Howto: Setup TAG MCS to work with Jumpcloud SSO/SAML

Hi,
As promised, I am providing a writeup on how to get TAG MCS to work with Jumpcloud SAML. Overall it's not that different to Okta, but it really helps to have a screenshot of the settings that actually work, as SAML config is often very confusing with mixed terms and requirements between the various vendors and software.

First in Jumpcloud:
New SSO application → Custom → Next → Manage SSO, Configure with SAML. Give it a name, logo etc. however you like.

Then in SSO, the fields you need to set:
IdP Entity ID: Make up a unique word for your environment - eg: tag-mcs-broadcast-myorg

SP Entity ID:

https://<your tag URL>/api/5.0/auth/saml/login/callback

ACS URLs:
https://<your tag URL>/api/5.0/auth/saml/login/callback

For the format I went with
SAML NameID: email
and
NameID format: 1.1 EmailAddress

You can probably get others to work - the Okta integration does it differently, but this worked for me, and was fine (users appear as their email address which is fine for us).

Leave Sign and Default RelayState at their defaults.

Login URL:
https://<your tag URL>/login

Tick Group Attribute and put in the word ‘group’ in the box. Hit Save.

Now go back into Jumpcloud and download the IDP Certificate. It will be in PEM format, so just open it in Notepad or something.

Now, back in MCS, go to Management → Identity Providers
For entity ID/Issuer put in the IDP Entity ID you decided eg: tag-mcs-broadcast-myorg

For the Entrypoint IDP URL field, copy that from Jumpcloud SSO settings for your MCS - IDP URL. It will be something like https://sso.jumpcloud.com/saml2/<name> and paste it in there.

Then paste in the certificate you got from the IDP Certificate.

You should have a SAML login button now and be able to log in, but have no roles.
You then just need to create a role that matches the Jumpcloud group that has access to the Application.
So in the Jumpcloud SSO settings, make sure you add some groups to be able to use the application, and then in MCS, make a Role that matches the name of the Jumpcloud group, and assign permissions.
Then users will get the permissions of that role when they log in.

I haven’t tested fine-grained roles yet, but basic admin rights work fine.

Good luck!
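
The settings in the post above can be checked against a decoded SAML response when a login succeeds but no role appears. This is an added example, not part of the original post and not TAG or JumpCloud code. The host `tag.example.org`, the group names, the function name and the exact-name role match are assumptions.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FMT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
SP = "https://tag.example.org/api/5.0/auth/saml/login/callback"  # placeholder host

# Constructed, unsigned sample response (not captured from a real system).
SAMPLE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}">
 <saml:Assertion>
  <saml:Issuer>tag-mcs-broadcast-myorg</saml:Issuer>
  <saml:Subject><saml:NameID Format="{EMAIL_FMT}">alice@example.org</saml:NameID></saml:Subject>
  <saml:Conditions><saml:AudienceRestriction>
   <saml:Audience>{SP}</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement><saml:Attribute Name="group">
   <saml:AttributeValue>mcs-admins</saml:AttributeValue>
   <saml:AttributeValue>staff</saml:AttributeValue>
  </saml:Attribute></saml:AttributeStatement>
 </saml:Assertion>
</samlp:Response>"""

def check_response(xml_text, idp_entity_id, sp_entity_id, mcs_roles):
    """Return (findings, matched_roles). Inspection only: no signature check."""
    # Only feed this responses from your own login; ElementTree is not
    # hardened against hostile XML.
    a = ET.fromstring(xml_text).find("saml:Assertion", NS)
    if a is None:
        return ["no Assertion element (is it encrypted?)"], []
    findings = []
    issuer = (a.findtext("saml:Issuer", default="", namespaces=NS) or "").strip()
    if issuer != idp_entity_id:
        findings.append(f"Issuer {issuer!r} != IdP Entity ID {idp_entity_id!r}")
    audiences = [e.text.strip() for e in a.iterfind(".//saml:Audience", NS) if e.text]
    if sp_entity_id not in audiences:
        findings.append(f"SP Entity ID not in Audience {audiences}")
    nameid = a.find("saml:Subject/saml:NameID", NS)
    if nameid is None or nameid.get("Format") != EMAIL_FMT:
        findings.append("NameID missing or not in 1.1 emailAddress format")
    groups = [v.text.strip() for v in a.iterfind(
        ".//saml:Attribute[@Name='group']/saml:AttributeValue", NS) if v.text]
    # Assumption: a role applies when its name equals a group value exactly.
    matched = sorted(set(groups) & set(mcs_roles))
    if not groups:
        findings.append("no 'group' attribute: login works but user has no roles")
    elif not matched:
        findings.append(f"no MCS role named like any of {groups}")
    return findings, matched

if __name__ == "__main__":
    print(check_response(SAMPLE, "tag-mcs-broadcast-myorg", SP, ["mcs-admins"]))
```

An empty findings list means the issuer, audience, NameID format and group attribute line up with the values entered on both sides; the second element lists the role names that would be granted under the exact-match assumption.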

Thank you so much for taking the time to share this detailed write-up on integrating TAG MCS with JumpCloud using SAML!
This is exactly the kind of knowledge sharing we envisioned when launching the community portal enabling customers to learn from each other’s experience and accelerate success across different environments.
Your step-by-step guide, especially with the practical notes and clarifications, will no doubt be incredibly helpful for others navigating similar setups.
We truly appreciate your contribution, and we encourage others to share their tips and findings as well.

Thanks again!
Eitan