Deprecated - SAML 2.0 Setup for JumpCloud
Warning: The options to set up single sign-on (SSO) have changed. Organizations that use SSO will now see a New single sign-on tab on the Authentication settings page in Security and must set up new SSO connections by Oct. 31. This archived guidance for the now-obsolete configuration process will remain available to manage existing connections until the Oct. 31 deadline and will then be removed. For updated guidance to create or migrate SSO connections, see Single Sign-on Setup.
To enable members to sign in to their Blackbaud IDs with their managed JumpCloud account credentials, set up a custom Security Assertion Markup Language (SAML) 2.0 app in your JumpCloud administrative console, and configure its connection on the Authentication settings page in Security.
Warning: To help prevent an inadvertent lockout, ensure you have another Blackbaud ID outside of your claimed domains with access to the Authentication settings page.
- In Security, select Authentication and then select Manage SSO settings under Single sign-on.
- In a separate browser tab, sign in to your JumpCloud administrator console with an administrator account.
- In your JumpCloud administrative console:
  - Select Applications, Add (+).
  - Under Configure new application, search for SAML, and select configure.
  - In the IDP entity ID field, enter a unique name to help identify the application.
  - Generate and upload the IdP private key and certificate pair. For more information, see JumpCloud SAML Configuration Notes.
  - In the SAMLSubject NameID field, enter username.
  - In the SAMLSubject NameID format field, enter urn:oasis:names:tc:SAML:1.0:nameid-format:unspecified.
  - Under User attributes, add attributes with both names and values of:
    - username
    - email
    - firstname
    - lastname
  - In the IDP URL field, append a unique name to the URL to set where Blackbaud ID will send SAML requests and users will authenticate.
  - In the Display name field, enter a label — such as Blackbaud ID — to help users identify the connection.
- On the Authentication settings page in Security:
  - Under Single sign-on, select Use SAML 2.0.
  - Under Configure your connection, select Get started or Edit connection details.
  - In the Organization display name field, enter how your organization's name should appear to your members when they sign in.
  - In the SAML sign-in URL field, enter the full IdP URL from your JumpCloud administrative console.
  - With a bookmark app, users can sign in to their Blackbaud solution directly from your IdP. To set up a bookmark app, in the IdP-initiated SSO URL field, enter the URL for your Blackbaud solution.
    Tip: Your IdP-initiated SSO URL must use a Blackbaud ID-supported domain, such as blackbaud.com. For more information, see Redirect Settings.
  - Under Signing certificate, select Choose file, and then browse to and select the IdP certificate uploaded to your JumpCloud administrative console.
  - Enter the user attributes JumpCloud uses to permanently identify member details:
    - In the NameID field, enter username.
    - In the Email address field, enter email.
    - In the First name field, enter firstname.
    - In the Last name field, enter lastname.
    Warning: Your IdP may require different JumpCloud attributes. If your connection is unsuccessful, consult your IdP to determine which attributes you should use to identify member details.
  - Select Save.
- On the Authentication settings page:
  - Under Single sign-on, select Continue under Configure your IdP.
  - Under the assertion consumer service (ACS) URL, select copy to clipboard.
- In your JumpCloud administrative console, paste the URL in the ACS URL field.
- On the Authentication settings page, select copy to clipboard under the entity ID.
- In your JumpCloud administrative console:
  - In the SP entity ID field, paste the entity ID from Authentication services.
  - Select Activate.
- On the Authentication settings page, select Save.
- In your JumpCloud administrative console, add the app to a group:
  - Select Groups, and then choose the group whose members will sign in with their Blackbaud IDs.
    Tip: To ensure you can test the connection, verify you're a member of the selected group.
  - Under Applications, select the new SAML application.
  - Select save group.
- To properly recognize and redirect members to JumpCloud when they sign in, identify which email domains your organization uses. For more information, see Claimed Email Domains.
After you set up your connection and claim your email domains, test the connection to verify your organization can now use JumpCloud to sign in to Blackbaud solutions. For more information, see Test Mode.
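When a test sign-in fails, a decoded SAML response captured from your browser can be compared against the values this guide configures: the NameID format, the four user attributes, the ACS URL as Destination, and the SP entity ID as Audience. This is an added example, not Blackbaud or JumpCloud code; the function names, the example.test URLs and the sample response are constructed, and the check is structural only (it does not verify the signature).

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
NAMEID_FORMAT = "urn:oasis:names:tc:SAML:1.0:nameid-format:unspecified"
REQUIRED_ATTRS = ("username", "email", "firstname", "lastname")
# Constructed placeholders; use the ACS URL and entity ID copied from the settings page.
ACS = "https://sp.example.test/acs"
ENTITY = "https://sp.example.test/entity"

def check_response(xml_text, acs_url, sp_entity_id):
    """List mismatches between a decoded SAML response and the values in this guide."""
    root = ET.fromstring(xml_text)
    problems = []
    if root.get("Destination") != acs_url:
        problems.append("Destination does not match the ACS URL")
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        problems.append("NameID missing or empty")
    elif name_id.get("Format") != NAMEID_FORMAT:
        problems.append("unexpected NameID format: %s" % name_id.get("Format"))
    audiences = [a.text for a in root.findall(".//saml:Audience", NS)]
    if sp_entity_id not in audiences:
        problems.append("Audience does not include the SP entity ID")
    values = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        value = attr.find("saml:AttributeValue", NS)
        values[attr.get("Name")] = (value.text or "").strip() if value is not None else ""
    for name in REQUIRED_ATTRS:
        if not values.get(name):
            problems.append("attribute missing or empty: " + name)
    return problems

def build_sample(attrs, fmt=NAMEID_FORMAT):
    """Build a constructed, unsigned response for exercising check_response."""
    items = "".join(
        '<saml:Attribute Name="%s"><saml:AttributeValue>%s</saml:AttributeValue>'
        '</saml:Attribute>' % pair for pair in attrs.items())
    return (
        '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Destination="%s">'
        '<saml:Assertion><saml:Subject><saml:NameID Format="%s">jdoe</saml:NameID>'
        '</saml:Subject><saml:Conditions><saml:AudienceRestriction>'
        '<saml:Audience>%s</saml:Audience></saml:AudienceRestriction></saml:Conditions>'
        '<saml:AttributeStatement>%s</saml:AttributeStatement></saml:Assertion>'
        '</samlp:Response>' % (ACS, fmt, ENTITY, items))

if __name__ == "__main__":
    partial = build_sample({"username": "jdoe", "email": "jdoe@example.test"})
    for problem in check_response(partial, ACS, ENTITY):
        print("MISMATCH:", problem)
```

An empty result means the response matches the mapping entered on the Authentication settings page; each reported mismatch points at the JumpCloud field to revisit.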
After you set up your connection, you can turn on SSO. When you turn on SSO, anyone who signs in to their Blackbaud ID with one of your claimed domains is redirected to your organization's JumpCloud login. After they authenticate with their managed JumpCloud account credentials, their Blackbaud ID:
- Automatically redirects to your organization's JumpCloud login for future sign-ins
  Tip: By default, members redirect to their Blackbaud ID profile when they sign in through your JumpCloud login. To instead open a different Blackbaud solution, edit the redirect. For more information, see Redirect Settings.
- Uses your JumpCloud administrative console for password updates, lockouts, and similar authentication management
To complete the connection to JumpCloud, select Learn about connecting SSO and Connect with SAML.
Note: After you enable SSO, resend any pending invitations sent before the connection to JumpCloud.