SSO with JumpCloud

JumpCloud is the preferred IdP for many MSPs because it unifies directory + device + SSO in one product. Vectis integrates via OIDC or SAML — OIDC is the simpler setup.

What you’ll need

  • JumpCloud admin access
  • Vectis admin role (configured at Admin → SSO)
  • The JumpCloud user group whose members should be able to log into Vectis

Option A – OIDC (recommended)

  1. In the JumpCloud admin console, go to SSO Applications → Get Started. Pick Custom OIDC App.
  2. Name it Vectis. Upload a logo if you want a branded login picker in the JumpCloud user console.
  3. Under SSO:
    • Redirect URIs — paste the Vectis OIDC redirect URI (ends in /api/auth/callback/sso-oidc).
    • Login URL — set to your Vectis instance URL so the JumpCloud user console launches directly into login.
    • Client Authentication Type: set to Client Secret Post.
    • Standard Scopes — check openid, profile, email.
  4. Save. JumpCloud shows the Client ID and Client Secret. Copy both immediately — the secret is only shown once.
  5. Attach the user group(s) that should be able to log in. Under User Groups on the app page, add your Vectis-operators group.
  6. In Vectis Admin → SSO, pick OIDC. Paste the client ID and secret. For Issuer URL, use https://oauth.id.jumpcloud.com/. Leave endpoint overrides blank. Save and test.

Option B – SAML 2.0

  1. In JumpCloud, go to SSO Applications → Get Started and pick Custom SAML App.
  2. Name it Vectis. On the SSO tab:
    • IdP Entity ID — keep JumpCloud’s auto-populated value.
    • SP Entity ID — use the Vectis SAML ACS URL (or a distinct human-readable value that you’ll also enter into Vectis’s SP Entity ID field).
    • ACS URL — paste the Vectis SAML ACS URL (ends in /api/auth/sso/saml/callback).
    • SAMLSubject NameID — set to email.
    • SAMLSubject NameID Format: set to urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress.
    • Sign the Response (not just the Assertion). Vectis requires both to be signed.
  3. Under Attributes, add email mapped to the user’s email and displayName mapped to their display name (or concatenated first+last).
  4. Save. JumpCloud shows the IDP URL and an IDP Certificate (click download to get the PEM). Copy both.
  5. In Vectis Admin → SSO, pick SAML. Paste the IDP URL into SSO Entry Point URL and the PEM certificate into IdP Certificate. Save.

JumpCloud also supports device-trust policies that can gate SSO on a managed, compliant device. Vectis doesn’t need anything specific for this — the policy runs at the IdP before the assertion ever reaches us.

Troubleshooting

  • “user not in group” on login — the JumpCloud user isn’t attached to the app’s user group. Add them in User Groups.
  • Assertion not signed — the JumpCloud SAML app defaults to signing the Assertion only. Vectis requires signing the Response too. Flip Sign Response to true in the SSO tab.
  • Zombie group attachments — if a user leaves the group, JumpCloud revokes SSO on the next login, but their Vectis account remains with the role they had. Use Admin → Users to deactivate them in Vectis too.

Still stuck?

Email support@mspvectis.com with the error message and we’ll unblock you.