
How to Configure JumpServer OIDC SSO with Microsoft Azure Entra ID

Single sign-on (SSO) lets your team access JumpServer with the same corporate credentials they already use in Microsoft 365. By integrating JumpServer with Microsoft Azure Entra ID (formerly Azure Active Directory) through OpenID Connect (OIDC), you centralize authentication, reduce password sprawl, and align privileged access management with your existing identity governance.

This tutorial walks you through the complete setup: registering an application in Entra ID, collecting the required OIDC endpoints, and configuring JumpServer to authenticate users via Azure SSO.

What You Will Learn

  • How to register a JumpServer application in Microsoft Entra ID
  • How to obtain the Client ID, Client Secret, and OIDC endpoint URLs
  • How to enable and configure OIDC authentication in JumpServer
  • How to verify Azure Entra ID SSO login end to end

Prerequisites

Before you begin, make sure you have:

  • A JumpServer instance (Community or Enterprise Edition) reachable over HTTPS
  • An Azure subscription with permissions to create app registrations in Microsoft Entra ID
  • The public base URL of your JumpServer deployment (for example, https://jump.example.com/)
  • Administrator access to JumpServer System settings → Authentication

Important: The JumpServer redirect URI must use HTTPS and follow this exact path pattern:

https://<your-jumpserver-domain>/core/auth/openid/callback/


Part 1: Configure Microsoft Entra ID (Azure Portal)

All identity-provider configuration happens in the Azure portal under Microsoft Entra ID.

Step 1: Open Microsoft Entra ID

Sign in to the Azure portal. In the top search bar, type Entra ID and select Microsoft Entra ID from the results.

[Screenshot: Search for Microsoft Entra ID in the Azure portal]

Step 2: Register a New Application

From the Entra ID overview page, click + Add and choose App registration.

[Screenshot: Create a new app registration from the Entra ID overview page]

On the Register an application page, configure the following:

Field                      Value
Name                       JumpServer (or any descriptive name)
Supported account types    Accounts in this organizational directory only (single tenant)
Redirect URI (platform)    Web
Redirect URI (URL)         https://<your-jumpserver-domain>/core/auth/openid/callback/

Replace <your-jumpserver-domain> with your actual JumpServer hostname. The trailing slash is required.

Click Register to create the application.

[Screenshot: Register the JumpServer application with the OIDC redirect URI]

Step 3: Copy the Application (Client) ID

After registration, Azure opens the application Overview page. Copy and save the Application (client) ID — you will enter this value as the Client ID in JumpServer.

Also copy the Directory (tenant) ID: it appears in every tenant-specific endpoint URL you build in the next step.

[Screenshot: Copy the Application (client) ID from the app registration overview]

Step 4: Retrieve OIDC Endpoint URLs

On the same Overview page, click Endpoints in the top menu. A panel opens on the right listing all protocol endpoints.

  1. Locate OpenID Connect metadata document and copy its URL.
  2. Open that URL in a new browser tab. The JSON document lists all OIDC endpoints for your tenant.

From the metadata document (or the Endpoints panel), collect the following values for JumpServer:

JumpServer field          Azure value
Provider endpoint         Issuer URL: https://login.microsoftonline.com/<tenant-id>/v2.0
Authorization endpoint    https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/authorize
Token endpoint            https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/token
JWKS endpoint             https://login.microsoftonline.com/<tenant-id>/discovery/v2.0/keys
Userinfo endpoint         https://graph.microsoft.com/oidc/userinfo
End session endpoint      https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/logout

Replace <tenant-id> with your Directory (tenant) ID. Do not substitute the multi-tenant authorities common or organizations: the single-tenant app registration above rejects them, and the issuer value in those metadata documents is the template https://login.microsoftonline.com/{tenantid}/v2.0, which will never match the iss claim of an ID token.

[Screenshot: Open the Endpoints panel and copy the OpenID Connect metadata document URL]

Tip: Opening the metadata document in your browser is the easiest way to confirm every endpoint URL before pasting them into JumpServer.
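The same check can be scripted. The following is an added example, not code from the JumpServer project or from this guide: it derives the v2.0 endpoint URLs for a tenant in the exact form JumpServer's Server Settings expect, and compares a metadata document against them so a mismatch (a copy-paste of the common authority, a v1.0 URL, a tenant without RS256) is caught before anything is typed into JumpServer. The tenant ID is a placeholder and SAMPLE_DISCOVERY is a constructed, abbreviated document in the shape Microsoft publishes; fetch_discovery() shows the live equivalent but is not needed for the offline check.

```python
"""Added example, not code from the JumpServer project or from this guide: derive the
Entra ID v2.0 endpoint URLs for a tenant and check a discovery document against them
before pasting values into JumpServer. The tenant ID is a placeholder and
SAMPLE_DISCOVERY is a constructed, abbreviated metadata document; fetch_discovery()
shows the live equivalent but is not needed for the offline check."""
import json
import urllib.request

AUTHORITY = "https://login.microsoftonline.com"

# JumpServer "Server Settings" label -> key in the OpenID Connect metadata document
JUMPSERVER_FIELDS = {
    "Provider endpoint": "issuer",
    "Authorization endpoint": "authorization_endpoint",
    "Token endpoint": "token_endpoint",
    "JWKS endpoint": "jwks_uri",
    "Userinfo endpoint": "userinfo_endpoint",
    "End session endpoint": "end_session_endpoint",
}


def expected_endpoints(tenant_id):
    """Endpoints a single-tenant v2.0 app registration should use for this tenant."""
    base = f"{AUTHORITY}/{tenant_id}"
    return {
        "issuer": f"{base}/v2.0",
        "authorization_endpoint": f"{base}/oauth2/v2.0/authorize",
        "token_endpoint": f"{base}/oauth2/v2.0/token",
        "jwks_uri": f"{base}/discovery/v2.0/keys",
        "userinfo_endpoint": "https://graph.microsoft.com/oidc/userinfo",
        "end_session_endpoint": f"{base}/oauth2/v2.0/logout",
    }


def discovery_url(tenant_id):
    """The 'OpenID Connect metadata document' URL from the portal's Endpoints panel."""
    return f"{AUTHORITY}/{tenant_id}/v2.0/.well-known/openid-configuration"


def fetch_discovery(tenant_id, timeout=10):
    """Live fetch of the metadata document (network required)."""
    with urllib.request.urlopen(discovery_url(tenant_id), timeout=timeout) as resp:
        return json.load(resp)


def check_discovery(doc, tenant_id):
    """Return {key: (expected, actual)} for every mismatch; {} means the document is
    consistent with a single-tenant v2.0 setup. A 'common' or 'organizations'
    document fails here because its issuer is the template .../{tenantid}/v2.0."""
    problems = {}
    for key, want in expected_endpoints(tenant_id).items():
        got = doc.get(key)
        if got != want:
            problems[key] = (want, got)
    # Entra ID signs ID tokens with RS256; JumpServer's Signature algorithm must match.
    algs = doc.get("id_token_signing_alg_values_supported", [])
    if "RS256" not in algs:
        problems["id_token_signing_alg_values_supported"] = (["RS256"], algs)
    return problems


def jumpserver_server_settings(tenant_id):
    """Value to paste into each JumpServer Server Settings field, keyed by its label."""
    endpoints = expected_endpoints(tenant_id)
    return {label: endpoints[key] for label, key in JUMPSERVER_FIELDS.items()}


SAMPLE_TENANT = "11111111-2222-3333-4444-555555555555"  # placeholder Directory (tenant) ID
_T = f"{AUTHORITY}/{SAMPLE_TENANT}"

# Constructed sample: only the fields of a real metadata document that matter here.
SAMPLE_DISCOVERY = {
    "issuer": f"{_T}/v2.0",
    "authorization_endpoint": f"{_T}/oauth2/v2.0/authorize",
    "token_endpoint": f"{_T}/oauth2/v2.0/token",
    "jwks_uri": f"{_T}/discovery/v2.0/keys",
    "userinfo_endpoint": "https://graph.microsoft.com/oidc/userinfo",
    "end_session_endpoint": f"{_T}/oauth2/v2.0/logout",
    "scopes_supported": ["openid", "profile", "email", "offline_access"],
    "id_token_signing_alg_values_supported": ["RS256"],
    "token_endpoint_auth_methods_supported": ["client_secret_post", "private_key_jwt",
                                              "client_secret_basic"],
}

if __name__ == "__main__":
    for label, url in jumpserver_server_settings(SAMPLE_TENANT).items():
        print(f"{label:24} {url}")
    print("mismatches:", check_discovery(SAMPLE_DISCOVERY, SAMPLE_TENANT))
```

Run it with your own tenant ID substituted for SAMPLE_TENANT and replace SAMPLE_DISCOVERY with fetch_discovery(tenant_id) to check the live document; an empty mismatch dict means the six values printed are safe to paste into JumpServer.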

Step 5: Create a Client Secret

In the left navigation pane, go to Certificates & secrets. Open the Client secrets tab and click + New client secret.

  1. Enter a description (for example, jumpserver).
  2. Choose an expiration period. The portal's recommended default is 180 days; whatever you pick, record the expiry date and schedule a rotation before it, because an expired secret stops every SSO login with no warning in Azure.
  3. Click Add.

[Screenshot: Create a new client secret for the JumpServer app registration]

Azure displays the secret Value only once. Copy it immediately and store it in a secure location — you cannot retrieve it later.

[Screenshot: Copy the client secret value immediately after creation]


Part 2: Configure JumpServer

With Entra ID configured, switch to the JumpServer administration console.

Step 6: Enable OIDC Authentication

  1. Click the Settings (gear) icon in the top-right corner.
  2. In the left sidebar, select Authentication.
  3. Open the Integration tab.
  4. Under SSO, toggle OIDC to ON.

[Screenshot: Enable OIDC in JumpServer System settings under Authentication → Integration]

Step 7: Configure OIDC Parameters

Open the OIDC tab and fill in the settings below.

Basic Settings

Field             Value
OIDC              Enabled
Base site URL     https://<your-jumpserver-domain>/ (same scheme and host as the redirect URI)
Client ID         Application (client) ID from Step 3
Client secret     Client secret value from Step 5
Request method    Client Secret Basic

Server Settings

Fill in Provider endpoint with the issuer URL from Step 4; JumpServer reads the provider's discovery document and fills in the remaining endpoints. Compare the auto-filled values against the table below before saving.

Field                     Value
Use Keycloak              Disabled
Provider endpoint         https://login.microsoftonline.com/<tenant-id>/v2.0
Authorization endpoint    https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/authorize
Token endpoint            https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/token
JWKS endpoint             https://login.microsoftonline.com/<tenant-id>/discovery/v2.0/keys
Userinfo endpoint         https://graph.microsoft.com/oidc/userinfo
End session endpoint      https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/logout
Signature algorithm       RS256

Entra ID signs ID tokens with RS256 using the keys published at the JWKS endpoint. Selecting HS256 makes JumpServer try to verify the signature with the client secret instead, and every login fails with a signature error even though the authorization step succeeds.

[Screenshot: Configure JumpServer OIDC basic and server settings for Azure Entra ID]

Token, Session, and User Mapping

Scroll down to configure token behavior and user attribute mapping. Keep Use state and Use nonce enabled: state binds the callback to the browser session that started the login (CSRF protection), and nonce binds the ID token to that specific authorization request so a captured token cannot be replayed.

Field                     Recommended value
ID token max age (s)      600
ID token include claims   Enabled
Use state                 Enabled
Use nonce                 Enabled
Always update user        Enabled
Share session             Enabled

In the User attribute JSON editor, map Azure Entra ID claims to JumpServer user fields. preferred_username carries the user's UPN; the email claim is only present when the email scope is requested (JumpServer requests openid profile email by default) and the account has a mail address:

{
  "name": "name",
  "username": "preferred_username",
  "email": "email"
}

Set Organization to the JumpServer organization where SSO users should be provisioned (typically DEFAULT).

Click Submit to save the configuration.

[Screenshot: Configure OIDC token settings, user attribute mapping, and organization in JumpServer]
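To see what the settings above mean on the wire, here is an added example in Python; it is not JumpServer's own code. It builds the authorization request a relying party like JumpServer sends (with the state and nonce the two toggles enable), applies the checks the relying party must make on the returned ID token (signing algorithm, issuer, audience, nonce, expiry, ID token max age), and runs the User attribute JSON from this guide over the claims, reporting which claims are missing, which is the usual cause of the "user not provisioned" symptom. The tenant ID, client ID and hostname are placeholders, and the sample token is constructed and unsigned; signature verification against the JWKS endpoint is out of scope here and remains mandatory in a real client.

```python
"""Added example, not JumpServer code: what the Step 7 settings mean on the wire.
It builds the authorization request JumpServer sends, applies the checks a relying
party must make on the returned ID token (signing algorithm, issuer, audience, nonce,
expiry, max age) and maps claims with the User attribute JSON from this guide.
Tenant ID, client ID and hostname are placeholders; sample tokens are constructed and
unsigned. Signature verification against the JWKS endpoint is out of scope here and
remains mandatory in a real client."""
import base64
import json
import secrets
import time
from urllib.parse import urlencode

TENANT_ID = "11111111-2222-3333-4444-555555555555"  # placeholder Directory (tenant) ID
CLIENT_ID = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"  # placeholder Application (client) ID
BASE_SITE_URL = "https://jump.example.com/"          # placeholder JumpServer base URL
REDIRECT_URI = BASE_SITE_URL + "core/auth/openid/callback/"
ISSUER = f"https://login.microsoftonline.com/{TENANT_ID}/v2.0"
AUTHORIZE_ENDPOINT = f"https://login.microsoftonline.com/{TENANT_ID}/oauth2/v2.0/authorize"
ID_TOKEN_MAX_AGE = 600         # JumpServer "ID token max age (s)"
SIGNATURE_ALGORITHM = "RS256"  # JumpServer "Signature algorithm"
# User attribute JSON from Step 7: JumpServer field -> ID token claim
USER_ATTR_MAP = {"name": "name", "username": "preferred_username", "email": "email"}


def build_authorize_url(state, nonce):
    """Authorization request: state binds the callback to this browser session (CSRF),
    nonce binds the ID token to this request (replay)."""
    params = {"client_id": CLIENT_ID, "response_type": "code", "redirect_uri": REDIRECT_URI,
              "scope": "openid profile email", "response_mode": "query",
              "state": state, "nonce": nonce}
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}"


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(obj):
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def decode_id_token(token):
    """Split a JWT into (header, claims) without verifying the signature."""
    header_b64, payload_b64, _signature = token.split(".")
    return json.loads(_b64url_decode(header_b64)), json.loads(_b64url_decode(payload_b64))


def validate_id_token(token, expected_nonce, now=None):
    """Return the list of failed checks; an empty list means the token is acceptable."""
    now = int(time.time()) if now is None else now
    header, claims = decode_id_token(token)
    errors = []
    if header.get("alg") != SIGNATURE_ALGORITHM:
        errors.append(f"alg {header.get('alg')!r} != configured {SIGNATURE_ALGORITHM}")
    if claims.get("iss") != ISSUER:
        errors.append(f"iss {claims.get('iss')!r} != {ISSUER}")
    if claims.get("aud") != CLIENT_ID:
        errors.append(f"aud {claims.get('aud')!r} != client ID")
    if claims.get("nonce") != expected_nonce:
        errors.append("nonce does not match the value sent in the authorization request")
    if claims.get("exp", 0) <= now:
        errors.append("token expired")
    if now - claims.get("iat", 0) > ID_TOKEN_MAX_AGE:
        errors.append(f"iat older than {ID_TOKEN_MAX_AGE}s")
    return errors


def map_user(claims):
    """Apply USER_ATTR_MAP; returns (jumpserver_user_fields, missing_claims)."""
    user, missing = {}, []
    for field, claim in USER_ATTR_MAP.items():
        if claim in claims:
            user[field] = claims[claim]
        else:
            missing.append(claim)
    return user, missing


def make_sample_id_token(nonce, issued_at, alg="RS256", **overrides):
    """Constructed, unsigned sample shaped like an Entra ID v2.0 ID token.
    Pass claim=None in overrides to drop a claim (for example email=None)."""
    header = {"typ": "JWT", "alg": alg, "kid": "placeholder-kid"}
    claims = {"iss": ISSUER, "aud": CLIENT_ID, "nonce": nonce, "iat": issued_at,
              "nbf": issued_at, "exp": issued_at + 3600, "name": "Alice Example",
              "preferred_username": "alice@example.com", "email": "alice@example.com",
              "oid": "00000000-0000-0000-0000-000000000001", "tid": TENANT_ID, "ver": "2.0"}
    for key, value in overrides.items():
        if value is None:
            claims.pop(key, None)
        else:
            claims[key] = value
    return f"{_b64url_encode(header)}.{_b64url_encode(claims)}.placeholder-signature"


if __name__ == "__main__":
    state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    print(build_authorize_url(state, nonce))
    token = make_sample_id_token(nonce, int(time.time()))
    print("errors:", validate_id_token(token, nonce))
    print("user:", map_user(decode_id_token(token)[1]))
```

When a real login fails after the Microsoft sign-in page, paste the id_token from JumpServer's log (or from the browser's network trace) into decode_id_token() and compare the claims with the checks above: a wrong aud means the Client ID differs from the app registration, a wrong iss means the tenant ID in Provider endpoint is wrong, and an alg of RS256 against a configured HS256 is the signature-algorithm mismatch described earlier.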

Step 8: Test SSO Login

  1. Log out of JumpServer (or open a private/incognito browser window).
  2. On the JumpServer login page, select the OIDC (or Azure / OpenID Connect) login option.
  3. You are redirected to the Microsoft sign-in page. Authenticate with an Entra ID account that is allowed to access the application.
  4. After successful authentication, Azure redirects back to JumpServer and provisions or updates the user based on your attribute mapping.

If login fails, verify that the redirect URI, Client ID, Client Secret, endpoint URLs and Signature algorithm (RS256) match exactly between Entra ID and JumpServer; the Troubleshooting table below lists the most common causes.


Summary

Integrating JumpServer with Microsoft Azure Entra ID via OIDC gives your organization a secure, standards-based SSO experience for privileged access management. The setup involves two main phases:

  1. Azure Entra ID — Register the JumpServer application, configure the redirect URI, create a client secret, and collect OIDC endpoint URLs.
  2. JumpServer — Enable OIDC under Authentication settings, enter the Azure credentials and endpoints, map user attributes, and test login.

Once configured, users can sign in to JumpServer with their corporate Microsoft credentials, simplifying access control while keeping authentication centralized in Entra ID.

Troubleshooting

Symptom: Redirect URI mismatch error from Microsoft
  Likely cause: the redirect URI registered in Azure differs from the one JumpServer sends
  Fix: register exactly https://<domain>/core/auth/openid/callback/ (HTTPS, trailing slash, same host as Base site URL)

Symptom: Invalid client secret
  Likely cause: the secret has expired or was copied incorrectly
  Fix: create a new client secret in Entra ID and update JumpServer

Symptom: ID token signature validation fails after a successful Microsoft sign-in
  Likely cause: Signature algorithm set to HS256
  Fix: set Signature algorithm to RS256; Entra ID signs ID tokens with the keys at the JWKS endpoint

Symptom: User not provisioned
  Likely cause: attribute mapping does not match the claims in the ID token
  Fix: verify that the preferred_username and email claims exist in the ID token and that the email scope is requested

Symptom: SSL / certificate errors
  Likely cause: self-signed or internal CA certificate on JumpServer
  Fix: install a publicly trusted TLS certificate on JumpServer, or review the SSL verification settings

Have questions about JumpServer SSO integrations? Contact the JumpServer team or explore more integration guides on our blog.
