Cloud access management has become increasingly important for businesses of all sizes, as an increasing number of employees work remotely and rely on cloud-based tools to stay connected and productive. Azure AD is the most popular solution, but more companies are also looking at solutions like JumpCloud for managing cloud access. In this article, we will explore how easy it is to integrate Awingu and JumpCloud by using the custom SAML app.
Step 1: Create Awingu in JumpCloud via the Custom SAML App
The first step in integrating Awingu and JumpCloud is to create a custom SAML app in JumpCloud. SAML (Security Assertion Markup Language) is a protocol used for single sign-on (SSO) authentication, which allows users to log in to multiple applications with a single set of credentials. Awingu supports SAML 2.0, which means that it can be integrated with JumpCloud using SAML.
To create a custom SAML app in JumpCloud, follow these steps:
1. Log in to your JumpCloud admin console and navigate to Applications.
2. Click the “+ Add New Application” button and select “Custom SAML App”.
3. Enter a name for the app (e.g., Awingu) and, on the SSO page, set the following parameters:
As Awingu only supports Service Provider initiated authentication, the following settings are also mandatory:
The last step is to create two attributes that can be passed on as claims to Awingu. The first one needs to correspond with the UPN of the user in Awingu’s local AD, and the second one will be used as the user display name in the Awingu user interface.
In this example, the UPN matches the email address of the user. If this is the case, you can also create a custom attribute for the user and pass this custom attribute to Awingu:
4. Before saving the application, make sure you assign the right group of users to this application and click “Save” to finish the creation of the SAML app in JumpCloud.
5. Once the app is created, select the app in the list of applications and download the XML metadata file by clicking on the “Export Metadata” button.
Once this is done, you are ready to configure the Awingu side.
Step 2: Enable Federation on Awingu
The second step in integrating Awingu and JumpCloud is to enable federation on Awingu. Federation is the process of establishing trust between two identity providers (in this case, JumpCloud and Awingu) so that users can log in to Awingu using their JumpCloud credentials.
Before you start the Awingu configuration, make sure you know the username and password of the built-in management user. This is the user account that was created during the initial installation of Awingu. If you have activated pre-authentication or single sign-on in Awingu and there is a problem with the configuration, this is the only account that can still log in: all other (admin) users will no longer work, because they are forced to authenticate via the IdP, JumpCloud in this case.
To enable federation on Awingu, follow these steps:
- Log in to your Awingu appliance with an admin user and open the system settings.
- Go to “Configure” -> “User Connector” -> “Federated Authentication” and set the Type to “Pre-authentication” and the Protocol to “SAML”.
- Set the Entity ID to “Awingu” and upload the Metadata XML file downloaded earlier onto the Awingu appliance after switching the Metadata Type from “URL” to “XML”.
- Set the Username and Display Name claims to the same names as set on the JumpCloud side, in this example “username” and “displayname”.
- Set the Workspace URL to your public Awingu DNS name.
- Click Apply.
Once this is done, test your configuration by opening an incognito browser window and going to your Awingu URL. If everything is correct, you will be redirected to JumpCloud. After a successful login to JumpCloud, you will be redirected back to Awingu, which will ask you to type in your password. This is your local Windows AD password. No need to panic, this is normal behavior: so far we have only activated “pre-authentication”, not yet full single sign-on.
In case something goes wrong and the pre-authentication is not working, you can still log in to the Awingu appliance with the built-in management user. To do this, open a new incognito window and go to https://your.awingu.url/login?noPreAuth (be careful, this is case sensitive). This will allow you to log in and make modifications to the configuration.
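When the redirect works but Awingu still rejects the login, the usual causes are the three values configured in Steps 1 and 2 not lining up: the IdP entityID from the exported metadata, the SP Entity ID (“Awingu”) that must appear as the assertion's Audience, and the two claim names (“username”, “displayname”). The following check is an added example, not code from the article or from Awingu or JumpCloud; the metadata and assertion it parses are constructed samples with hypothetical URLs, and it does not verify the XML signature.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed stand-in for the JumpCloud "Export Metadata" file (hypothetical values).
IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example.invalid/saml2/awingu">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.invalid/sso/redirect"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed sample assertion carrying the two claims the article configures.
ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_c1" Version="2.0">
  <saml:Issuer>https://idp.example.invalid/saml2/awingu</saml:Issuer>
  <saml:Conditions><saml:AudienceRestriction>
    <saml:Audience>Awingu</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="username"><saml:AttributeValue>jdoe@example.invalid</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="displayname"><saml:AttributeValue>Jane Doe</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def parse_idp_metadata(xml_text):
    """Return the IdP entityID and its HTTP-Redirect SSO URL (what SP-initiated login will use)."""
    root = ET.fromstring(xml_text)
    sso = [s.get("Location") for s in root.findall("md:IDPSSODescriptor/md:SingleSignOnService", NS)
           if s.get("Binding", "").endswith("HTTP-Redirect")]
    return {"entity_id": root.get("entityID"), "sso_redirect": sso[0] if sso else None}

def check_assertion(xml_text, idp_entity_id, sp_entity_id, claims=("username", "displayname")):
    """List mismatches that would make the SP reject the login: issuer, audience, missing claims."""
    a = ET.fromstring(xml_text)
    problems = []
    if a.findtext("saml:Issuer", namespaces=NS) != idp_entity_id:
        problems.append("issuer does not match IdP metadata entityID")
    audiences = [x.text for x in a.findall(".//saml:Audience", NS)]
    if sp_entity_id not in audiences:  # compared exactly: "Awingu" is not "awingu"
        problems.append(f"audience {audiences} does not contain SP entity ID {sp_entity_id!r}")
    present = {x.get("Name"): x.findtext("saml:AttributeValue", namespaces=NS)
               for x in a.findall(".//saml:Attribute", NS)}
    for c in claims:  # names must equal those typed into Awingu's Username / Display Name fields
        if not present.get(c):
            problems.append(f"claim {c!r} missing or empty")
    return problems
```

Feed it a real assertion captured from the browser (for example with the browser's developer tools, base64-decoded) to see which of the three values is off before changing anything on either side.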
Step 3: Go full Single Sign-On in Awingu
Once you have a working pre-authentication and know the integration with JumpCloud is done correctly, you can go to the last step, which is switching the Federated Authentication type from “Pre-Authentication” to “Single sign-on”.
This last step is independent of the IdP used (JumpCloud in this case) and removes the popup for the local Windows AD password. You’ll need to make Awingu a sub-CA of your Active Directory. Awingu can then generate user certificates and, via Kerberos and other standard Windows protocols, log the user in to applications and drives without a Windows password and without installing any Awingu software in the Windows environment.
Have a look at this video: https://youtu.be/8343EIAVHns or at the admin guide to learn more about how to generate those certificates. Be careful: certificates and Kerberos are sensitive to DNS and other details. Follow the instructions to the letter to make it work.
Once you have uploaded the certificates to your appliance, your users can log in to Awingu with their JumpCloud credentials. This means that you can manage cloud access for your entire organization using a single platform (JumpCloud), while still providing your users with a seamless login experience.