SAML2 Authentication
Note: SAML2 authentication is a feature of JumpServer Enterprise Edition.
Tip
- Single sign-on with SAML2.
1 Configure Authentication
- Click Authentication Configuration in the left-side menu of the Setting page, then select Enable for SAML2 authentication.
Attention
- If no trusted certificate is available, generate one manually:
openssl genrsa -out server.key 2048 # The generated file is the private key.
openssl req -new -x509 -days 3650 -key server.key -out server.crt -subj "/C=CN/ST=mykey/L=mykey/O=mykey/OU=mykey/CN=domain1/CN=domain2/CN=domain3" # The self-signed certificate
- Get the SP metadata
- Visit http://your_jms_url/core/auth/saml2/metadata/ and save the metadata content (it can be saved to a file and imported into the IdP directly).
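Before importing the saved SP metadata into the IdP it is worth checking what it actually advertises: the entityID and AssertionConsumerService URL should use https and point at your JumpServer host, and the signing certificate fingerprint should match what the IdP shows after import. The following added example (not JumpServer's own code) parses a constructed metadata document with the standard library; the host name, the callback path and the certificate body are placeholders, not real JumpServer values.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Namespaces used by SAML2 metadata documents.
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample shaped like the document /core/auth/saml2/metadata/ returns.
# Host, callback path and certificate body are placeholders (assumptions).
SAMPLE_SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://jms.example.internal/core/auth/saml2/metadata/">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>UExBQ0VIT0xERVItTk9ULUEtUkVBTC1DRVJU</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:AssertionConsumerService index="1"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://jms.example.internal/core/auth/saml2/callback/"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def parse_sp_metadata(xml_text):
    """Extract the fields an IdP administrator will see after importing the SP metadata."""
    root = ET.fromstring(xml_text)
    sp = root.find("md:SPSSODescriptor", NS)
    acs = sp.find("md:AssertionConsumerService", NS)
    cert_el = sp.find("md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    # Metadata may wrap the base64 body; strip all whitespace before decoding.
    cert_der = base64.b64decode("".join(cert_el.text.split())) if cert_el is not None else b""
    digest = hashlib.sha256(cert_der).hexdigest().upper()
    return {"entity_id": root.get("entityID"),
            "acs_url": acs.get("Location"),
            "acs_binding": acs.get("Binding"),
            "want_assertions_signed": sp.get("WantAssertionsSigned") == "true",
            "cert_der": cert_der,
            # Colon-separated SHA-256 fingerprint, the form most IdP consoles display.
            "cert_sha256": ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))}


def check_sp_metadata(info, expected_host):
    """Return the problems to fix before handing the metadata to the IdP (empty list = clean)."""
    problems = []
    for label in ("entity_id", "acs_url"):
        url = urlparse(info[label])
        if url.scheme != "https":
            problems.append(f"{label} is not https: {info[label]}")
        if url.hostname != expected_host:
            problems.append(f"{label} host {url.hostname!r} does not match {expected_host!r}")
    if not info["cert_der"]:
        problems.append("no signing certificate in metadata")
    if not info["want_assertions_signed"]:
        problems.append("WantAssertionsSigned is not true")
    return problems
```

Run it against the real metadata file you saved and compare the printed fingerprint with the certificate shown in the Keycloak client after import.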
2 Configure IDP
Tip
- Keycloak is used as the example IdP.
- Create a realm, set Name to a custom value, then click Save.
- Click Client on the left, then click Create in the upper right corner to create a new client.
- Import the SP metadata file you just saved, then click Save.
- Click the Settings submenu of the Client menu to modify the configuration: set Client Signature Required to OFF, and set IDP Initiated SSO URL Name to the address given as Target IDP initiated SSO URL.
- Click Add Roles in the Roles submenu; the role name can be customized.
- Click the Mappers submenu to create the following attribute mapping.
- Click the Scope submenu, then configure the following:
- Click Users in the left-side menu, then create a new user at the upper right corner.
- Click the Credentials submenu, then set the password of the newly created account.
- Click the left-side menu item "Realm Settings", select the "General" sub-menu, then navigate to the location indicated in the image below to access the Metadata for the IDP. Alternatively, refer to the official documentation to retrieve the Metadata using the API.
3 Configure SAML2
- Once you have obtained the IDP Metadata, enter it into JumpServer's SAML2 authentication settings and enable SAML2 authentication.