Integrate an existing Identity Provider (IdP) with JumpCloud to allow users to securely authenticate using their IdP credentials to gain access to their managed resources.
Prerequisites
- You need to have Admin with Billing permissions to configure an IdP.
- You need to have a valid Okta account with admin permissions.
- All JumpCloud users must have unique company email addresses, and the email of the JumpCloud user and external IdP email used for Federation must match.
Considerations
- Federated authentication will be applied to only specific user groups. See Routing Policies for Identity Providers to learn more.
- Creating the IdP won't automatically result in users logging in with that IdP.
- User Portal access will be available with a federated login. If you don't want User Portal access, you can create a policy to deny this, see Get Started: Conditional Access Policies.
- If Password Sync is disabled on the Okta SCIM provisioning connector, Okta will still send JumpCloud a random value for the password. This will result in the User’s password status to show as “Active”.
Preparing your IdP to Configure with JumpCloud
To prepare your connection:
- Log in to your Okta account.
- In the left navigation menu, click Applications > Applications.
- Click Create App Integration, then in the next modal, for Sign-in method, select OIDC - OpenID Connect.
- For Application type, select Web Application > Next.
- On the next page, for App integration name, enter a name associated with JumpCloud.
- For Grant type > leave the default selection.
- Under Sign-in redirect URIs, there is a link populated by default that needs to be replaced with this link:
https://login.jumpcloud.com/oauth/callback
- For Sign-out redirect URIs, click the ‘X’ next to the link to clear it.
- Under Assignments, select Allow everyone in your organization to access, unless you only want this applicable to certain groups, in which case select Limit access to selected groups and then enter the groups you want and click Save.
- If you Allow everyone in your org to access, another option will appear under Enable immediate access (Recommended). Select Enable immediate access with Federation Broker Mode to require users to authenticate through JumpCloud.
- Click Save.
- On the next page, you can manage your app.
Now you have a connection to JumpCloud in Okta. Next, you’ll want to configure the connection in JumpCloud.
Configuring Okta as an IdP in JumpCloud
To configure Okta:
- Log in to your JumpCloud Admin Portal.
- Click DIRECTORY INTEGRATIONS > Identity Providers.
- Click the Add Identity Provider dropdown menu, and select Okta.
- Enter an Identity Provider Name* as a display name (i.e. Okta IdP).
- Next, you’ll need to copy/paste the following information from your Okta account into the required fields in JumpCloud:
- Okta IdP URL*
- From your Okta account, click your email in the top right corner, under your name and Okta email address, there is a URL with .okta.com at the end. This is your Okta IdP URL.
- Note: “.well-known/openid-configuration” will be appended to the end of your Okta tenant URL, allowing for JumpCloud to obtain all the relevant OIDC endpoints from the hosted file.
- Client ID*
- Click Application > General, then under Client Credentials is where your Client ID lives.
- Client Secret*
- Under CLIENT SECRETS is where you can copy your current Client Secret, or Generate new secret.
- Okta IdP URL*
- Click Save. You’ll be prompted to verify that you want to enable Federated Device Authentication for your users’ login. Select I understand the impacts above, then click Yes, Continue.
Managing the IdP
To manage the IdP:
- From your JumpCloud Admin Portal, click DIRECTORY INTEGRATIONS > Identity Providers.
- You can update the name, Okta IdP URL, Client ID, and Client Secret.
- Under Authentication, you’ll see that Federation is applied to your users, allowing them to authenticate with an IdP.
- Under Device Account Provisioning, you can configure either Self Service Account Provisioning or Automated Device Enrollment for whichever OS you’re provisioning. The Status displays either Enabled or Disabled accordingly, click Configure to edit.
See Provision New Users on Device Login and Automated Device Enrollment to learn more.
Deleting the IdP
To delete the IdP:
- From your JumpCloud Admin Portal, click DIRECTORY INTEGRATIONS > Identity Providers.
- At the bottom of the IdP Configuration page, under Delete Identity Provider, click Delete IdP.
- You’ll be prompted to confirm your deletion, then click Yes, Delete.
Additional Resources:
Walk through a guided simulation for Configuring Okta as an Identity Provider
Back to Top