Skip to main content

Connecting Single Sign-On (SSO/SAML) & Juro

Integrate Juro with your SSO platform to automate platform access and streamline account creation

Tom Langley avatar
Written by Tom Langley
Updated over a month ago

Contents πŸš€

  1. Introduction

  2. Enabling SSO/SAML

    1. For Okta customers

    2. For Microsoft SSO (e.g. Azure, Entra, ADFS) customers

    3. For Customers using other SSO providers (e.g. JumpCloud, OneLogin) 🌞

  3. Enabling provisioning

    1. SCIM provisioning with Okta

    2. SCIM provisioning with Microsoft

    3. Features supported by SCIM

  4. Enforcing SSO logins

Introduction πŸ‘‹

You can automate platform access, streamline account creation and enhance your security profile by connecting your SSO instance to Juro.
​
Juro offers SSO/SAML functionality across SSO providers, and SCIM for Okta and Microsoft customers specifically.

Enabling SSO/SAML πŸ”‘

πŸ’‘ NOTE: Only users with Organisation Admin privileges in Juro and your SSO platform can enable/request the enablement of SSO/SAML for your Juro environment.

For Okta customers β˜€οΈ

To enable SSO through your Okta instance:

  1. Go to Juro's Okta integration on Okta's website.

  2. Click + Add Integration and select your Okta org.

  3. Set the subdomain to app.

  4. Go to the Sign On tab of the added application configuration and select View Setup Instructions; you'll be directed to a page similar to this one.

  5. In the AUTOMATIONS tab in Juro, open the Integrations portal and click the SAML SSO panel.
    ​
    Where the panel says Get in touch, please contact the Juro Support Team to enable this feature for you.
    ​

  6. Once SSO is enabled, paste your metadata URL into the URL field and click Connect.
    ​

After these steps are complete, your users can log in to Juro through SSO by clicking Sign in with SSO after they have been added to Juro through Settings > Members & Groups > + Add Members.

For Microsoft SSO (e.g. Azure, Entra, ADFS) customers πŸŒ”

πŸ’‘ NOTE: As well as being a Juro Org Admin, you must be a Cloud Application Administrator in your Microsoft SSO environment.

To enable SSO through Azure, in your Azure Active Directory:

  1. Click Enterprise Applications, + New application, and finally + Create your own application.

  2. Set "Juro" as the Input name and check the Integrate any other application you don't find in the gallery (Non-gallery) option.
    ​

  3. Click Manage, then Single sign-on and select SAML
    ​

  4. In the Basic SAML Configuration panel on the right, configure the following Juro-related information:
    ​
    Identifier (Entity ID): https://app.juro.io

    Reply URLs (Assertion Consumer Service URL):
    ​
    ​https://app.juro.com/api/auth/saml/onboarding/callback
    ​https://sandbox.juro.io/api/auth/saml/callback
    ​https://sandbox.juro.io/api/auth/saml/onboarding/callback
    ​https://test.juro.io/api/auth/saml/callback
    ​https://test.juro.io/api/auth/saml/onboarding/callback
    ​https://preprod.juro.io/api/auth/saml/callback
    ​https://preprod.juro.io/api/auth/saml/onboarding/callback

  5. Set https://app.juro.com/api/auth/saml/callback as the default
    ​

  6. Next, configure the Attributes & Claims and input the following information into the Claim name, which is under Additional claims:
    ​
    - For email, the value will be user.mail.

    - For firstName, the value will be user.givenname

    - For lastName, the value will be user.surname

  7. Finally, on the SAML Signing Certificate page, copy the App Federation Metadata Url
    ​

  8. In the AUTOMATIONS tab in Juro, open the Integrations portal and click the SAML SSO panel.
    ​
    Where the panel says Get in touch, please contact the Juro Support Team to enable this feature for you.
    ​

  9. Once SSO is enabled, paste your metadata URL into the URL field and click Connect.
    ​

After these steps are complete, your users can log in to Juro through SSO by clicking Sign in with SSO after they have been added to Juro through Settings > Members & Groups > + Add Members.

Customers using other SSO providers (e.g. JumpCloud, OneLogin) 🌞

To enable SSO for other providers apart from Okta or Microsoft:

  1. Configure a Claim nameID with the user's email as the value.

  2. Configure the following Juro-related information:
    ​
    - Service Provider Identifier (Issuer ID, Entity ID): https://app.juro.io

    - Assertion Consumer Service URL: https://app.juro.com/api/auth/saml/callback

  3. Whitelist the following Juro ACS URLs on your side (this is required to enable different environments):
    ​
    ​https://app.juro.com/api/auth/saml/callback
    ​https://app.juro.com/api/auth/saml/onboarding/callback
    ​https://sandbox.juro.io/api/auth/saml/callback
    ​https://sandbox.juro.io/api/auth/saml/onboarding/callback
    ​https://test.juro.io/api/auth/saml/callback
    ​https://test.juro.io/api/auth/saml/onboarding/callback
    ​https://preprod.juro.io/api/auth/saml/callback
    ​https://preprod.juro.io/api/auth/saml/onboarding/callback

  4. In the AUTOMATIONS tab in Juro, open the Integrations portal and click the SAML SSO panel.
    ​
    Where the panel says Get in touch, please contact the Juro Support Team to enable this feature for you.
    ​

  5. Paste your metadata URL into the URL field and click Connect.
    ​


If you need a regex for whitelisted URLs: ^https:\/\/(app|preprod|sandbox|test)\.juro\.(io|com)\/api\/auth\/saml\/(onboarding\/)?callback$

After these steps are complete, your users can log in to Juro through SSO by clicking Sign in with SSO after they have been added to Juro through Settings > Members & Groups > + Add Members.

Enabling provisioning 🏁

Once SSO/SAML is enabled, it is possible to set up Just-In-Time provisioning, where new users can be assigned to a group when logging in via SSO for the first time.
​

To enable Just-In-Time provisioning:

  1. Confirm which Juro group you would like to add all new users to

  2. Contact the Juro Support Team (which you can do by clicking the Intercom icon in the bottom right-hand corner of this tab) and let them know that you'd like to enable provisioning for your environment.

We'll get back in touch to let you know when provisioning has been enabled (don't worry, this won't take too long). Once provisioning has been enabled, all new users will be assigned to a group of your choice when logging in for the first time.

Enabling SCIM provisioning πŸ€–

πŸ’‘ NOTE: SCIM provisioning can be enabled for Okta and Microsoft SSO (Entra, Azure, etc) customers only.

SCIM allows for a more granular approach to provisioning. SCIM allows you to add members to specific groups from your SSO platform into Juro.

SCIM Provisioning πŸ”§

In the AUTOMATIONS tab in Juro, open the Integrations portal and click the SCIM PROVISIONING panel.


​Where the panel says Get in touch, please contact the Juro Support Team to enable this feature for you.


​

Once connected, Juro will provide you with a unique API key and a base URL.

https://app.juro.com/xapi/scim (base URL)

SCIM provisioning with Okta πŸ”§

  1. In Okta, go to the To App provisioning settings

  2. Enable the Create Users, Update User Attributes and Deactivate Users options

  3. Select email as the Application username format in the Sign On applications tab

  4. Using the accessLevelName attribute, you can set someone as an Org Admin using the org_admin attribute.

  5. Optional: Assign users to the Juro app. For more information on this step, please visit this page.

SCIM Provisioning with Microsoft πŸ”§

  1. In your Microsoft SSO platform, go to the Juro application (created in this step), click Manage and then Provisioning.

  2. Open the Provisioning portal and click Connect your application to open the Admin Credentials form.
    ​
    In the tenant URL field, enter https://app.juro.com/xapi/scim

    In the secret token field, enter the API key provided to you by Juro Support.

  3. Click Test Connection to ensure that there are no errors. If you run into any errors, please contact Juro Support for further guidance.

  4. You'll need at least one group in your Microsoft SSO platform to synchronise with Juro. If you need to create a new group, you can do so by first creating a security-type group. To do this:
    ​
    1. Navigate to Home > Groups | Overview screen
    2. Click New group

    3. Fill in the Group name. Other values can be kept as they are

    4. Click Create.

  5. Next, assign members to the newly created group. To do this:
    ​
    1. Click on the group in the group list
    2. Click Members and then Add members

  6. With the group created, it is time to choose how you would like to provision your users in Juro.
    ​
    There are two options available: Manual provisioning or Automatic provisioning.
    ​
    ​OPTION 1: Manual provisioning will create a group in Juro with all of the users at the click of a button. Any users not present in Juro will be automatically created as Juro users. To set this up:
    ​
    1. Search for the desired group in the Click the 'Provision' button section of your Microsoft SSO interface
    2. Select the users to be provisioned within that group
    3. Click Provision.
    ​
    ​OPTION 2: Automatic provisioning will create the group in Juro and does not require you to click Provision each time a new user is added to the group on Microsoft SSO. To set this up:
    ​
    1. Navigate to Users and groups
    2. Click '+Add user/group' button

    3. Click on β€˜Users and groups’ menu item and using search functionality select the group you wish to be added to the application, so that it and its contents would be auto-provisioned to Juro.

πŸ’‘NOTE: Groups already present in Juro but not linked to a corresponding group in Microsoft Entra will be left intact. Consider removing those if you wish to control provisioning solely via an automatic process.

πŸ’‘NOTE: Currently, direct user assignment and provisioning (as opposed to group assignment and provisioning) don’t trigger any changes in Juro since all permission assignments are done via assigning users to groups.

Features supported by SCIM πŸ‹οΈ

The following provisioning features are supported through SCIM:

  • Push New Users: users created in Okta/Microsoft SSO are also created in Juro and added to your organization

  • Push Profile Updates: updates made to the Okta/Microsoft SSO user profile are pushed to Juro

πŸ’‘ NOTE: the userName attribute update operation is not supported (whenever this attribute is updated a new user will be created instead). The email attribute is also not supported.

  • Push Groups: groups (and their members) in Okta/Microsoft SSO are synchronized to Juro as Juro Groups.

  • Import New Users (Okta only): New users created in Juro will be downloaded and turned into new AppUser objects, for matching against existing Okta users

  • Import Groups (Okta only): Juro Groups from your organization will be imported into Okta as groups

  • Push User Deactivation: deactivating a user or disabling application access in Okta/Microsoft SSO removes the user from all assigned groups in your Juro organization.

Enforcing SSO logins ⏬

You may choose to enforce single sign-on (SSO) logins by disabling username/password or specific login methods like Google SSO. It's recommended to do this only when SSO is fully operational for your Juro workspace.

Contact the Juro Support Team to enforce SSO logins. You can reach them by clicking the Intercom icon in the bottom right-hand corner of this tab and informing them of the following information:

  • If SSO has been set up and fully configured for your Juro Workspace

  • Which login methods to disable (Google, username/password, both, etc)

πŸ’β€β™‚οΈ As always, our Support Team is happy to help you with anything further if needed. Start a chat with us right here by clicking the Intercom button in the bottom-right-hand corner of this page.

Alternatively, you can email your query to support@juro.com πŸš€

Did this answer your question?