Jumpcloud SaaS App Gating
Let's configure Jumpcloud to only allow access to SaaS Applications when behind Twingate.
SaaS app gating with Twingate and Jumpcloud enables you to require an authorized connection to a Twingate Connector as a prerequisite for IdP Auth to a SaaS Resource. This is similar in concept to IP whitelisting inside a SaaS app, but the IP check and approval/disapproval happens at the IdP Authentication stage instead of being configured in the SaaS application directly.
Twingate Admin Console Prerequisites
As this use case is dependent on an IP address associated with one or more Twingate Connectors, the first step is to create a Twingate Resource associated with your organization’s Jumpcloud and associating that Resource with one or more Groups. Doing this means that authorized users attempting to authenticate through Jumpcloud will be coming from the exit IP address associated with the Twingate Remote Network used to enable connectivity to the new Resource. This is the IP address you’ll use as part of the Jumpcloud Conditional Access Policy configuration.
Multiple Connectors will usually be behind a NAT gateway and hence present a single public IP address. If your Connectors are not behind a NAT for outbound Internet access, then you may need to add multiple IP addresses to the zone. (This is not common.)
Create an IP List
- Log in to the Jumpcloud Admin Portal
- Go to SECURITY MANAGEMENT > Conditional Lists
- Click ( + )
- Give a name for List Name such as
- Enter the publicIP address(es) associated with the Twingate Connectors. (Note: You can use a combination of individual addresses, CIDR notation, and a range in the same IP list.)
- Click save.
Create a Conditional Access Policy
From the Jumpcloud Admin Portal:
- Go to SECURITY MANAGEMENT > Conditional Policies.
- Click ( + ), then select SSO Applications.
- Enter a unique Policy Name.
- Select SSO Applications for which the policy should apply.
- Select Users & Groups for which the policy should apply.
- Select all if every condition must be met for the policy to apply.
- Add an IP List Condition: Click add conditions, then select IP List corresponding to Twingate Connectors.
- Click create policy.
You will find more information in the Jumpcloud Documentation with their guide to managing IP Lists and guide to Access Policies for SSO Apps.
Last updated 18 hours ago