Configure Dome9 SSO with JumpCloud

    Based on JumpCloud documentation

    Single Sign On (SSO) with JumpCloud

    PREREQUISITES: In order to successfully complete the integration between JumpCloud and Dome9, you must use an owner account in Dome9.

    CONFIGURATION NOTES:

    Note 1: Dome9 does not provision new users automatically via SSO (there is no just-in-time provisioning). Before attempting SSO, every user must already have a Dome9 account whose email address matches the email address of their JumpCloud account.

    Note 2: To prevent account lockout, Dome9 does not allow the account owner to use single sign-on. The owner always signs in with local credentials, so a broken IdP configuration can still be repaired from the owner account.

    Note 3: We assume the JumpCloud administrator performing the integration understands how to generate a private key and a matching public (self-signed) certificate. The commands below generate them with OpenSSL on Linux; refer to other guidance for other operating systems. Keep the private key confidential: it is uploaded only to JumpCloud, which uses it to sign SAML assertions, while Dome9 receives only the public certificate.

    • Create a private key: openssl genrsa -out private.pem 2048

    • Create a self-signed public certificate for that private key (valid for 1095 days, i.e. three years): openssl req -new -x509 -key private.pem -out cert.pem -days 1095
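    The following script is an added example and is not part of the JumpCloud or Dome9 documentation. It wraps the two OpenSSL commands from Note 3 in a function that refuses to overwrite an existing key and creates the key with restrictive file permissions, then adds the check a practitioner wants before uploading anything: that the certificate really belongs to the private key and has not expired. File names, the certificate subject and the validity period are illustrative choices, not values required by either product.

```shell
#!/bin/sh
# Added example (not from the JumpCloud/Dome9 docs): generate the IdP signing
# key pair for the Dome9 connector and verify it before uploading.
# Assumes OpenSSL is installed; file names and the subject are illustrative.
set -eu

make_idp_keypair() {
    key="${1:-private.pem}"
    cert="${2:-cert.pem}"
    days="${3:-1095}"
    # Refuse to silently overwrite a key that may already be uploaded to JumpCloud.
    if [ -e "$key" ]; then
        echo "refusing to overwrite existing key: $key" >&2
        return 1
    fi
    # umask 077 in a subshell so the private key is never world-readable.
    (umask 077 && openssl genrsa -out "$key" 2048 2>/dev/null)
    # Self-signed certificate; the subject is arbitrary for SAML, Dome9 only
    # needs the public key to verify the assertion signatures JumpCloud produces.
    openssl req -new -x509 -key "$key" -out "$cert" -days "$days" \
        -subj "/CN=jumpcloud-dome9-sso" 2>/dev/null
}

# Returns 0 if the certificate carries the same public key as the private key,
# is not expired and is a complete PEM block; a mismatch here means Dome9
# would reject every signed assertion.
verify_idp_keypair() {
    key="$1"; cert="$2"
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl sha256)
    cert_pub=$(openssl x509 -in "$cert" -pubkey -noout 2>/dev/null | openssl sha256)
    [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ] || { echo "key/cert mismatch" >&2; return 1; }
    # -checkend 0 exits non-zero once the certificate has expired.
    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null || { echo "certificate expired" >&2; return 1; }
    # Dome9 wants the whole PEM block pasted, including the BEGIN/END lines.
    grep -q -- '-----BEGIN CERTIFICATE-----' "$cert" && grep -q -- '-----END CERTIFICATE-----' "$cert"
}

# Usage (writes into the current directory):
#   make_idp_keypair private.pem cert.pem 1095 && verify_idp_keypair private.pem cert.pem
```

    The resulting private.pem is what you upload in step 6 of the JumpCloud configuration; cert.pem is pasted into Dome9 in step 8 of the Dome9 configuration and uploaded to JumpCloud in step 7.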

    To restrict access to a smaller group of users (configured on the JumpCloud side):

    1. Note the IdP URL of this app in the Application details, e.g. https://sso.jumpcloud.com/saml2/ConnectorName

    2. Create a new Tag named SSO-ConnectorName, using the connector name from that URL. Important: the tag name is case sensitive.

    3. Add the users who should be given access to Dome9 via Single Sign-On to this Tag. Users who are not in this Tag will be denied access.

    IMPORTANT: If the Tag does not exist, all users in your JumpCloud organization are authorized to access Dome9 (they still need a matching Dome9 account, see Note 1).

    Step 1 of 2: Configure Dome9 for JumpCloud SSO

    1. Log in to Dome9 as an account owner

    2. Hover over your email in the upper right corner and select Account Settings from the drop-down menu

    3. Click on the SSO tab

    4. Click Enable

    5. In the Account ID field, enter a unique value with no spaces that identifies your company's SSO configuration in Dome9 (your company name is a good value to use here) and copy this value; it becomes part of the ACS URL configured in JumpCloud

    6. In the Issuer field, enter https://YOURDOMAIN.com (replace YOURDOMAIN with your company's unique domain)

    7. In the IdP Endpoint URL field, enter https://sso.jumpcloud.com/saml2/dome9

    8. In the X.509 Certificate field, paste the entire public certificate (cert.pem from Note 3, including the BEGIN CERTIFICATE and END CERTIFICATE lines). Do not paste the private key here

    9. Click Save

    10. Click Users & Roles in the upper or side menu

    11. Create a new user to test your configuration by clicking + ADD USER

    12. Fill in the necessary fields to create the user and ensure that SSO User is toggled to On

    13. Click Create

    14. To enable a pre-existing user to sign in via SSO, click Actions for that user and select Connect to SSO from the drop-down menu

    Step 2 of 2: Configure JumpCloud SSO for Dome9

    1. Log into the JumpCloud Admin UI at https://console.jumpcloud.com

    2. Click on the Applications link in the side navigation

    3. Click on the green + icon in the upper left corner and find Dome9 in the list

    4. Click Configure

    5. In the IdP Entity ID field, enter https://YOURDOMAIN.com (this should be the same value that you entered in the Issuer field in Dome9)

    6. Click Upload Private Key and upload your private key (private.pem from Note 3). This is the only place the private key is uploaded

    7. Click Upload IdP Certificate and upload your public certificate (cert.pem from Note 3, the same certificate pasted into Dome9)

    8. In the ACS URL field, enter https://secure.dome9.com/sso/saml/ACCOUNT_ID (replace ACCOUNT_ID with the value that you entered in the Account ID field in Dome9)

    9. Click Activate
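    Most failed setups come from the two consoles disagreeing on a value, so it is worth checking the pairing before clicking Save and Activate. The script below is an added example, not part of the JumpCloud or Dome9 documentation: it encodes the relationships the two procedures above require (Issuer equals IdP Entity ID, ACS URL is built from the Account ID, IdP Endpoint URL is a JumpCloud SAML endpoint, the restriction Tag is derived from the connector URL) and reports every mismatch. The sample values used in the comments (Account ID acme, domain acme.example) are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the JumpCloud/Dome9 docs): check that the values
# entered in Dome9 and in JumpCloud agree before activating the connector.
# URL patterns are the ones given in the configuration steps; sample values
# such as "acme" / https://acme.example are constructed.
set -eu

# ACS URL Dome9 expects for a given Account ID (JumpCloud step 8).
dome9_acs_url() { printf 'https://secure.dome9.com/sso/saml/%s\n' "$1"; }

# Tag that restricts a connector: "SSO-" + last path segment of the IdP URL,
# with case preserved because the tag name is case sensitive.
sso_tag_for_idp_url() { printf 'SSO-%s\n' "${1##*/}"; }

# Returns 0 when both sides agree, 1 otherwise; every mismatch goes to stderr.
# Args: dome9_account_id dome9_issuer dome9_idp_endpoint jc_idp_entity_id jc_acs_url
check_sso_pairing() {
    account_id="$1"; issuer="$2"; idp_endpoint="$3"; entity_id="$4"; acs_url="$5"
    problems=0
    # Dome9 step 5: Account ID must be non-empty and contain no spaces.
    case "$account_id" in
        ''|*' '*) echo "Account ID must be non-empty with no spaces: '$account_id'" >&2; problems=$((problems+1)) ;;
    esac
    # Dome9 step 6: Issuer is an https:// URL of your domain.
    case "$issuer" in
        https://*) ;;
        *) echo "Issuer should be an https:// URL: $issuer" >&2; problems=$((problems+1)) ;;
    esac
    # JumpCloud step 5: IdP Entity ID must equal the Dome9 Issuer, byte for byte
    # (a trailing slash or different case breaks the match).
    if [ "$issuer" != "$entity_id" ]; then
        echo "Issuer ($issuer) and IdP Entity ID ($entity_id) differ" >&2; problems=$((problems+1))
    fi
    # JumpCloud step 8: ACS URL is derived from the Dome9 Account ID.
    expected_acs=$(dome9_acs_url "$account_id")
    if [ "$acs_url" != "$expected_acs" ]; then
        echo "ACS URL is $acs_url, expected $expected_acs" >&2; problems=$((problems+1))
    fi
    # Dome9 step 7: the endpoint must point at JumpCloud's SAML service.
    case "$idp_endpoint" in
        https://sso.jumpcloud.com/saml2/*) ;;
        *) echo "IdP Endpoint URL is not a JumpCloud SAML endpoint: $idp_endpoint" >&2; problems=$((problems+1)) ;;
    esac
    [ "$problems" -eq 0 ]
}

# Usage:
#   check_sso_pairing acme https://acme.example https://sso.jumpcloud.com/saml2/dome9 \
#       https://acme.example "$(dome9_acs_url acme)"
#   sso_tag_for_idp_url https://sso.jumpcloud.com/saml2/ConnectorName   # SSO-ConnectorName
```

    Run it with the exact strings you typed into both consoles; a trailing slash on the IdP Entity ID or a differently cased connector name in the Tag are the kind of differences that are easy to miss by eye and are reported here.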

    To test your single sign-on configuration:

    (IdP-Initiated Flow)

    • Log into the JumpCloud User Console with the email you used to create a test user in Dome9 (or another email used by a Dome9 account that does not have owner privileges, see Note 2 above)

    • Click on the Dome9 icon

    • You should automatically be logged in to Dome9

    (SP-Initiated Flow)

    • In your Web browser, navigate to https://secure.dome9.com/sso/ACCOUNT_ID

    • If necessary, log into the JumpCloud User Console as the appropriate user (see Note 2 above)

    • You should automatically be logged in to Dome9