SAML based SSO - Login with Jumpcloud
Organimi has implemented SAML-based SSO for Premium account holders. This document walks you through the steps to set up the integration.
Note: Downloadable PDF for this help document is available at the end of the article.
Step 1
Go to your Jumpcloud dashboard, click on SSO Applications on the left side and then click on "Add New Application". In the next step, select Custom Application and click Next. In the next step, click Next again and then select Configure SSO with SAML and then click Next.
Step 2
Under General Info, enter Display Label as “Organimi”, upload Organimi’s logo and click Save Application (you can download the Organimi logo at: Organimi_LogoOnly.png)
Step 3
Click on Configure Application and enter the following information:
- IdP Entity ID: YOUR-COMPANY-ALIAS
- Audience URI (SP Entity ID): https://app.organimi.com
  - Only for EU customers - https://eu.app.organimi.com
  - Only for AU customers - https://au.app.organimi.com
- Single sign-on URL: https://app.organimi.com/api/v7/auth/login/saml/callback
- Default Relay State: {"company":"YOUR-COMPANY-ALIAS"}
  - Note: Replace the placeholder with your company name. This name will also be required later, and anyone who wishes to log in using this IDP will be asked to enter this name when signing in.
- Name ID format: EmailAddress
(Note: Please ensure all the values are mapped correctly as per the screenshots)
In order for a user to log into Organimi, we require the following three attributes of the user from Jumpcloud. Configure them under “Attribute Statements (optional)”. The name should be all lowercase, and the value should be matched accordingly.
- firstname
- lastname
Once everything is configured, click “activate” at the bottom.
On the “Confirmation” dialog, you can simply click “Continue”.
Step 4
Now that the Organimi App is set up on the Jumpcloud side, the next task is to configure this IDP in Organimi.
Select the checkbox for the Organimi app in Jumpcloud and click on “Export Metadata”. You will be using the downloaded file in the following steps.
Step 5
Visit https://app.organimi.com (for EU customers - https://eu.app.organimi.com and for AU customers - https://au.app.organimi.com) and log in to your account using any social login or username/password. Click “My Account” and select the “SSO Settings” tab.
Note: If you don’t see the “SSO Settings” tab, contact Organimi to have SSO enabled for your account (Premium account required).
Step 6
Click on the “Configure IDP” button and enter:
- Company Alias: Enter your company name. It must exactly match the name entered in step 3.4
- IDP Metadata: Copy and paste the XML downloaded in step 4 into the “drop area” as highlighted below (click in the gray box and then paste)
- Click the SAVE button
Step 7
Your Identity Provider should show the Jumpcloud Entity ID that you just set up, which means IDP configuration is accepted.
Note: If you do not reach this point and instead see an error message on clicking the “SAVE” button, contact Organimi support at support@organimi.com.
Now it's time to test logging in with your configured IDP. First, log out of your account. Then log in by clicking “Sign in with SSO”. On the next screen, type in the company name matching the one from steps 3.4 and 6.1, and then click login.
You should be redirected to your Jumpcloud IDP where you can get authenticated. Once successful, you will be redirected back to Organimi and will be logged in.
And you are in. If you click the Change Account link on the Organimi screen, you will see that you are logged in with SAML SSO.
Step 8
You can also enable “Force-SSO” from the configuration tab. This requires everyone using this account (including you) to log in using your configured IDP only in order to access resources under this account. Other login methods (social and username/password) will not be allowed access to the account.
Note: As the account owner, it is recommended that you test logging in with your IDP before turning on this setting, as you will not be able to access the account via any other login method after you enable the “Force-SSO” option.
If you were logged in to Organimi with your SSO IDP Account, you will just see that the switch is now on for “Force SSO”.
If, however, you were logged in to Organimi with your social login or username/password, your access to the account will be immediately disabled, you will be taken to the Account Selection Screen, and you will see that your access to the account is locked. You could disable “Force SSO” (only available to account owners), but normally you would just log out of Organimi and log back in from your SSO IDP Account.
Default share settings for IDPs:
Alternatively, users can be invited from the charts as editors or viewers by enabling default sharing settings for the SSO IDP. This will not send any email invites to these users. They can log in directly using the shared IDP. These permissions can be changed as needed.
- “SSO Login does not imply chart” will remove the access
- “SSO login can view this chart” will assign viewer permissions to the users logging in with the SSO IDP
- “SSO login can edit this chart” will enable Editor permissions for the users logging in with the SSO IDP
Please note:
If default sharing is not enabled as described above, then in addition to provisioning the application to users in Jumpcloud you will also need to invite users to one of your Organizations or Charts in Organimi. If a user has not been invited and granted access to any Organizations or Charts in Organimi, they will be greeted with a message telling them they do not have access to any accounts in Organimi. If this happens, simply invite them to the Organization as an Admin or to one of the Charts as an Editor or Viewer, or enable default sharing.
Thank you for being an Organimi customer and please contact us at support@organimi.com if you run into any issues or have any questions that are not covered in this document or are beyond the scope of this document.