Get Started: Federated Authentication

Easily onboard new users that have JumpCloud managed devices by integrating your existing Identity Provider (IdP) with JumpCloud. This allows your users to securely access their devices by logging in with their IdP credentials.

Prerequisites

  • You need to have JumpCloud set up as an OIDC app in your IdP with the appropriate settings enabled to continue setting up Federated Authentication for your org, see our IdP configuration documentation to learn more:
  • You need to have Admin with Billing permissions to configure an IdP. 
  • You need to have an existing IdP managing your users to benefit from federated authentication.
  • All JumpCloud users must have unique company email addresses, and the email of the JumpCloud user and external IdP email used for Federation have to match. 

Considerations

  • Federated IdP authentication doesn’t capture the user’s IdP password. If Device Password Sync is set to NO, then users will be prompted to create a local passcode (password) on Mac or local PIN on Windows. If Device Password Sync is set to Yes, then JumpCloud will sync the JumpCloud password to the device and set it for the user account on the device.
  • Federation does not currently support authenticating with JumpCloud Go. 
  • Federation does not currently support JumpCloud Multi-Factor Authentication (MFA) for users in addition to external IdP authentication. However, MFA may be applied at the IdP.
  • Features like device provisioning and local self service password reset is currently not supported on Linux.

Externally Managed Passwords

Externally managed passwords prevent password changes within JumpCloud, both by users and admins. When users are set to Password Externally Managed, they will no longer receive password expiration notifications and password expirations will no longer apply to them.

Use this setting when a user’s password is being managed by an upstream integration or when they’re authenticating with an external identity provider (IdP).

Note: Once this setting is enabled, users will not be able to change their own password from their JumpCloud device tray application, User Portal, or any other password reset flow. Additionally, admins won’t be able to set user passwords from the Admin Portal.

Workflow

  1. Prepare your IdP to configure with JumpCloud.
  2. Configure your IdP in JumpCloud.
    • Verify that you want to enable Federated Device Authentication for your users’ login.
      • This will require all users to authenticate with their IdP.
  3. Automatically bind users to devices by configuring Self Service Account Provisioning, or Automated Device Enrollment, based on whichever OS you’re provisioning, see Provision New Users on Device Login to learn more
    • Users logging into their device for the first time will use their IdP credentials to sign in. This also creates a local user on the device.
    • By default, any new users that are associated with the device will automatically have their JumpCloud password synced to their device password. You can disable this so that any new user to device associations will not have their JumpCloud password synced to their device. Instead, the user will enter a local password to log into their device. See Device Password Sync to learn more.
    • The JumpCloud account will be automatically bound to the JumpCloud device upon successful user login to the external IdP.
  4. Optionally, restrict your user's password in JumpCloud.
    • Users won’t be able to set or update a password in JumpCloud. Users won’t receive any password related communication or emails.
    • Admins won’t be able to set or update a user’s password in JumpCloud either. 
    • Passwords can continue being synced from any SCIM or REST integration for this user.

Device Management Deployment Scenarios

Scenario 1: Device Management with an External IdP

Identity management is kept in your existing IdP. Identities are synced into JumpCloud for the purpose of IdP login. New users will set up and maintain a local passcode on their device. Existing users will maintain their existing passwords after they become managed by JumpCloud. If the user forgets this passcode, it may be reset with an external IdP login. The passcode is stored locally on the device, reducing the risk of compromise and allowing for offline authentication. The user can log in to any web-based resources (like JumpCloud’s User Portal, SSO apps, local account provisioning flows, etc.) with their IdP login.

  1. User identities live, and are managed in an existing, external IdP like Azure AD, Google Workspace, or Okta.
  2. Sync the user identities into JumpCloud using a Cloud Directory, or SCIM integration.
  3. Once the users are synced, and are logging into their device for the first time, they’ll be redirected to authenticate to the external IdP via JumpCloud federation.
  4. The local user account will then be created on the device, and become managed by JumpCloud. 
  5. The user will create a local passcode to access their device. This passcode can be reset from the login window by authenticating through the external IdP.

Device password: Local credentials

Zero Trust Controls: IdP

MFA: IdP

Scenario 2: Device Management with IdP Password Sync

Identity management is kept within your existing IdP. Identities are synced into JumpCloud for the purpose of IdP login. Passwords are also synced from your IdP into JumpCloud outside of the OIDC IdP login flow (which doesn’t capture the password). This password is synced to the user’s device, resulting in the IdP password, and the device password being in sync. Optionally, an IdP object can be configured allowing users to log in with their IdP credentials for web-based logins. 

  1. User identities live, and are managed in an existing, external IdP like Okta. 
  2. Sync the user identities into JumpCloud using a Cloud Directory, or SCIM integration. 
  3. Once the users are synced, and are logging into their device for the first time, they’ll be redirected to authenticate to the external IdP via JumpCloud federation. 
  4. The local user account will then be created on the device, and become managed by JumpCloud. 
  5. The user’s password is managed by the external IdP, and then synced to the JumpCloud account. 
  6. User password changes, and resets have to be done in the IdP.

Device password: IdP

Zero Trust Controls: IdP

MFA: IdP

Scenario 3: Device Management with JumpCloud Password Sync and External IdP Login

In this scenario, identity management is kept within your existing IdP. Identities are synced to JumpCloud for the purpose of IdP login. Users are also associated to a Cloud Directory integration. This enables JumpCloud to own the password, but your IdP to own the identity. Users can change their password from their device, allowing the password to be synced to JumpCloud, and to their IdP. The user will log in with their IdP for web-based logins with the password that’s managed by JumpCloud. Any Zero Trust, MFA, etc. controls will be enforced at the IdP login.

  1. User identities live, and are managed in an existing, external IdP like Azure AD, or Google Workspace. 
  2. Sync the user identities into JumpCloud using a Cloud Directory, or SCIM integration. 
  3. Once the users are synced, and are logging into their device for the first time, they’ll be redirected to authenticate to the external IdP via JumpCloud federation. 
  4. The local user account will then be created on the device, and become managed by JumpCloud. 
  5. The user’s password is managed by JumpCloud, or on the device itself, and then synced to the IdP.

Device password: JumpCloud

Zero Trust Controls: IdP

MFA: IdP

FAQ

Will JumpCloud receive the IdP password?

No. During the federated login flow, JumpCloud does not capture the IdP password.

How does the user log in to their device?
  • Admins need to decide whether they want their users device passwords synced or not.
  • If password sync is set to No, then during the local account join, the user will be prompted to set a local passcode (Mac) or PIN (Windows). This is a local passcode to the device, which is not synced to or from JumpCloud.
What JumpCloud resources support Federated Authentication?

Any resource that supports browser-based logins: User Portal, SSO apps, Self Service Account Provisioning, Mac ADE, and local password resets.

What JumpCloud resources do not support Federated Authentication?

Any resource that does not support browser-based logins: LDAP and RADIUS

How does a user on a device reset their local password when Password Sync is set to No?
Should account lockout be configured in JumpCloud?

Account lockout applies to all users in an organization. If all users will authenticate with an IdP, and therefore use a local device credential, the OS lockout mechanisms may be used. In this case, JumpCloud account lockout doesn’t need to be configured. However, even if JumpCloud account lockout is configured, it can be overridden for individual users on devices by navigating to USER MANAGEMENT > Users, clicking a specific user, then under the User Security Settings and Permissions dropdown, select Bypass account lockout policy for user’s managed device.

Can I configure Federation so that only some of the users in my organization authenticate with an IdP, while some authenticate with JumpCloud?

Yes. You can create a routing policy to have specific groups of users required to authenticate through their IdP. See Routing Policies for Identity Providers to learn more.

Can I use the “Windows – Do Not Display Last Username on Logon Screen Policy” with Federation?

Yes, however this will prevent the user self service password reset flow from functioning by obscuring the Self Service Account Provisioning option.

What happens when a Windows user attempts to enter a password as opposed to their PIN or biometric for login?

The user will not know their local account device password unless they explicitly set it after login with PIN or biometric. This will result in denied logins, and could lead to lockouts by the OS or on the JumpCloud account, if configured.

Do the JumpCloud Password Settings apply to the local device account password or PIN?
  • Windows: No. A randomized complex password value is set upon account creation. The PIN is set by the user and leverages the Windows default PIN length (6 digits).
  • Mac: Yes. The password length and complexity settings are pushed to the device and enforced. Aging settings are not evaluated.
Can the Admin Portal be used to bind and unbind accounts to devices?

Yes, accounts can be manually bound to devices in the Admin Portal. Use the Password Sync dropdown to determine if the user's JumpCloud password will be synced to the device or not. For Federated accounts where the user logs into the device with a local password or PIN, set Password Sync to No.
Learn More

I configured an Identity Provider, and now I’m seeing errors when logging into the User Portal. How do I fix this?

This could be caused by an issue with the configuration for the Identity Provider on the JumpCloud side or on the OIDC Client App on the Identity Provider side. Check the details of your configuration, and make sure your client ID and secret are correct. It may be necessary to regenerate a new secret in your IdP and try the configuration again if the problem keeps happening.

Back to Top

Still Have Questions?

If you cannot find an answer to your question in our FAQ, you can always contact us.

Submit a Case