Configure CloudGuard SSO with JumpCloud


Based on JumpCloud documentation

Single Sign-On (SSO) with JumpCloud

Prerequisites

To successfully complete the integration between JumpCloud and CloudGuard, you must use an owner account in CloudGuard.

Notes:

  1. CloudGuard does not support automatic new user provisioning via SSOClosed Single Sign-On (SSO) - A session/user authentication process that permits a user to enter one name and password in order to access multiple applications.. Prior to attempting SSO, all users must have a CloudGuard account that uses the same email as their JumpCloud account.

  2. To prevent account lockout, CloudGuard does not allow the account owner to use single sign-on.

  3. This instruction assumes that the JumpCloud administrator that performs the integrations understands the process of generating private keys in addition to public certificates. See below the generation of signed certificates on Linux as an example. For generation of keys on other operating systems, refer to these operating systems documentation.

    • Create a private key opensslgenrsa -out private.pem 2048

    • Create a public certificate for that private key:

      opensslreq -new -x509 -key private.pem -out cert.pem -days 1095

To restrict access to a smaller group of users:

  1. Notice the IdP URL name for this app in the Application details, for example, https://sso.jumpcloud.com/saml2/ ConnectorName.

  2. Create a new Tag and name it SSO-ConnectorName. Important: This tag name is case sensitive.

  3. Add users to this Tag who should be given access to CloudGuard via Single Sign-On. Any other users who are not in this tag will be denied access.

    Important - If the Tag does not exist, all users in your organization will be authorized to access CloudGuard.

  1. Log in to CloudGuard with a super user account.

  2. Navigate to Settings > Security & Authentication.

  3. In the SSO section, select Enabled.

  4. In the Account ID field, enter a unique value (no spaces) that is later used to identify your company's SSO configuration with CloudGuard (your company name is a good value to use here) and copy this value.

  5. In the Issuer field, enter https://YOURDOMAIN.com (replace YOURDOMAIN with your company's unique domain).

  6. In the Idp Endpoint Url field, enter https://sso.jumpcloud.com/saml2/dome9.

  7. In the X.509 Certificate field, paste your entire public certificate (see Note 3 above).

  8. Click Save.

  9. Create a test user to test your configuration as appears in Adding a New User in the Dome9 Portal.

  10. Fill in the necessary fields to create the user and ensure that SSO User is toggled to On.

  11. To enable a pre-existing user to sign in via SSO, see Connecting a user to SSO for Dome9 accounts.

  1. Log into the JumpCloud Admin console at https://console.jumpcloud.com.

  2. Click Applications in navigation pane on the left.

  3. Click the green + icon in the upper left corner and find CloudGuard in the list.

  4. Click Configure.

  5. In the IdP Entity ID field, enter https://YOURDOMAIN.com/(this should be the same value that you entered in the Issuer field in CloudGuard, with "/" at the end).

  6. Click Upload Private Key and upload your private key (see Note 3 above).

  7. Click Upload IdP Certificate and upload your public certificate (see Note 3 above).

  8. In the ACS URL field, enter https://secure.dome9.com/sso/saml/ACCOUNT_ID (replace ACCOUNT_ID with the value that you entered in the Account ID field in CloudGuard).

  9. Click Activate.

Test the SSO Configuration

  1. Log into the JumpCloud User Console with the email you used to create a test user in CloudGuard (or another email used by a CloudGuard account that does not have owner privileges, see Note 2 above).

  2. Click the CloudGuard icon.

  3. You should automatically be logged in to CloudGuard.

  1. In your Web browser, navigate to https://secure.dome9.com/sso/ACCOUNT_ID.

  2. If necessary, log into the JumpCloud User Console as the appropriate user (see Note 2 above).

  3. Now you automatically log in to CloudGuard.