
+++ b/backend/src/models/user.ts
@@ -3,7 +3,9 @@ import { Document, Schema, Types, model } from "mongoose";
export enum AuthProvider {
EMAIL = "email",
GOOGLE = "google",
- OKTA_SAML = "okta-saml"
+ OKTA_SAML = "okta-saml",
+ AZURE_SAML = "azure-saml",
+ JUMPCLOUD_SAML = "jumpcloud-saml",
}
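Review bot: This AuthProvider enum in user.ts is a second, hand-maintained copy of the one in backend/src/ee/models/ssoConfig.ts, and the fact that AZURE_SAML had to be back-filled here in the same commit that adds JUMPCLOUD_SAML shows the two have already drifted once. A user record whose authProvider has no matching member here would be silently accepted as a plain string, so the duplication is a correctness risk rather than just noise. Consider defining the SAML providers once and deriving this enum from it, or at minimum adding a comment `// keep in sync with ee/models/ssoConfig.ts AuthProvider` above the declaration so the next provider addition does not miss one side.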
export interface IUser extends Document {
diff --git a/backend/src/utils/auth.ts b/backend/src/utils/auth.ts
index 4ca60a6222..634769e3b4 100644
--- a/backend/src/utils/auth.ts
+++ b/backend/src/utils/auth.ts
@@ -141,7 +141,17 @@ const initializePassport = async () => {
ssoConfigId: new Types.ObjectId(ssoIdentifier)
});
- const samlConfig = ({
+ interface ISAMLConfig {
+ path: string;
+ callbackURL: string;
+ entryPoint: string;
+ issuer: string;
+ cert: string;
+ audience: string;
+ wantAuthnResponseSigned?: boolean;
+ }
+
+ const samlConfig: ISAMLConfig = ({
path: `/api/v1/sso/saml2/${ssoIdentifier}`,
callbackURL: `${await getSiteURL()}/api/v1/sso/saml2${ssoIdentifier}`,
entryPoint: ssoConfig.entryPoint,
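Review bot: The `callbackURL` on the context line above builds `${siteUrl}/api/v1/sso/saml2${ssoIdentifier}` while `path` on the line before it is `/api/v1/sso/saml2/${ssoIdentifier}`, so the ACS URL advertised to the IdP in the AuthnRequest appears to be missing the `/` separator; unless the route is deliberately registered without it elsewhere, it should read `callbackURL: \`${await getSiteURL()}/api/v1/sso/saml2/${ssoIdentifier}\`,`. As a point of style, the new `ISAMLConfig` interface is declared inside the per-request callback; it is type-only so there is no runtime cost, but hoisting it to module scope (and dropping the `I` prefix per the file's TS conventions) would let it be reused and would be the natural place to also declare `wantAssertionsSigned?: boolean`, which the JumpCloud branch in the next hunk relies on. The enclosing `initializePassport` starts before and continues after this hunk.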
@@ -150,6 +160,10 @@ const initializePassport = async () => {
audience: await getSiteURL()
});
+ if (ssoConfig.authProvider === AuthProvider.JUMPCLOUD_SAML) {
+ samlConfig.wantAuthnResponseSigned = false;
+ }
+
req.ssoConfig = ssoConfig;
done(null, samlConfig);
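Review bot: Setting `samlConfig.wantAuthnResponseSigned = false` for JumpCloud relaxes signature verification on the outer SAML Response, and nothing in the hunk states what still protects the login; the only thing keeping this from being an unsigned path is, presumably, passport-saml's default that the Assertion itself must be signed, which the JumpCloud docs in this commit ask admins to enable but the code does not pin. Make that dependency explicit next to the relaxation: `// JumpCloud signs the Assertion but not the Response; assertion signature remains mandatory` followed by `samlConfig.wantAssertionsSigned = true;` (and add `wantAssertionsSigned?: boolean` to the config interface). Without this, a future change to the library default or to the surrounding config could silently turn JumpCloud SSO into an unauthenticated assertion path. The enclosing `initializePassport` continues outside this hunk.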
diff --git a/docs/documentation/platform/sso/azure.mdx b/docs/documentation/platform/sso/azure.mdx
index 9d7e38b965..9169c9f6f5 100644
--- a/docs/documentation/platform/sso/azure.mdx
+++ b/docs/documentation/platform/sso/azure.mdx
@@ -16,7 +16,7 @@ description: "Configure Azure SAML for Infisical SSO"

2. On the next screen, press the **+ Create your own application** button.
- Give the application a unique, Infisical-specific name; choose the "Integrate any other application you don't find in the gallery (Non-gallery)"
+ Give the application a unique name like Infisical; choose the "Integrate any other application you don't find in the gallery (Non-gallery)"
option and hit the **Create** button.

@@ -74,11 +74,11 @@ Having trouble?, try copying the X509 certificate information from the Federatio
7. Assignments
-Finally, navigate to the **Users and groups** tab and select **+ Add user/group** to assign access to the login with SSO application on a user or group-level.
+Back in Azure, navigate to the **Users and groups** tab and select **+ Add user/group** to assign access to the login with SSO application on a user or group-level.

8. Return to Infisical and enable SAML SSO.
Enabling SAML SSO enforces all members in your organization to only be able to log into Infisical via Azure.
-
+
diff --git a/docs/documentation/platform/sso/jumpcloud.mdx b/docs/documentation/platform/sso/jumpcloud.mdx
index 574489200a..f22d173d48 100644
--- a/docs/documentation/platform/sso/jumpcloud.mdx
+++ b/docs/documentation/platform/sso/jumpcloud.mdx
@@ -3,4 +3,65 @@ title: "JumpCloud SAML"
description: "Configure JumpCloud SAML for Infisical SSO"
---
-Coming soon.
+1. In Infisical, head over to your organization Settings > Authentication > SAML SSO Configuration and select **Set up SAML SSO**.
+ Next, copy the **ACS URL** and **SP Entity ID** to use when configuring the JumpCloud SAML application.
+
+
+
+2. In the JumpCloud Admin Portal, navigate to User Authentication > SSO and create an application. If this is your first application, select **Get Started**;
+ if not, select **+Add New Application**
+
+
+
+3. Next, select **Custom SAML App** to open up the **New SSO** dialog.
+
+
+
+4. In the **General Info** tab, give the application a unique name like Infisical.
+
+
+
+5. In the **SSO** tab, set the **SP Entity ID** and **ACS URL** from step 1; set the **IdP Entity ID** to the same value as the **SP Entity ID**.
+
+
+
+6. On the same tab, check the **Sign Assertion** checkbox and fill the **IDP URL** to something unique.
+ Copy the **IDP URL** to use when finishing configuring the JumpCloud SAML in Infisical.
+
+
+
+7. On the same tab, in the **Attributes** section, configure the following map:
+
+- `email -> email`
+- `firstName -> firstname`
+- `lastName -> lastname`
+
+
+
+Finally press activate to create the SAML application.
+
+8. Next, select the newly created SAML application and select **Download certificate** under the **IDP Certificate Valid** dropdown
+
+
+
+9. Back in Infisical, set the **IDP URL** from step 6 and the **IdP Entity ID** from step 5. Also, paste the certificate from the previous step.
+
+
+
+
+ When pasting the certificate into Infisical, you'll want to retain `-----BEGIN
+ CERTIFICATE-----` and `-----END CERTIFICATE-----` at the first and last line
+ of the text area respectively.
+
+
+10. Assignments
+
+Back in JumpCloud, navigate to the **User Groups** tab and assign users to the newly created application.
+
+
+
+11. Return to Infisical and enable SAML SSO.
+
+Enabling SAML SSO enforces all members in your organization to only be able to log into Infisical via JumpCloud.
+
+
diff --git a/docs/documentation/platform/sso/okta.mdx b/docs/documentation/platform/sso/okta.mdx
index 51eb561edd..36293be145 100644
--- a/docs/documentation/platform/sso/okta.mdx
+++ b/docs/documentation/platform/sso/okta.mdx
@@ -3,10 +3,6 @@ title: "Okta SAML"
description: "Configure Okta SAML 2.0 for Infisical SSO"
---
-Prerequisites:
-
-- Okta Developer Account with access to create custom application integrations.
-
1. In Infisical, head over to your organization Settings > Authentication > SAML SSO Configuration and select **Set up SAML SSO**.
Next, copy the **Single sign-on URL** and **Audience URI (SP Entity ID)** to use when configuring the Okta SAML 2.0 application.
diff --git a/docs/documentation/platform/sso/overview.mdx b/docs/documentation/platform/sso/overview.mdx
index 76f44ba417..9a9afadeff 100644
--- a/docs/documentation/platform/sso/overview.mdx
+++ b/docs/documentation/platform/sso/overview.mdx
@@ -4,9 +4,10 @@ description: "Log in to Infisical via SSO protocols"
---
- Infisical currently only supports SAML SSO authentication with Okta and Azure
- AD. We're expanding support for other IdPs in the coming months, so stay tuned
- with this issue [here](https://github.com/Infisical/infisical/issues/442).
+ Infisical currently has confirmed support for SAML SSO authentication with
+ Okta, Azure AD, and JumpCloud. We're expanding support for other IdPs in the
+ coming months, so stay tuned and feel free to request a IdP at this
+ [issue](https://github.com/Infisical/infisical/issues/442).
You can configure your organization in Infisical to have members authenticate with the platform via protocols like [SAML 2.0](https://en.wikipedia.org/wiki/SAML_2.0).
@@ -16,3 +17,4 @@ your IdP cannot and will not have access to the decryption key needed to decrypt
- [Okta SAML](/documentation/platform/sso/okta)
- [Azure SAML](/documentation/platform/sso/azure)
+- [JumpCloud SAML](/documentation/platform/sso/jumpcloud)
diff --git a/docs/images/sso/jumpcloud/assignment.png b/docs/images/sso/jumpcloud/assignment.png
new file mode 100644
index 0000000000..65074c89c5
Binary files /dev/null and b/docs/images/sso/jumpcloud/assignment.png differ
diff --git a/docs/images/sso/jumpcloud/attribute-statements.png b/docs/images/sso/jumpcloud/attribute-statements.png
new file mode 100644
index 0000000000..98975f1d83
Binary files /dev/null and b/docs/images/sso/jumpcloud/attribute-statements.png differ
diff --git a/docs/images/sso/jumpcloud/custom-saml-app.png b/docs/images/sso/jumpcloud/custom-saml-app.png
new file mode 100644
index 0000000000..8de5c1675d
Binary files /dev/null and b/docs/images/sso/jumpcloud/custom-saml-app.png differ
diff --git a/docs/images/sso/jumpcloud/download-saml-certificate.png b/docs/images/sso/jumpcloud/download-saml-certificate.png
new file mode 100644
index 0000000000..1903f4f8ba
Binary files /dev/null and b/docs/images/sso/jumpcloud/download-saml-certificate.png differ
diff --git a/docs/images/sso/jumpcloud/edit-basic-config-2.png b/docs/images/sso/jumpcloud/edit-basic-config-2.png
new file mode 100644
index 0000000000..7c700b22be
Binary files /dev/null and b/docs/images/sso/jumpcloud/edit-basic-config-2.png differ
diff --git a/docs/images/sso/jumpcloud/edit-basic-config.png b/docs/images/sso/jumpcloud/edit-basic-config.png
new file mode 100644
index 0000000000..b2fb520a6b
Binary files /dev/null and b/docs/images/sso/jumpcloud/edit-basic-config.png differ
diff --git a/docs/images/sso/jumpcloud/enable-saml.png b/docs/images/sso/jumpcloud/enable-saml.png
new file mode 100644
index 0000000000..7dacfd323f
Binary files /dev/null and b/docs/images/sso/jumpcloud/enable-saml.png differ
diff --git a/docs/images/sso/jumpcloud/general-info.png b/docs/images/sso/jumpcloud/general-info.png
new file mode 100644
index 0000000000..75cac5d6eb
Binary files /dev/null and b/docs/images/sso/jumpcloud/general-info.png differ
diff --git a/docs/images/sso/jumpcloud/idp-values.png b/docs/images/sso/jumpcloud/idp-values.png
new file mode 100644
index 0000000000..252f70a586
Binary files /dev/null and b/docs/images/sso/jumpcloud/idp-values.png differ
diff --git a/docs/images/sso/jumpcloud/init-config.png b/docs/images/sso/jumpcloud/init-config.png
new file mode 100644
index 0000000000..39d7c96d9c
Binary files /dev/null and b/docs/images/sso/jumpcloud/init-config.png differ
diff --git a/docs/images/sso/jumpcloud/new-application.png b/docs/images/sso/jumpcloud/new-application.png
new file mode 100644
index 0000000000..d183f74a4a
Binary files /dev/null and b/docs/images/sso/jumpcloud/new-application.png differ
diff --git a/frontend/src/views/Settings/OrgSettingsPage/components/OrgAuthTab/OrgSSOSection.tsx b/frontend/src/views/Settings/OrgSettingsPage/components/OrgAuthTab/OrgSSOSection.tsx
index 7c694052e7..7b4e65cb71 100644
--- a/frontend/src/views/Settings/OrgSettingsPage/components/OrgAuthTab/OrgSSOSection.tsx
+++ b/frontend/src/views/Settings/OrgSettingsPage/components/OrgAuthTab/OrgSSOSection.tsx
@@ -15,7 +15,8 @@ import { SSOModal } from "./SSOModal";
const ssoAuthProviderMap: { [key: string]: string } = {
"okta-saml": "Okta SAML",
- "azure-saml": "Azure SAML"
+ "azure-saml": "Azure SAML",
+ "jumpcloud-saml": "JumpCloud SAML"
}
export const OrgSSOSection = (): JSX.Element => {
diff --git a/frontend/src/views/Settings/OrgSettingsPage/components/OrgAuthTab/SSOModal.tsx b/frontend/src/views/Settings/OrgSettingsPage/components/OrgAuthTab/SSOModal.tsx
index d811500109..a6655c546a 100644
--- a/frontend/src/views/Settings/OrgSettingsPage/components/OrgAuthTab/SSOModal.tsx
+++ b/frontend/src/views/Settings/OrgSettingsPage/components/OrgAuthTab/SSOModal.tsx
@@ -23,12 +23,14 @@ import { UsePopUpState } from "@app/hooks/usePopUp";
enum AuthProvider {
OKTA_SAML = "okta-saml",
- AZURE_SAML = "azure-saml"
+ AZURE_SAML = "azure-saml",
+ JUMPCLOUD_SAML = "jumpcloud-saml"
}
const ssoAuthProviders = [
{ label: "Okta SAML", value: AuthProvider.OKTA_SAML },
- { label: "Azure SAML", value: AuthProvider.AZURE_SAML }
+ { label: "Azure SAML", value: AuthProvider.AZURE_SAML },
+ { label: "JumpCloud SAML", value: AuthProvider.JUMPCLOUD_SAML }
];
const schema = yup.object({
@@ -144,6 +146,16 @@ export const SSOModal = ({
issuer: "Azure AD Identifier",
issuerPlaceholder: "https://sts.windows.net/xxx/"
});
+ case AuthProvider.JUMPCLOUD_SAML:
+ return ({
+ acsUrl: "ACS URL",
+ entityId: "SP Entity ID",
+ entryPoint: "IDP URL",
+ entryPointPlaceholder: "https://sso.jumpcloud.com/saml2/xxx",
+ issuer: "IdP Entity ID",
+ issuerPlaceholder: "xxx"
+ });
+
default:
return ({
acsUrl: "ACS URL",
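Review bot: The JumpCloud case uses `issuerPlaceholder: "xxx"`, which gives the admin no hint about the expected value, whereas the sibling cases show a realistic URL shape. The JumpCloud docs added in this commit instruct users to set the IdP Entity ID to the same value as the SP Entity ID, so a placeholder such as `issuerPlaceholder: "same value as SP Entity ID"` would match the documented setup and reduce misconfiguration. The stray blank line before `default:` can also be dropped to match the other cases.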