How to Configure SaaS App Gating with JumpCloud
How to configure Jumpcloud and Twingate to protect access to SaaS applications
SaaS app gating with Twingate and Jumpcloud enables you to require an authorized connection to a Twingate Connector as a prerequisite for IdP Auth to a SaaS Resource. This is similar in concept to IP whitelisting inside a SaaS app, but the IP check and approval/disapproval happens at the IdP Authentication stage instead of being configured in the SaaS application directly.
Twingate Admin Console Prerequisites
-
Add your IdP’s authentication FQDN as a Resource. As this use case is dependent on an IP address associated with one or more Twingate Connectors, the first step is to create a Twingate Resource associated with your organization’s JumpCloud instance (e.g.,
console.jumpcloud.com
), and associating that Resource with one or more Groups. Doing this means that authorized users attempting to authenticate through JumpCloud will be coming from the exit IP address associated with the Twingate Remote Network used to enable connectivity to the new Resource. This is the IP address you’ll use as part of the JumpCloud Conditional Access Policy configuration. -
Apply a Device-only Policy to Your IdP Resource. A Device-only Resource Policy, when applied to the IdP Resource (e.g.,
console.jumpcloud.com
), allows users to route traffic through the Connector to access the IdP login portal without authentication dependencies that can create access loops. This policy prevents the common “chicken-or-egg” scenario, where users can’t authenticate with the IdP because network access to the IdP portal requires prior authentication via Twingate. By allowing users to reach the IdP through a Device-only policy, they can meet sign-on requirements without encountering this authentication loop.
Multiple Connectors will usually be behind a NAT gateway and hence present a single public IP address. If your Connectors are not behind a NAT for outbound Internet access, then you may need to add multiple IP addresses to the zone. (This is not common.)
Create an IP List
- Log in to the Jumpcloud Admin Portal
- Go to SECURITY MANAGEMENT > Conditional Lists
- Click ( + )
- Give a name for List Name such as
Twingate Connectors
- Enter the publicIP address(es) associated with the Twingate Connectors. (Note: You can use a combination of individual addresses, CIDR notation, and a range in the same IP list.)
- Click save.
Create a Conditional Access Policy
From the Jumpcloud Admin Portal:
- Go to SECURITY MANAGEMENT > Conditional Policies.
- Click ( + ), then select SSO Applications.
- Enter a unique Policy Name.
- Select SSO Applications for which the policy should apply.
- Select Users & Groups for which the policy should apply.
- Select all if every condition must be met for the policy to apply.
- Add an IP List Condition: Click add conditions, then select IP List corresponding to Twingate Connectors.
- Click create policy.
More Information
You will find more information in the Jumpcloud Documentation with their guide to managing IP Lists and guide to Access Policies for SSO Apps.
Last updated 25 days ago