Version: Next

JumpCloud SSO Setup

This guide walks through configuring SAML 2.0 single sign-on between JumpCloud and SyVault. You will need JumpCloud admin access and SyVault Owner or Admin privileges.

Prerequisites

  • SyVault organization on a Business or Enterprise plan
  • JumpCloud admin account with permission to create SSO applications
  • Your SyVault organization slug (found in Admin Console > Settings)

Step 1: Create a Custom SAML Application in JumpCloud

  1. Log in to the JumpCloud Admin Portal at console.jumpcloud.com.
  2. Navigate to SSO Applications in the left sidebar.
  3. Click + Add New Application.
  4. Select Custom SAML App from the application list.
  5. Enter SyVault as the Display Label.
  6. Optionally upload the SyVault logo.
  7. Click Activate to proceed to configuration.

Step 2: Configure SAML Settings

In the SSO tab of the new application, enter the following values:

| Field | Value |
|---|---|
| IdP Entity ID | Leave as the JumpCloud default (auto-generated) |
| SP Entity ID | syvault:<your-org-slug> (e.g., syvault:acme-corp) |
| ACS URL | https://api.syvault.com/api/auth/saml/acs |
| SAMLSubject NameID | email |
| SAMLSubject NameID Format | urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress |
| Signature Algorithm | RSA-SHA256 |
| Sign Assertion | Checked |
| Default RelayState | Leave blank |
| Login URL | https://vault.syvault.com/login?sso=<your-org-slug> |

Tip: The SP Entity ID must be exactly syvault:<your-org-slug> with no trailing slashes or spaces. A mismatched Entity ID is the most common cause of SSO configuration failures.

Step 3: Configure Attribute Mapping

Scroll to the User Attribute Mapping section and add the following attributes:

| Service Provider Attribute Name | JumpCloud Attribute Name |
|---|---|
| email | email |
| firstName | firstname |
| lastName | lastname |

These attributes are sent in the SAML assertion and used by SyVault to identify and provision the user session.

Step 4: Download IdP Metadata

  1. Still on the SSO tab, scroll to the JumpCloud Metadata section.
  2. Click Export Metadata to download the IdP metadata XML file.
  3. Save this file -- you will upload it to SyVault in the next step.

Alternatively, copy the IDP URL, which serves the metadata dynamically.

Step 5: Configure SyVault

  1. Open the SyVault Admin Console > SSO & SCIM > SAML SSO.
  2. Paste the IDP URL or upload the downloaded metadata XML file.
  3. SyVault will automatically extract:
    • IdP SSO URL
    • IdP Issuer / Entity ID
    • X.509 signing certificate
  4. Verify the extracted values look correct.
  5. Click Save Configuration.

Step 6: Assign Users and Groups

Back in the JumpCloud Admin Portal:

  1. In the SyVault application, click the User Groups tab.
  2. Select the user groups that should have SSO access to SyVault.
  3. Alternatively, click the Users tab to assign individual users.
  4. Click Save.

Warning: Only users who are also members of your SyVault organization can complete SSO login. Assigning a user in JumpCloud who has not been invited to SyVault will result in a login error. Use SCIM provisioning to automate member creation when users are assigned in JumpCloud.

Step 7: Test SSO Login

  1. In the SyVault Admin Console, click Test Connection. This opens a new browser window, sends a SAML AuthnRequest to JumpCloud, and verifies the response.
  2. If the test succeeds, you will see a green confirmation message with the authenticated email address.
  3. For a full end-to-end test: open a private/incognito browser window, go to the SyVault login page, click Login with SSO, enter your organization slug, and authenticate through JumpCloud.
  4. After successful authentication, you will be redirected back to SyVault and prompted for your master password.

Troubleshooting

| Symptom | Likely Cause | Fix |
|---|---|---|
| "Invalid audience" error | SP Entity ID mismatch | Verify the SP Entity ID in JumpCloud matches syvault:<org-slug> exactly |
| "Signature validation failed" | Certificate mismatch or rotation | Re-download the IdP metadata and re-upload to SyVault |
| "User not found" error | User not a SyVault member | Invite the user to SyVault or enable SCIM provisioning |
| Redirect loop | RelayState issue | Ensure Default RelayState is blank in JumpCloud |
| SAML response timeout | Clock skew between servers | Ensure JumpCloud and SyVault server clocks are within 5 minutes |
| "App not configured" in JumpCloud | User not assigned to the app | Assign the user or their group to the SyVault application |

Info: JumpCloud supports SCIM 2.0 for automated user provisioning. Once SAML SSO is configured, you can enable SCIM to automatically create and deactivate SyVault members when users are assigned or removed in JumpCloud. See SCIM Provisioning for setup instructions.