# JumpCloud SSO (SAML)

> Use JumpCloud SAML to secure access to ngrok endpoints with single sign-on.

<Note>
  This guide refers to using SSO to authenticate access to your **endpoints**. You cannot use these instructions to set up SSO for logging into your ngrok account in the dashboard.
</Note>

This guide walks you through configuring JumpCloud as the primary Identity Provider for ngrok tunnels using single sign-on (SSO).
By integrating JumpCloud SSO with ngrok, you can:

* Restrict access to ngrok tunnels to users authenticated via JumpCloud
* Use JumpCloud security policies and MFA authenticators
* Use JumpCloud's Dashboard to facilitate access to ngrok apps

## What you'll need

* A JumpCloud account with administrative rights to create apps.
* An ngrok Pay-as-you-go account with an authtoken or admin access to configure endpoints with SAML.

## 1. Configure JumpCloud

* Access the JumpCloud Console and sign in using your JumpCloud administrator account.
* On the left menu, click **SSO**, click **Get Started** or **+ Add New Application**, and then click **Custom SAML App**.
* On the **New Application** popup, enter `ngrok saml` in the **Display Label** field.
* Click the **SSO** tab, enter `https://ngrok-jumpcloud` in the **IdP Entity ID** field, enter temporary values (such as `https://temporary`) in both the **SP Entity ID** and the **ACS URL** fields, and then click **Activate**.

## 2. Download the IdP metadata

* On the **SSO** page of the JumpCloud Console, click your **Custom SAML App**, click the **SSO** tab, click **Export Metadata**, and then save the XML file on your desktop.

## 3. Configure ngrok

<Warning>
  The SAML Traffic Policy action is currently in [developer preview](/traffic-policy/actions/saml/). [Request access](https://dashboard.ngrok.com/developer-preview) to configure SAML via Traffic Policy.
</Warning>

Once you have developer preview access, create a `policy.yaml` file with the following content, replacing `YOUR_IDP_METADATA_XML` with the IdP metadata XML from JumpCloud:

```yaml
on_http_request:
  - actions:
      - type: saml
        config:
          idp_metadata: 'YOUR_IDP_METADATA_XML'
```

The SAML action generates your ngrok SP Entity ID and ACS URL based on your endpoint URL. Refer to the [SAML action documentation](/traffic-policy/actions/saml/) for how to retrieve these values to complete your IdP configuration.
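One way to check the exported metadata and produce `policy.yaml` from it, as an added example that is not ngrok's or JumpCloud's own tooling. The function names, the checks chosen, and the sample metadata are assumptions made for illustration; it also swaps the single-quoted string for a YAML literal block scalar so the multi-line XML is embedded unchanged and needs no quote escaping.

```python
"""Validate the IdP metadata exported in step 2 and render policy.yaml (added example)."""
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
EXPECTED_ENTITY_ID = "https://ngrok-jumpcloud"  # IdP Entity ID entered in step 1

def check_idp_metadata(xml_text, expected_entity_id=EXPECTED_ENTITY_ID):
    """Return a list of problems; an empty list means the export looks sane."""
    if "<!DOCTYPE" in xml_text:  # metadata needs no DTD; avoid entity expansion
        return ["DOCTYPE present: refusing to parse"]
    root = ET.fromstring(xml_text)
    problems = []
    if root.get("entityID") != expected_entity_id:
        problems.append(f"entityID is {root.get('entityID')!r}, expected {expected_entity_id!r}")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        return problems + ["no IDPSSODescriptor: this is not IdP metadata"]
    if not any((c.text or "").strip() for c in idp.iterfind(".//ds:X509Certificate", NS)):
        problems.append("no X509Certificate: assertion signatures cannot be checked")
    for sso in idp.iterfind("md:SingleSignOnService", NS):
        if not sso.get("Location", "").startswith("https://"):
            problems.append(f"SSO endpoint is not HTTPS: {sso.get('Location')!r}")
    return problems

def render_policy(xml_text):
    """Embed the XML unchanged as a YAML literal block scalar under idp_metadata."""
    body = "\n".join(" " * 12 + line if line.strip() else ""
                     for line in xml_text.strip().splitlines())
    return ("on_http_request:\n  - actions:\n      - type: saml\n"
            "        config:\n          idp_metadata: |-\n" + body + "\n")

# Constructed sample shaped like SAML IdP metadata; not real JumpCloud output.
SAMPLE = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://ngrok-jumpcloud">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:X509Data>
        <ds:X509Certificate>Q09OU1RSVUNURUQ=</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Location="https://sso.example.test/saml2/ngrok"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

if __name__ == "__main__":
    issues = check_idp_metadata(SAMPLE)  # swap SAMPLE for the exported file's text
    print("\n".join(issues) if issues else render_policy(SAMPLE))
```

An `entityID` mismatch usually means the wrong application's metadata was exported, or the **IdP Entity ID** was changed after step 1.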

## 4. Obtain the SP metadata

Retrieve your SP metadata XML generated by the SAML action for your endpoint URL (see [SAML action documentation](/traffic-policy/actions/saml/)). In the metadata XML, confirm the SP Entity ID and ACS URL values; you upload this XML in the next step when linking JumpCloud with ngrok.

## 5. Link JumpCloud with ngrok

* Access the JumpCloud Console, click **SSO**, click your **Custom SAML App**, click the **SSO** tab, click **Upload Metadata**, and then open the XML metadata file you downloaded from ngrok (see [Obtain the SP metadata](#4-obtain-the-sp-metadata)).
* Click **Save**.

## 6. Start a tunnel

<Note>
  This step assumes you have an app running locally (for example, on `localhost:3000`) with the ngrok client installed.
</Note>

Run the following command, replacing `3000` with your local web app port and `YOUR_DOMAIN` with your ngrok domain:

```bash
ngrok http 3000 --traffic-policy-file policy.yaml --url YOUR_DOMAIN
```

Copy the URL next to **Forwarding**. You'll use this URL to test the JumpCloud authentication.

## Grant access to JumpCloud users

JumpCloud allows administrators to restrict access to SSO apps—such as ngrok—via user group assignments.
By default, apps created in JumpCloud have no group assignments; in other words, nobody can use JumpCloud SSO to access ngrok until you assign a group to the app.
To assign JumpCloud groups to the ngrok app:

* On the left menu of the JumpCloud Console, click **SSO** and click the ngrok custom SAML app you created.
* On the app popup, click the **User Groups** tab, click the checkbox of the **All Users** group, and then click **Save**.
  Make sure to add JumpCloud users to this group when you create or manage users that need access to the ngrok app.

## Test the integration

* In your browser, launch an incognito window.
* Access your ngrok tunnel using the endpoint URL you copied (for example, `https://jumpcloud-sso-test.ngrok.app`).
* You should be prompted to log in with your JumpCloud credentials.
* After logging in, you should be able to see your web app.
