Articles in this section

Configure SAML SSO Integration

Callisto (J1 Support Bot)
  • Updated
Follow

Single Sign On is supported via a custom authentication client configured within a JupiterOne account. This feature is available to all enterprise customers upon request. To request SSO integration to be enabled for your account, please open a support ticket or contact your technical account manager.

Supported Features

  • SP-initiated SSO

    Service Provider Initiated (SP-initiated) SSO means when SAML authentication is initiated by the Service Provider (SP). This is triggered when the end user tries to access a resource in JupiterOne or login directly to the JupiterOne account.

  • JIT (Just In Time) Provisioning

    Users are created/updated on the fly using the SAML attributes sent as part of the SAML response coming from the Identity Provider (IdP). The user is created during initial login to JupiterOne and updated during subsequent logins.

IdP-initiated SSO is currently unsupported due to a limitation of Amazon Cognito.

Configuration Steps

  1. Log in to your JupiterOne account -- your user must be a member of the Administrators group.

  2. Go to the Single Sign On setup from the configurations menu.

    sso-menu

  3. Click on Configure.

    configure-sso

  4. In the client configuration screen, copy the following two variables to be used when adding JupiterOne as an application in your SAML IdP account:

  • Single Sign On URL
  • Audience URI (SP Entity ID)
  1. In your IdP Account, add a new SAML Application and name it "JupiterOne".
  • Copy/paste the previous two variable values in the SAML settings.
  • Use the same Single Sign On URL string value for Recipient URL and Destination URL.
  • Leave the Default Relay State blank.
  • Select EmailAddress for Name ID Format.
  • Select Email or Username for Application Username.
  • See next section for details on Attribute Mappings.

  1. Complete setup of the SAML application within your IdP account, and copy the Identity Provider Metadata link.

    In Okta, this link can be found on the Sign On tab of the application, under View Setup Instructions, as shown below:

    okta-idp-metadata

  2. Go back to JupiterOne Auth Client Settings screen, paste the above link to the SAML Metadata Document URL field.

  3. Enter a Client Name, such as "Okta".

  4. Check Authorization code grant and Implicit Grant under "Allowed OAuth Flows".

    allowed-oauth-flows

Save and you are all set. Next time you access your JupiterOne account via the vanity URL (e.g. https://your_company.apps.us.jupiterone.io), you should be redirected to your SAML IdP for authentication.

Attribute Mappings

The following attribute mappings are supported:

  • email: User's email address
  • family_name: User's last name
  • given_name: User's first name
  • name: User's display name
  • group_names: Dynamically assigns user to specified groups within JupiterOne. Use a comma to separate multiple group names (without spaces). Users without group_names mapping are assigned to the Users group within your JupiterOne account by default.

Here's an example of attribute mapping configuration in Okta:

okta-attribute-mappings

We highly recommend adding a custom group attribute to the JupiterOne app profile in your IdP account (e.g. Okta). This is typically added using the Profile Editor for the app. You can name the attribute something like jupiterone_groups.

Below is an example within Okta:

okta-app-profile-editor

You can then use this custom app attribute to assign group memberships to your users based on their IdP group assignments. The actual value for the attribute is typically configured on the group(s) assigned to the app.

Below is an example within Okta:

okta-app-group-assignment

Note that provisioning users with group_names attribute mapping is OPTIONAL. Users without group_names mapping are assigned to the Users group within your JupiterOne account by default.

Removing Users

When you unassign / remove a user from the JupiterOne app within your IdP, the user will no longer be able to log in to your JupiterOne account because the authentication happens with your IdP. However, the user memberships will remain in the Groups. You can manually remove them from the groups within JupiterOne.

remove-user

Current Limitations

IdP-initiated sign on flow is not supported

JupiterOne uses Amazon Cognito service to manage authentication including SSO. Cognito currently does not support IdP-initiated sign on. That is, you will not be able to click on the app icon on your IdP account (e.g. JumpCloud, Okta, OneLogin). Instead, you will need to initiate single sign on by going to your JupiterOne account URL:

https://<your_j1_account_id>.apps.us.jupiterone.io

This will redirect to your configured SSO provider for authentication.

You can find your J1 account id by running the following query:

Find jupiterone_account as a return a.accountId

Workaround

If your SSO provider supports configuring a "Bookmark" app, you can workaround this limitation by doing the following:

  • Hide the app icon to users for the configured JupiterOne SAML SSO app
  • Configure a Bookmark app with your JupiterOne account URL and assigned it to the same users/groups that have been assigned the JupiterOne SAML app

Related articles

Comments

0 comments

Please sign in to leave a comment.