SaaS app gating with Twingate and Jumpcloud enables you to require an authorized connection to a Twingate Connector as a prerequisite for IdP Auth to a SaaS Resource. This is similar in concept to IP whitelisting inside a SaaS app, but the IP check and approval/disapproval happens at the IdP Authentication stage instead of being configured in the SaaS application directly.

Twingate Admin Console Prerequisites

As this use case is dependent on an IP address associated with one or more Twingate Connectors, the first step is to create a Twingate Resource associated with your organization’s Jumpcloud and associating that Resource with one or more Groups. Doing this means that authorized users attempting to authenticate through Jumpcloud will be coming from the exit IP address associated with the Twingate Remote Network used to enable connectivity to the new Resource. This is the IP address you’ll use as part of the Jumpcloud Conditional Access Policy configuration.

Create an IP List

• Log in to the Jumpcloud Admin Portal
• Go to SECURITY MANAGEMENT > Conditional Lists
• Click ( + )
• Give a name for List Name such as Twingate Connectors
• Enter the publicIP address(es) associated with the Twingate Connectors. (Note: You can use a combination of individual addresses, CIDR notation, and a range in the same IP list.)
• Click save.

Create a Conditional Access Policy

From the Jumpcloud Admin Portal:

• Go to SECURITY MANAGEMENT > Conditional Policies.
• Click ( + ), then select SSO Applications.
• Enter a unique Policy Name.
• Select SSO Applications for which the policy should apply.
• Select Users & Groups for which the policy should apply.
• Select all if every condition must be met for the policy to apply.
• Add an IP List Condition: Click add conditions, then select IP List corresponding to Twingate Connectors.
• Click create policy.