Skip to Content

Integrate OneLogin SSO with jumpserver

273  Manu Chacko November 30, 2021  Productivity & Efficiency Features, Tweaks & Configuration

Note: SAML is an authentication mechanism for web applications. It's based on web protocols and it cannot be used for user authentication over SSH.

 

1. Login to OneLogin and Add Application.

 

 

2. Search for SAML TEST and select SAML Test Connector (Advanced)

 

3. Change the Display name and save 

4. Select the configuration tab from the right panel and fill in the Application details

 

      Audience (EntityID)Entity ID ( you can find it from ezeelogin GU > Settings > SAML)     

     Recipient  - Assertion Consumer Service URL ( you can find it from ezeelogin GU > Settings > SAML)

     ACS (Consumer) URL Validator - Entity ID ( you can find it from ezeelogin GU > Settings > SAML)

     ACS (Consumer) URL

     Single Logout URL - Single Logout Service URL  ( you can find it from ezeelogin GU > Settings > SAML)   

 

5. Select the SSO tab from the right panel & Copy the Issuer URL and paste it  to Metadata URL  on Ezeelogin GUI > Settings > SAML Metadata URL 

 

6. Click on the fetch button, it will be auto-fill the SAML setting and SAVE it

7.  Select users tab from left panel and click on new user then provide first name, last name and email to save the user.

8.  Select applications from left panel and click on add icon to map application to user.

9.  Select application from drop down and then save application.

 

10.  Change Web panel Authentication to SAML from Ezeelogin GUI > Settings > General >Authentication

 
11. Enable Auto Create User from Ezeelogin GUI -> Settings -> General -> Security -> Enable Auto Create User

 

12. Login to Ezeelogin GUI with SAML authentication .
 
13. After logging into GUI, you need to reset the password and security code of the SAML user under Account -> Password in order to SSH to Ezsh shell.
 
14. After resetting the password and security code you can ssh to the Ezsh shell (using Terminal or putty)with the saml username as shown below in the screenshot
 
15. If you are SSH ing with 2FA  enabled using Putty or Terminal it would prompt you to enter the 2FA codes, The 2FA step can be disabled for SAML Authentication under Settings > Two Factor Authentication> Skip Two Factor Authentication for SAML. The user will be able to ssh without being prompted for the 2FA codes only if the user is logged into the web panel, otherwise if the user is not logged into the webpanel it would prompt for the 2FA codes.
 
We would recommend you to use the webssh shell when you are using SAML authentication. Using webssh shell is a lot more convenient as you would not have to worry about the SSH password or the security code for the users.

Set up webssh console in Ezeelogin and ssh via browser

You need to add different email address for each users. By default ezeelogin uses email address for creating users. 

If you want to add an existing user in ezeelogin to SSO, Add the user with exact username, email address  as follows. (Ezeelogin will verify with the email address of the users by default). Make sure to add the email address for the Ezeelogin Administrator user.

          Saml authentication is not supported for slave  if the URL is IP based. If you want to authenticate  slave using saml you have to use domain name
Rating: 5 (1 Votes)