Issue using SAML auth provider with Jumpcloud
Created by: beyang
From a user:
I'm using JumpCloud as my IdP. But there's no application for Sourcegraph on JumpCloud.
So I'm setting up custom SAML. But it's not working as I intended…
I followed the following guide and set the following fields.
https://support.jumpcloud.com/customer/en/portal/articles/2551066-single-sign-on-sso-with-generic-saml-2-0-connector
IDP ENTITY ID: Jumpcloud
IDP PRIVATE KEY: I used my own private key, which is used in other JumpCloud applications.
IDP CERTIFICATE: I used my own certificate, which is used in other JumpCloud applications.
SP ENTITY ID: sourcegraph-sp
ACS URL: https://sourcegraph.example.com/.auth/saml/acs
SP CERTIFICATE: I generated a new certificate for Sourcegraph, encoded as X.509.
SAMLSUBJECT NAMEID: email (default)
SAMLSUBJECT NAMEID FORMAT: urn:oasis:names:tc:SAML:2.0:nameid-format:persistent (I chose it from the dropdown list)
CONSTANT ATTRIBUTES: Added nothing.
USER ATTRIBUTES: Added nothing.
SIGNATURE ALGORITHM: RSA-SHA256
SIGN ASSERTION: true
DEFAULT RELAYSTATE: (Empty)
IDP-INITIATE URL: (Empty)
DECLARE REDIRECT ENDPOINT: (Unchecked)
IDP URL: https://sso.jumpcloud.com/saml2/sourcegraph
In the Sourcegraph management console:
```json
{
  "type": "saml",
  "IdentityProviderMetadataURL": "https://console.jumpcloud.com/api/organization/my-organization-id/applications/my-sourcegraph-saml-application-id/metadata.xml",
  "nameIdFormat": "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
  "serviceProviderCertificate": "-----BEGIN CERTIFICATE----- ..",
  "serviceProviderPrivateKey": "-----BEGIN PRIVATE KEY----- …."
}
```
There are two questions.
1. Have I set the right settings?
2. When I set serviceProviderCertificate and serviceProviderPrivateKey to my new private key and certificate, it shows a regex validation error.
But the certificate string starts with "-----BEGIN CERTIFICATE----- ", and so does the private key.
How can I copy the certificate file into the settings?
I used this command: $ echo $(cat server.key)
And I generated the keys with the following commands:
$ openssl genpkey -out rsakey.pem -algorithm RSA -pkeyopt rsa_keygen_bits:2048
$ openssl req -new -key rsakey.pem -out server.csr
$ openssl x509 -req -days 365 -in server.csr -signkey rsakey.pem -out server.crt
Secondary issue: see if we can add out-of-the-box Sourcegraph configurations to JumpCloud, Okta, and other ID providers.
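As an added example (not from the issue, and not Sourcegraph's or JumpCloud's own code), assuming the `serviceProviderCertificate` and `serviceProviderPrivateKey` values must hold the PEM text with its line breaks encoded as `\n` inside the JSON string, and that `echo $(cat server.key)` trips the pattern check because it flattens those line breaks into spaces: a shell script that converts the PEM files correctly and confirms the certificate really belongs to the key before either is pasted into the config. `pem_to_json_string`, `saml_sp_fields_json` and `cert_matches_key` are hypothetical helper names, and the demo PEM is constructed, not a real certificate.

```shell
#!/usr/bin/env bash
# Added example, not from the original issue. Converts PEM files into
# JSON string values with their line breaks kept as "\n" escapes, and
# checks that a certificate and key belong together. Assumes awk and
# (for cert_matches_key only) openssl are installed.

# Join the lines of a PEM file with a literal "\n" so the multi-line
# block survives as one JSON string. `echo $(cat file)` instead turns
# the newlines into spaces, which corrupts the PEM framing.
pem_to_json_string() {
  awk '{ sub(/\r$/, "") }
       NF == 0 { next }
       { printf "%s%s", (n++ ? "\\n" : ""), $0 }
       END { printf "\n" }' "$1"
}

# Emit the two certificate fields of the "saml" provider block from the
# certificate file ($1) and the private key file ($2).
saml_sp_fields_json() {
  printf '  "serviceProviderCertificate": "%s",\n  "serviceProviderPrivateKey": "%s"\n' \
    "$(pem_to_json_string "$1")" "$(pem_to_json_string "$2")"
}

# Succeed only if the certificate ($1) and private key ($2) carry the
# same public key, i.e. the cert was actually issued for that key.
cert_matches_key() {
  local cert_pub key_pub
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
  [ "$cert_pub" = "$key_pub" ]
}

# Demo on a constructed, PEM-shaped placeholder (not a real certificate).
demo_pem=$(mktemp)
printf -- '-----BEGIN CERTIFICATE-----\nQUJDREVG\n-----END CERTIFICATE-----\n' > "$demo_pem"
pem_to_json_string "$demo_pem"
# prints: -----BEGIN CERTIFICATE-----\nQUJDREVG\n-----END CERTIFICATE-----
rm -f "$demo_pem"
```

Run `cert_matches_key server.crt rsakey.pem && saml_sp_fields_json server.crt rsakey.pem` against the files produced by the openssl commands above to get fields you can paste straight into the config.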