Pinpoint now supports SAML providers for Single Sign On. Please note that our current implementation does not yet support Just in Time account creation. This means that a user will only be logged in to Pinpoint if their account has already been created. This guide does, however, configure JumpCloud in advance to send the user's First and Last name when authenticating, so that Just in Time creation is possible in the future.
Steps to configure Pinpoint
1. Log in to Pinpoint as a user who has the role of Company Manager.
2. On the left-hand side, in the menu under Settings, click Integrations:
3. If you do not see the SAML Integration listed, please contact your Pinpoint service representative and ask them to enable the SAML integration for your company:
4. Click Configure on the SAML Authentication integration:
5. You will be shown a list of URLs. At this stage we suggest you open an additional window and follow the steps in JumpCloud until the next section. You will be copy-pasting these details into JumpCloud.
Steps to configure JumpCloud
1. Log in to JumpCloud Administrator.
2. Go to JumpCloud Applications:
3. Click 'Add Application' (green plus):
4. Select 'Custom SAML App' at the bottom of the screen:
5. Fill in:
- Display label: Pinpoint
- IdP Entity ID: JumpCloud
- SP Entity ID: [Copy Entity ID from Pinpoint]
- ACS URL: [Copy Consumer URL from Pinpoint]
- SAMLSubject NameID: email
- SAMLSubject NameID Format: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
- Signature algorithm: RSA-SHA256
- Sign Assertion: Tick
- Declare Redirect Endpoint: Tick
- IDP URL: This is up to you, but pinpoint would usually suffice.
- Attributes → User Attribute Mapping → Add Attribute:
6. Click Activate
7. Click Continue
8. Click back into the Pinpoint application
9. Click the caret to open the Single-Sign On Settings
10. Click on Export Metadata
11. Open this metadata XML file and copy the contents:
Back over to Pinpoint
1. Paste the contents of the XML file into the Metadata field and press Save:
2. Contact your Pinpoint service representative and let them know you have completed this step. They will then activate the integration.
Back to JumpCloud
1. Configure user access to the Pinpoint application via your own internal policies. In my screenshot examples, I have created a group called Pinpoint, and I have added one user (myself) and one application (Pinpoint):
2. Once the Pinpoint representative has enabled the integration, and you have set up the groups who have access to the JumpCloud application, you will be able to log in.
3. Test this out by logging out of both Pinpoint and JumpCloud Admin. If you then switch back to the JumpCloud User Portal, clicking on the Pinpoint link should now log you in automatically:
4. Please note that if a user does not yet have an account in Pinpoint, they will see a notice screen instead. Add this user to Pinpoint manually for single sign-on to work: