Configure Single Sign-On between JumpCloud and Atomicwork using SAML 2.0. Once complete, your users sign in to Atomicwork with their existing JumpCloud credentials — no separate password, with centralized access control through your JumpCloud directory.
Why use JumpCloud SAML SSO
Enabling JumpCloud SAML SSO offers:
Single sign-on: Users log in with their JumpCloud credentials, removing the need for a separate Atomicwork password.
Improved security: Authentication is handled by JumpCloud, so passwords stay inside your identity provider — Atomicwork never sees or stores them.
Before you begin
You need:
A JumpCloud account with Administrator privileges.
Org admin access on Atomicwork.
Only one SSO provider can be active at a time. If you already have another SSO provider enabled (Azure AD, Okta, Google, or another option), disable it before enabling JumpCloud SSO.
Navigate to Settings > Security in your Atomicwork tenant in a second browser tab before you start. Atomicwork pre-populates two values — the SP Entity ID and the ACS URL — that you'll paste into JumpCloud.
How the values flow
Atomicwork → JumpCloud: Copy the SP Entity ID and the ACS URL from the Atomicwork Security page into the JumpCloud custom SAML connector.
JumpCloud → Atomicwork: Copy the JumpCloud IdP metadata URL and paste it into the matching field in Atomicwork.
Set up JumpCloud SAML SSO
Step 1: Create a custom SAML application in JumpCloud
Sign in to the JumpCloud Admin Portal.
From the left navigation, open User Authentication > SSO Applications.
Click + Add New Application, then choose Custom SAML Application.
In the General Info tab, enter a display name (for example, "Atomicwork") and click Next.
Step 2: Enter the SP Entity ID and ACS URL
In Atomicwork, open Settings > Security > JumpCloud SSO. Atomicwork displays the SP Entity ID and the ACS URL — these are the values you'll paste into JumpCloud.
In the JumpCloud SSO tab, paste the SP Entity ID from Atomicwork into the SP Entity ID field.
Paste the ACS URL from Atomicwork into the ACS URL field. Leave this as the only ACS URL (index 0) — do not add a second one.
Only one ACS URL is needed. Atomicwork uses JumpCloud's default (index 0) ACS URL for all sign-ins. A second ACS URL won't be used and can cause confusion later.
Step 3: Configure assertion signing and NameID format
Under SAMLSubject NameID, choose email.
Set SAMLSubject NameID Format to urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress.
Set Sign (or Signature) to Assertion. If JumpCloud only offers a combined option, choose Response & Assertion (also labeled Both in some JumpCloud versions).
Required: sign the assertion. Atomicwork only accepts SAML assertions that are signed at the assertion level. If JumpCloud is configured to sign only the outer SAML Response (without signing the assertion inside it), the integration will fail at install time with an error asking you to set Sign = Assertion in JumpCloud.
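To see which signing mode JumpCloud is actually using, you can inspect a captured SAML response. The following is an added example, not Atomicwork or JumpCloud code: it assumes the response is base64-encoded as in the SAML HTTP-POST binding, the function names are hypothetical, and the sample responses are constructed with empty placeholder signatures.

```python
import base64
import xml.etree.ElementTree as ET  # for untrusted XML, prefer a hardened parser such as defusedxml

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"


def inspect_saml_response(b64_response: str) -> dict:
    """Report where signatures sit and whether the NameID format is emailAddress.

    Structural check only: no signature is verified cryptographically.
    """
    root = ET.fromstring(base64.b64decode(b64_response))
    assertion = root.find("saml:Assertion", NS)
    name_id = None
    if assertion is not None:
        name_id = assertion.find("saml:Subject/saml:NameID", NS)
    return {
        # find() with a plain tag matches direct children only, so a signature
        # nested inside the assertion does not count as a response signature.
        "response_signed": root.find("ds:Signature", NS) is not None,
        "assertion_signed": assertion is not None
        and assertion.find("ds:Signature", NS) is not None,
        "nameid_format_ok": name_id is not None
        and name_id.get("Format") == EMAIL_FORMAT,
    }


def build_sample(sign_response: bool, sign_assertion: bool) -> str:
    """Constructed response with placeholder signature elements (sample data)."""
    sig = '<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>'
    xml = (
        '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
        + (sig if sign_response else "")
        + "<saml:Assertion>"
        + (sig if sign_assertion else "")
        + f'<saml:Subject><saml:NameID Format="{EMAIL_FORMAT}">'
        + "user@example.com</saml:NameID></saml:Subject>"
        + "</saml:Assertion></samlp:Response>"
    )
    return base64.b64encode(xml.encode()).decode()
```

A result with `response_signed` true and `assertion_signed` false corresponds to the response-only signing mode that Atomicwork rejects.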
Step 4: Confirm the attribute mappings
Under Attributes, add the following three mappings using the standard JumpCloud Basic attribute format:
Service Provider Attribute Name | JumpCloud Attribute Name |
|
|
|
|
|
|
Click Activate to save the application.
Step 5: Copy the JumpCloud IdP metadata URL
After activating the application, JumpCloud exposes an IdP metadata URL that contains its signing certificate, sign-in endpoints, and entity ID — everything Atomicwork needs to trust JumpCloud.
Open the application you just created in JumpCloud.
Under the SSO tab, locate JumpCloud Metadata URL (sometimes labeled IdP Metadata URL).
Copy the URL — you'll paste it into Atomicwork in the next step.
Step 6: Paste the metadata URL into Atomicwork
Switch back to the Atomicwork JumpCloud SSO page.
Paste the JumpCloud Metadata URL into the JumpCloud SAML metadata URL field.
Click Connect to activate SSO for your organization.
Atomicwork imports the metadata, validates that the signing certificate is present, and activates the integration. If validation fails, you'll see a specific error indicating what to fix in JumpCloud.
Step 7: Assign users in JumpCloud
In JumpCloud, open the application you created and switch to the User Groups tab.
Assign the user groups (or individual users) that should be able to sign in to Atomicwork.
Step 8: Test the sign-in
Open an incognito browser window and navigate to your Atomicwork workspace login page. Click Continue with SSO (or equivalent) and enter your work email. You should be redirected to JumpCloud, authenticate, and land back inside Atomicwork.
Troubleshooting
Symptom | Cause | Resolution |
Install fails with "set Sign = Assertion in JumpCloud" | JumpCloud is signing only the outer SAML Response, not the assertion itself. | In your JumpCloud SAML application, change the Sign setting to Assertion or Response & Assertion (Both). Save, then click Connect again in Atomicwork. |
"Enable" button is disabled with a tooltip about an existing SSO provider | Another SSO provider (Azure AD, Okta, Google, etc.) is already active. Only one SSO can be enabled at a time. | Disable the existing SSO provider in Settings > Security first, then enable JumpCloud SSO. |
"JumpCloud SSO is not enabled for this tenant" | JumpCloud SSO is not yet available on your Atomicwork workspace. | Contact Atomicwork support to enable JumpCloud SSO for your workspace. |
"Invalid signature" or "Signature validation failed" after JumpCloud sign-in | The JumpCloud metadata URL was copied while a certificate change was in flight, or the signing certificate is missing from JumpCloud's metadata. | Re-copy the JumpCloud Metadata URL from your JumpCloud application and paste it again in Atomicwork. Confirm assertion signing is still enabled in JumpCloud. |
Loop back to the sign-in page | A mismatched ACS URL, often caused by a trailing space or by the ACS URL being added at a non-zero index in JumpCloud. | Verify the ACS URL in JumpCloud matches the one shown in Atomicwork exactly. Make sure it's the only ACS URL configured. |
Email or name missing in the user profile | The attribute mappings in JumpCloud are missing or use unexpected names. | In JumpCloud, open the application's Attributes tab and confirm the three mappings — |
User can authenticate but can't access Atomicwork | The user isn't assigned to the JumpCloud SAML application. | In JumpCloud, open the application's User Groups tab and assign the user (or a group containing them). |
Related articles
If you also use JumpCloud for user provisioning and identity management, see JumpCloud: Overview and setup.
