Configuring SSO Integration with JumpCloud
Follow the steps below one by one to integrate Parallels My Account with JumpCloud.
A domain is a part of the email addresses (after the @ symbol) used by the end users in your organization. When end users try to log in to Parallels My Account using SSO, they are prompted to enter their work email address. Parallels My Account checks the domain part of the email address and recognizes that the user belongs to your organization. Click on the title of Step 1 to expand it and read the instructions carefully.
Add one or more domains your organization uses.
Each domain must be unique and can only be registered to one business account that your organization has registered with Parallels.
Make sure to add only the domains your organization can control.
The Parallels My Account service verifies the domain ownership by checking a specific TXT record that must be added to the DNS host of the corresponding domain. Make sure that all domains added to the list are verified before proceeding with the next steps.
Depending on the software and/or provider, a TXT record may take up to 72 hours to propagate. You can check whether it's been configured using the following command:
Registering the Parallels enterprise application (required for integrating with the Parallels My Account service) in the IdP Directory allows you to configure the SSO-related parameters and correctly provision the integration between your IdP and the Parallels My Account service.
The process below describes setting up a new Enterprise Application for JumpCloud:
Log into the JumpCloud administrative console. On the left-hand side panel, find the User Authentication section and select SSO Applications. Click the + Add New Application button on the new page.
At the Select Application step, choose the Custom Application option in the bottom right corner and click Next at the next screen.
At the Select the features you would like to enable step, choose Manage Single Sign-On (SSO) and Export users to this app (Identity Management) options. For the SSO functionality, choose the Configure SSO with SAML option. Click Next.
At the Enter general info step, fill out the parameters as you see fit and click Save Application in the bottom right corner. Make sure to devise a unique login URL under Advanced Settings.
Click Configure Application in the bottom right corner to continue setting up the Parallels application's integration with JumpCloud.
Select your application from JumpCloud's list of Configured Applications, and make sure you are switched to the SSO tab.
In the IdP Entity ID field, type in a unique name, e.g., "JumpCloudParallels".
Go to the SSO setup page of Parallels My Account, expand Step (4) Configure SAML Integration, and copy the URL parameters into the respective fields of the SSO tab on the JumpCloud side:
From Service Provider Settings/Service Provider Entity ID (Parallels) to SP Entity ID (JumpCloud);
From Service Provider Settings/Assertion Consumer Service URL (Parallels) to ACS URLs/Default URL (JumpCloud).
IMPORTANT! Under the Sign* section of the JumpCloud SSO settings tab, make sure to select the Assertion and Response option.
Scroll down to the Attributes section and use the add attribute button to add the following attributes exactly as shown in the image below:
Under the GROUP ATTRIBUTES section, check the box titled include group attribute and set the parameter to groups, and click Activate SSO if it is not active yet.
Switch back to the Parallels My Account, expand Step (2) Register the Parallels Enterprise App, and check the Configuration in the IdP Directory is complete box.
While you have the SSO tab of your Parallels application open on the JumpCloud side, you can also finish configuring the SAML integration. Follow these steps:
On the JumpCloud side, in the same SSO tab of your Parallels app card, scroll to the very top and click the Export Metadata button. This will download an XML file to your computer.
On the Parallels My Account side, go back to the SSO setup procedure, expand Step (4) Configure SAML Integration, locate the Identity Provider Settings section and use the Upload the metadata file link to upload the XML file that you have just downloaded from JumpCloud.
Click Save to update the configuration and check the Configuration in the IdP Directory is complete box.
Proceed to the next step.
You must create user groups associated with the Parallels Desktop application in your IdP Directory. Later, you will add users to those groups to let Parallels My Account know which users should have business account admin privileges in the Parallels ecosystem. At least one user group is required for adding users with admin access to your organization’s business account registered with Parallels, and one more for the users of Parallels Desktop for Mac. Once the group is created, you should add the group's name and ID in Step 3 of the integration configurator page in Parallels My Account.
Start with creating the group in the IdP Directory. To do so, switch to your IdP management portal and follow the standard procedure of creating a user group and associating it with the Parallels enterprise application, as provided by your Organization’s IdP. The description below illustrates the registration procedure for JumpCloud. It is assumed that you have appropriate permissions that allow you to manage user groups in JumpCloud. To create a user group for the Parallels enterprise application in JumpCloud:
In the JumpCloud admin console, find the User Management section on the left-hand side panel and click on User Groups.
Click on the + button to create a new group.
In the new group panel, give it a name (e.g., Parallels Desktop Administrators), and optionally, add a description, and click Save Group in the bottom right corner.
Note: At least two groups are required, one for the administrators with access to license management in Parallels My Account, and one for the app users who need to activate their Parallels Desktop licenses.
Wait for the newly created group to appear on the group list and click on it to configure.
On the Details tab, scroll down to the Custom Attributes section, click the + Add Custom Attribute button, and select the type String.
In the Attribute Name field, put the name of the group attribute as specified in Step 11 of the (2) Register Parallels Enterprise App and Configure SAML Settings section above, in this case, groups.
For Attribute Value, see the address in your browser's address bar and identify the unique group ID in it, i.e., for https://console.jumpcloud.com/#/groups/user/67c0bea6ecc3120001efa8da/details the value will be 67c0bea6ecc3120001efa8da. Write down the identifier value for later use.
Click Save Group and repeat for all the groups.
In JumpCloud, go back to the SSO Applications section, open the Parallels app, switch to the User Groups tab, check the boxes for both admin and user groups, and click Save.
Switch to the Parallels My Account integration page, expand Step (3) Configure User Groups Mapping, use the click to edit links to fill out the group name and UUID (the value from step 7 earlier) fields for administrators and users, as specified on the JumpCloud side, and click Save.
Take care to use the correct names and UUIDs for each group.
Once the required groups have been created in the IdP Directory and associated with the Parallels app, move on to the next step.
SAML 2.0 should already have been configured for the Parallels enterprise application registered with Okta at the time of the Parallels enterprise application registration (refer to the chapter (2) Register Parallels enterprise app and configure SAML settings earlier in this document for more details).
Make sure to check the Step 4 section on the integration configurator page at Parallels My Account. All fields must be filled in, and the Configuration in the IdP Directory is done option must be enabled.
If everything is set, proceed to the next step.
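The signing option and the groups attribute configured earlier can be checked against a decoded SAML response captured from a test sign-in. The following is an added example (not Parallels or JumpCloud code) that reports whether both the Response and the Assertion carry their own signature and whether the groups attribute contains a mapped value. The function names and the sample XML are constructed, and it is an assumption that the groups attribute carries the identifiers entered in the group mapping.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample: the shape of a decoded response, with signature contents elided.
SAMPLE_RESPONSE = """<samlp:Response ID="_r1" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <ds:Signature><ds:SignedInfo><ds:Reference URI="#_r1"/></ds:SignedInfo></ds:Signature>
  <saml:Assertion ID="_a1">
    <saml:Issuer>JumpCloudParallels</saml:Issuer>
    <ds:Signature><ds:SignedInfo><ds:Reference URI="#_a1"/></ds:SignedInfo></ds:Signature>
    <saml:AttributeStatement><saml:Attribute Name="groups">
      <saml:AttributeValue>67c0bea6ecc3120001efa8da</saml:AttributeValue>
    </saml:Attribute></saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def signs_itself(element):
    """True if a direct-child ds:Signature references this element's own ID.

    Structural check only: it does not verify the signature cryptographically.
    """
    elem_id = element.get("ID")
    ref = element.find("ds:Signature/ds:SignedInfo/ds:Reference", NS)
    return bool(elem_id) and ref is not None and ref.get("URI") == "#" + elem_id


def check_response(xml_text, expected_issuer, mapped_groups):
    """Return the configuration problems found in one decoded SAML response."""
    root = ET.fromstring(xml_text)
    problems = []
    if not signs_itself(root):
        problems.append("Response is not signed")
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        return problems + ["expected exactly one Assertion, found %d" % len(assertions)]
    assertion = assertions[0]
    if not signs_itself(assertion):
        problems.append("Assertion is not signed")
    if assertion.findtext("saml:Issuer", namespaces=NS) != expected_issuer:
        problems.append("unexpected Issuer")
    values = assertion.findall(
        "saml:AttributeStatement/saml:Attribute[@Name='groups']/saml:AttributeValue", NS)
    if not {(v.text or "").strip() for v in values} & set(mapped_groups):
        problems.append("no mapped group in the 'groups' attribute")
    return problems
```

A signature whose Reference points at a different element's ID is reported as missing, which is the case the Assertion and Response setting is meant to rule out.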
SCIM 2.0 integration between Parallels My Account and your Organization’s IdP allows you to keep user identity information in Parallels My Account in constant sync with the updates made to user identities in the IdP Directory. JumpCloud supports the SCIM 2.0 protocol, which is used for this purpose.
To set up SCIM integration with JumpCloud, do the following:
In JumpCloud, select SSO Applications from the left-hand side panel, and click on the Parallels app created earlier.
In the app panel, switch to the Identity Management tab.
Select API Type: SCIM API, leave the Use mTLS authentication box unchecked, and select SCIM Version: SCIM 2.0. Then switch to the My Account IdP integration page and expand Step (5) Configure SCIM Integration.
Copy the value of the SCIM Base URL parameter to the Base URL field on the JumpCloud side, and the value of Bearer Token to the Token Key field, respectively.
On the JumpCloud side, type the email address of a user already included in one of the groups during the group mapping configuration and click Test Connection.
Once the connection tests successfully, click Activate, switch to the Parallels My Account IdP integration page, and check the Configuration in the IdP Directory is complete box in Step (5) Configure SCIM Integration.
Continue to the next step.
For users to be able to use the application to sign in or activate with Parallels, they must be created and added to the groups tied to the Enterprise Application.
To add users to the groups created in step (3), go to JumpCloud, select User Groups from the left-hand side panel, click on the required group, switch to the Users tab, and populate it with users as required.
Once it is done, or if you plan to add users later, switch back to the My Account SSO setup page, expand Step 6, "Add Users to Application Groups", and mark the Configuration in the IdP Directory is complete checkbox at the bottom of the section.
The backup login can be used to access your organization’s business account registered with Parallels bypassing Single Sign-On in the event of an SSO malfunction. By default, the backup login is set to the email address of the currently logged-in user. If you want to define a different backup login, add more users first on the Users page of the Business Profile section in Parallels My Account. The new user must log into the business account at least once before they can be designated as a backup login.
Warning: Once you have completed the integration process and activated the SSO functionality, only users from the Administrators group in your IdP signing in via SSO will retain access to managing the Parallels business account. All previous administrative privileges based on logins and passwords will become inactive.
Your designated backup login will continue to work.