
JumpCloud SAML SSO Configuration

Updated over 2 months ago

This guide demonstrates the step-by-step process for creating a new application in JumpCloud, capable of communicating via SAML 2.0 with Axur Platform services. In this guide, we will cover all the necessary configurations to ensure that Single Sign-On (SSO) works correctly and as expected.




Before You Start

  • Ensure you have an Administrator account in JumpCloud and can access it without issues.

  • When performing the configurations, make sure that the data you will copy or type in the indicated locations is correct. Incorrect data entry can cause problems later when we test our application.


Groups, users, and assignments

In all Axur Platform SSO application creation tutorials, there is the concept of users and groups. After all, the provider is where all your user information will be stored, in addition to the groups to which they belong (creating groups via the provider is optional). In this sense, this section is dedicated to teaching how to create groups and users in JumpCloud, as well as assigning users to groups.

Creating a group (Optional)

This section is optional. Groups can be managed within the Axur Platform if you wish. Therefore, if you prefer, you can skip the sections on Creating a group, Assigning a group to a user, and Mapping user groups.

To start, note that the Axur Platform accepts the following groups; the description of each group is given alongside it:

  • Axur Viewer: Users in this group will have access to the Axur Platform, with the ability to view all ticket, result, and invoice information, but cannot perform any actions.

  • Axur Analyst: Users in this group will have access to the Axur Platform and, in addition to viewing all information, can perform non-billable actions (all except Takedown requests).

  • Axur Expert: Users in this group will have access to the Axur Platform and, in addition to performing non-billable actions, can also request Takedowns.

  • Axur Manager: Users in this group will have access to the Axur Platform and can perform all actions (non-billable and billable), and can also view the activities performed by their users in the Axur Platform.

  • Axur Custom: Users in this group have a personalized set of capabilities; when they are created, the manager decides what those capabilities will be.

You DON’T need to create all of the groups, only the ones that make sense for your use case. With that said, you can create a group and fill in its basic information:

Before finishing this process, we need to do one more thing. The Axur Platform expects group names in the following format (Group: Desired value):

  • Axur Viewer: one-viewer

  • Axur Analyst: one-practitioner

  • Axur Expert: one-expert

  • Axur Manager: one-manager

  • Axur Custom: one-basic

In JumpCloud, you can give the new group any name you want (in the example image, the name is Axur demo - One Manager). To allow the Axur Platform to correctly receive the Desired value from the table, scroll down on the group creation page and find the Custom attributes section. There, add an attribute similar to the one in the image:

The name of the property (one-perm in this case) can be anything. Just make sure the same name is used on all the groups you create for the Axur Platform SAML App. The value of the property (the one on the right side) must match the desired value from the table above. This setup ensures that the attribute one-perm maps to a name the Axur Platform recognizes. You can finish the group creation process now.

Creating a user

To create a user, follow the step-by-step instructions in the images:

There are multiple ways of creating a user on JumpCloud. We are showing the simplest one just for the sake of completeness of the tutorial. However you decide to create users, make sure these three fields are filled so that the Axur Platform integration can work correctly:

  • First name

  • Last name

  • Email

Assigning a group to a user (Optional)

This section is optional. Groups can be managed within the Axur Platform if you wish. Therefore, if you prefer, you can skip the sections on Creating a group, Assigning a group to a user, and Mapping user groups.

To assign a user to a group you created, follow the step-by-step instructions in the images:


Creating a new application

Follow the step-by-step instructions in the images below to create the new SAML application providing data for the Axur Platform:

After creating your application, open the SSO tab, where all our SSO configurations will be made. You will need to fill in the IdP Entity ID field with your desired value. This is the format we recommend:

https://sso.jumpcloud.com/saml2/<IDENTIFICATION>

where <IDENTIFICATION> could be something like my-company. We will stay on this page for the remaining configurations, so proceed.


Sending Axur Platform data to JumpCloud

JumpCloud needs to know who it will be communicating with for the SSO process to work smoothly. Click on the following link to download Axur Platform’s metadata file. Save it somewhere on your machine where you can easily find it, then click on the button highlighted in the image:

https://api.axur.com/gateway/1.0/saml-proxy/saml/metadata

After uploading the file, the necessary Service Provider (SP) information is filled in automatically. Just confirm that the following fields are populated with these values (Field: Value):

  • ACS URL: https://api.axur.com/gateway/1.0/saml-proxy/saml/SSO

  • SP Entity ID: com:axur:sso

Some other fields may also be filled. You don’t need to do anything if you uploaded the file correctly. Just move on to the next section.


Mapping user attributes

By using JumpCloud as our provider, we are leveraging the credentials that are already stored and managed by JumpCloud, and these credentials are stored in the format defined by the provider. However, to communicate with the Axur Platform using SAML, it’s necessary that user data is sent in a standardized way. Think of it this way: We need to ensure that the Axur Platform always receives the user’s email attribute in the same format regardless of whether this data comes from JumpCloud or any other provider. Different providers store their data in different ways, and mappings solve this problem!

Also on the SSO tab, use the step-by-step instructions in the images to add user attribute mappings in your JumpCloud application.

The values you will need to fill in are listed here (App Attribute → JumpCloud Attribute):

  • http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname → firstname

  • http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname → lastname

  • http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress → email

Keep clicking the Add Attribute button until you reach the state shown in the image below:


Mapping user groups (Optional)

This section is optional. Groups can be managed within the Axur Platform if you wish. Therefore, if you prefer, you can skip the sections on Creating a group, Assigning a group to a user, and Mapping user groups.

Just like user attributes, we also have groups, which bring users together according to some specific criteria. These groups are created by the administrator in JumpCloud and, as explained in the previous section, a mapping is needed so that this data is transmitted to the Axur Platform in a standardized way, regardless of the provider.

In this section, the focus is on taking each of the groups you created in the Groups, users, and assignments section and telling JumpCloud how these group names should be mapped when sending to the Axur Platform.

Still on the SSO tab, under the Attributes section, add another attribute with the following key-value pair. On the right side, choose the Custom attribute option, which lets you type the name of the attribute we created in the Creating a group (Optional) section (App Attribute → JumpCloud Attribute):

  • http://schemas.xmlsoap.org/claims/Group → one-perm

Remember, one-perm is the name of the custom attribute we defined when creating the group; its value resolves to one of the desired group names from the last table in the Creating a group (Optional) section. Make sure you use the correct attribute name.


Obtaining JumpCloud provider data

Since we are using JumpCloud as our identity provider, it is necessary to obtain some information that can tell the Axur Platform who it will be communicating with and whether its information is secure and reliable.

When you finish the setup of your SSO application, access its main page, and you will see two options to obtain JumpCloud’s data:

You can either download the file or copy a URL that references the same content. Make sure you keep this information, since we are going to use it in the platform configuration.


Assigning groups/users to the application

Now all that remains is to assign users or groups to the new application you created. You can access your groups in the User Groups section. Then select the groups you want to assign to the app, and click on the Save button.

If you decided to skip all the sections related to group creation, just search for a specific user (or users) you want to add, and check the box next to their name. After saving, this will ensure they can access the application.


Some common errors

Most problems come from one of the following pieces of information being incorrect:

  • The Service Provider (SP) information (Axur Platform in this case). Verify the data from the corresponding section and ensure it matches.

  • The Identity Provider (IdP) information (JumpCloud in this case). Verify that the file you downloaded here has not been altered.

  • The mapping information for both users and groups (only if you decided to create group mappings via the provider). Verify that the values are correct, and make changes if necessary.

  • The application access information. Verify the assignments of groups or direct users.

Specific errors

  • Error: Non Authorized IdP or expired IdP login
    Description: Unauthorized IdP or expired session.
    How to resolve: Check the Federation Metadata and the IdP.

  • Error: Missing value for string parameter [email claim]
    Description: Missing or empty email claim.
    How to resolve: Make sure the email attribute is correctly configured in the IdP.

  • Error: Redirection error
    Description: Incorrect endpoint URL in the IdP.
    How to resolve: Check whether the endpoints are correctly configured.

  • Error: Local entity is not the intended audience of the assertion in at least one AudienceRestriction
    Description: The assertion was not intended for the SP.
    How to resolve: Check that the entityId configured in the app is set to com:axur:sso.

  • Error: Authentication statement is too old to be used with value {date}
    Description: The authentication statement has expired.
    How to resolve: The IdP session duration exceeds 7 days. Contact support to adjust it.

  • Error: Validation of protocol message signature failed
    Description: The signature of the SAML message is invalid.
    How to resolve: Verify that the Federation Metadata was correctly provided.
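As an added example (not part of this guide or of Axur's or JumpCloud's own tooling), the following Python script checks a SAML assertion for the fields this guide configures: the com:axur:sso audience, the email claim and Group claim from the attribute mappings, the desired group values from the Creating a group (Optional) section, and the 7-day age limit from the error table above. The assertion it inspects is constructed inline, and the Issuer uses my-company as the <IDENTIFICATION> placeholder; the claim names, audience, group values and 7-day limit are taken from this page.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EXPECTED_AUDIENCE = "com:axur:sso"  # SP Entity ID from the table in this guide
EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
GROUP_CLAIM = "http://schemas.xmlsoap.org/claims/Group"
ALLOWED_GROUPS = {"one-viewer", "one-practitioner", "one-expert", "one-manager", "one-basic"}
MAX_AUTHN_AGE = timedelta(days=7)  # limit behind "Authentication statement is too old"

def sample_assertion(audience, email, group, instant):
    """Constructed minimal assertion (not a real capture); Issuer uses 'my-company' as <IDENTIFICATION>."""
    return f"""<saml:Assertion xmlns:saml="{NS['saml']}" ID="_c1" Version="2.0" IssueInstant="{instant}">
  <saml:Issuer>https://sso.jumpcloud.com/saml2/my-company</saml:Issuer>
  <saml:Conditions><saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction></saml:Conditions>
  <saml:AuthnStatement AuthnInstant="{instant}"/>
  <saml:AttributeStatement>
    <saml:Attribute Name="{EMAIL_CLAIM}"><saml:AttributeValue>{email}</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="{GROUP_CLAIM}"><saml:AttributeValue>{group}</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def check_assertion(xml_text, now):
    """Return a list of findings; an empty list means the checked fields look right.
    Signature validation (last row of the error table) needs the IdP certificate and is not done here."""
    root = ET.fromstring(xml_text)
    findings = []
    audiences = [a.text for a in root.iterfind(".//saml:AudienceRestriction/saml:Audience", NS)]
    if EXPECTED_AUDIENCE not in audiences:  # "Local entity is not the intended audience"
        findings.append(f"audience {audiences} does not include {EXPECTED_AUDIENCE}")
    attrs = {a.get("Name"): [v.text or "" for v in a.iterfind("saml:AttributeValue", NS)]
             for a in root.iterfind(".//saml:Attribute", NS)}
    if not any(v.strip() for v in attrs.get(EMAIL_CLAIM, [])):  # "Missing value ... [email claim]"
        findings.append("missing or empty email claim")
    for g in attrs.get(GROUP_CLAIM, []):
        if g not in ALLOWED_GROUPS:  # custom attribute value is not one of the desired values
            findings.append(f"unknown group value {g!r}")
    authn = root.find(".//saml:AuthnStatement", NS)
    instant = datetime.fromisoformat(authn.get("AuthnInstant").replace("Z", "+00:00")) if authn is not None else None
    if instant is None or now - instant > MAX_AUTHN_AGE:  # "Authentication statement is too old"
        findings.append(f"AuthnStatement missing or too old: {instant}")
    return findings

def run_demo():
    """Check one acceptable and one broken constructed assertion at a fixed point in time."""
    now = datetime(2024, 6, 10, tzinfo=timezone.utc)
    good = sample_assertion("com:axur:sso", "ana@example.com", "one-manager", "2024-06-09T12:00:00Z")
    bad = sample_assertion("com:axur:sso-typo", "", "One Manager", "2024-05-01T12:00:00Z")
    return check_assertion(good, now), check_assertion(bad, now)
```

run_demo() returns two lists of findings: an empty list for the well-formed assertion and four findings for the broken one (wrong audience, empty email, a group value that was not lowered to its desired value, and an authentication statement older than 7 days). To check a real assertion exported from your browser's SAML tracer, pass its XML and the current UTC time to check_assertion().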

This concludes the necessary configurations in the JumpCloud provider. Return to the configuration guide on the platform to finalize the creation of your application.


If you have any questions, feel free to reach out at [email protected] 😊
