Using JumpCloud as your Identity Provider (IdP)
- Updated On 28 May 2025
This guide will walk you through the steps to set up Single Sign-On (SSO) with SAML 2 authentication in Mambu, using JumpCloud as your Identity Provider (IdP).
Prerequisites
- Administrator access to both Mambu and JumpCloud
- Understanding of SAML 2.0 concepts
- Roles defined in Mambu
- JumpCloud groups defined
- Custom attribute defined for groups to map RoleID
Step 1: Configure JumpCloud as the IdP
- Log in to the JumpCloud Admin Portal.
- Navigate to User Authentication > SSO Applications.
- Click + Add New Application.
- Enter the name of the application in the Search field (e.g. Mambu) and select it.
- Click Next.
- In the Display Label, type your name for the application.
- Optionally, you can enter a Description, adjust the User Portal Image and choose to hide or show the application in the User Portal. (e.g., "Mambu Sandbox/Prod SSO").
- In the IdP Entity ID field, enter a unique identifier for JumpCloud (e.g., jumpcloud-mambu-sso).
- In the SP Entity ID field, enter Mambu's SAML URL for the environment you are setting up:
- Production: https://<tenant>.mambu.com/saml/login
- Sandbox: https://<tenant>.sandbox.mambu.com/saml/login
- In the Display Label, type your name for the application.
- Click Save Application.
- Click Configure Application.
- Select the SSO tab.
- Configure the ACS URL (Assertion Consumer Service URL):
- Production: https://<tenant>.mambu.com/saml/login
- Sandbox: https://<tenant>.sandbox.mambu.com/saml/login
- Save the IdP URL; you will need this for the Mambu configuration.
- Ensure the Attributes are mapped. These are case sensitive.
- RoleID represents the Role Name in Mambu. If your user groups match the RoleName of Mambu, in the User Attributes you can set RoleID to the JumpCloud user attribute memberOf. For more information see this page.
- Alternatively, you could add a custom attribute in each user group with the value of the Role Name in Mambu.
- Using the custom attribute your SSO Attributes should look like this:
- Save the configuration.
- Download the IdP Certificate from JumpCloud. You will need this for the Mambu configuration.
Step 2: Configure Mambu as the Service Provider (SP)
- Log in to your Mambu instance with administrator privileges.
- Navigate to Administration > Access > Federated Authentication.
- Select the option to Enable SSO authentication.
- Enter a Display Name (e.g., "JumpCloud SSO").
- In the Single Sign-On Endpoint, enter the following URL with the application name you specified in Step 1.4: https://sso.jumpcloud.com/saml2/<applicationname>.
- Obtain the fingerprint of the identity provider (IdP) certificate, which is required by Mambu.
- Run the following command in a terminal and replace <filelocation>/certificate.pem with your certificate's location and name downloaded from step 1.15:
  openssl x509 -sha256 -in /<filelocation>/certificate.pem -noout -fingerprint
- Enter the value in the Certificate Fingerprint field.
- In the Issuer ID field enter the value of the IdP Entity ID specified in Step 1.5.b.
- In the ACS URL field, enter the Mambu tenant URL used in Step 1.5.c:
- Production: https://<tenant>.mambu.com/saml/login
- Sandbox: https://<tenant>.sandbox.mambu.com/saml/login
- Click Test Configuration.
- This will validate communication back to JumpCloud and validate the certificate and URLs.
- If successful, click Save.
- Although you may get a message that this is irreversible, you can still disable Federated Authentication in Mambu if needed.
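The fingerprint from the openssl step can be cross-checked before it is pasted into the Certificate Fingerprint field. The following is an added example, not Mambu's or JumpCloud's code: it computes the SHA-256 fingerprint over the certificate's DER bytes (not over the PEM text) and compares it with a configured value regardless of prefix, colons or case. The function names and the stand-in certificate bytes are assumptions made for the illustration.

```python
import base64
import hashlib
import re

def pem_to_der(pem_text):
    """Return the DER bytes of the first CERTIFICATE block in a PEM file."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----",
                  pem_text, re.S)
    if m is None:
        raise ValueError("no PEM certificate block found")
    return base64.b64decode("".join(m.group(1).split()), validate=True)

def sha256_fingerprint(pem_text):
    """Colon-separated uppercase SHA-256 of the DER encoding."""
    digest = hashlib.sha256(pem_to_der(pem_text)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def normalize(fingerprint):
    """Strip an 'xxx Fingerprint=' prefix, colons, whitespace and case."""
    value = fingerprint.split("=", 1)[-1]
    hexdigits = re.sub(r"[\s:]", "", value).lower()
    if not re.fullmatch(r"[0-9a-f]{64}", hexdigits):
        raise ValueError("not a SHA-256 fingerprint")
    return hexdigits

def fingerprints_match(pem_text, configured):
    """True if the configured value is the fingerprint of this certificate."""
    return normalize(sha256_fingerprint(pem_text)) == normalize(configured)

# Constructed stand-in bytes, NOT a real certificate: the fingerprint is a
# hash of whatever DER bytes the PEM wraps, so any bytes show the mechanics.
SAMPLE_DER = bytes(range(48))
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER).decode("ascii")
              + "-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    fp = sha256_fingerprint(SAMPLE_PEM)
    print("sha256 Fingerprint=" + fp)
    print(fingerprints_match(SAMPLE_PEM, fp.replace(":", "").lower()))
```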
Step 3: Assign users to branches
To assign users to specific branches using Federated Authentication, branch assignment must be done through the IdP. This requires attribute mapping. Add the user attribute BranchID to JumpCloud's SAML configuration. The value at user or group level must match the ID for the branch defined in Mambu.
For more information, please refer to the supporting documentation.
Step 4: Test the SSO connection
- In another browser or using incognito mode, open the Mambu URL and click the Login with JumpCloud SSO link below the password field to initiate a test SSO login.
- You will be redirected to JumpCloud for authentication.
- After being successfully authenticated in JumpCloud, you will be redirected back to Mambu and logged in.
- Verify that user access and roles are correctly mapped at the Administration > Access > Users view.
Step 5: Optional Single Log Out (SLO)
Some IdPs support Single Log Out functionality where, when a user logs out of one system, the IdP logs them out of all integrated systems. At the time of this writing, JumpCloud did not support SLO.
Please check with JumpCloud support if Single Log Out is supported.
For more information on SLO from Mambu, refer to the support documentation.
Troubleshooting
| Issue | Solution |
|---|---|
| Login fails | Verify that the IdP and SP Entity IDs, ACS URLs, and certificates are correctly configured in both JumpCloud and Mambu. |
| Login fails "Email already in use" | A user is already defined in Mambu with the email address of the person attempting to log in. Ensure that each user has a unique email address. If a user was created prior to enabling SSO, edit the username in Mambu to match that of JumpCloud. |
| Incorrect user roles | Ensure that user attributes are correctly mapped between JumpCloud and Mambu. The mapped values should be the Role Name and not the Role ID. |
| Certificate errors | Check that the correct certificate is uploaded and that it is not expired. |
| Session timeouts differ | The session expiration times for Mambu and your IdP are independent of one another. Once you log into Mambu, the system will only take into account your Mambu session expiration time. |
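
For the "Login fails" and "Incorrect user roles" rows, it helps to look at what JumpCloud actually sends. The following is an added example, not code from Mambu or JumpCloud: it takes the base64 SAMLResponse form field captured from a test login and compares its Issuer, Destination and case-sensitive attribute names with the values entered in Steps 1 to 3. The function names, the tenant URL and the sample role and branch values are assumptions.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

def sent_attributes(root):
    """Map each SAML attribute name to the values the IdP sent for it."""
    found = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.iterfind("saml:AttributeValue", NS)]
        found.setdefault(attr.get("Name", ""), []).extend(values)
    return found

def check_response(saml_response_b64, issuer_id, acs_url, wanted=("RoleID", "BranchID")):
    """Diagnostic only: compares field values, does NOT verify the signature."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    problems = []
    issuer = root.findtext("saml:Assertion/saml:Issuer", "", NS).strip()
    if issuer != issuer_id:
        problems.append(f"Issuer {issuer!r} differs from Issuer ID {issuer_id!r}")
    if root.get("Destination") != acs_url:
        problems.append(f"Destination {root.get('Destination')!r} differs from ACS URL")
    names = sent_attributes(root)
    for want in wanted:
        if want in names:
            continue
        near = [n for n in names if n.lower() == want.lower()]
        problems.append(f"{want} sent as {near[0]!r} (wrong case)" if near
                        else f"{want} not sent")
    return problems

# Constructed sample (tenant, role and branch values are made up); RoleID is
# deliberately mis-cased to show the case-sensitivity failure.
SAMPLE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    Destination="https://tenant.sandbox.mambu.com/saml/login">
  <saml:Assertion>
    <saml:Issuer>jumpcloud-mambu-sso</saml:Issuer>
    <saml:AttributeStatement>
      <saml:Attribute Name="roleid"><saml:AttributeValue>Teller</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="BranchID"><saml:AttributeValue>BR-001</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
SAMPLE_B64 = base64.b64encode(SAMPLE_XML.encode()).decode()

if __name__ == "__main__":
    print(check_response(SAMPLE_B64, "jumpcloud-mambu-sso",
                         "https://tenant.sandbox.mambu.com/saml/login"))
```

An empty list means the captured response is consistent with the configured values; it says nothing about whether the assertion's signature is valid.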
