By Greg Keller Posted February 16, 2015
Note: The documentation below is from 2015 and is no longer up-to-date. Visit the JumpCloud Knowledge Base and our article on configuring Okta for use with our LDAP-as-a-Service.
Integrating Okta with JumpCloud’s LDAP Service
Okta’s single sign-on service gives companies a unified set of credentials for leading SaaS applications. The product can consume identity from master directories such as LDAP or Microsoft’s Active Directory®. In this brief article, we’ll walk through the step-by-step instructions to integrate Okta with JumpCloud’s Directory-as-a-Service via OpenLDAP.
Initial set-up: Preparing JumpCloud as the LDAP directory
Before Okta can be integrated with JumpCloud to access the user identities managed in its cloud-based directory, the following steps need to be completed so that Okta can bind to the directory and run LDAP searches (the same queries you can reproduce with ldapsearch).
1) Create an LDAP Service User Account
When utilizing LDAP, JumpCloud recommends the use of a binding user service account. To create this user:
- Go to Users and ‘Add User’
- Fill in the properties of this service account in the manner you wish. An example is below.
- Most critically, ensure ‘LDAP binding user service account’ is enabled.
With the LDAP service account user created, it’s time to configure Okta to communicate with JumpCloud’s directory.
2) Configuring Okta’s LDAP directory integration.
Please follow the steps below to integrate Okta with JumpCloud’s LDAP Service.
Installing the Okta LDAP Agent
- After logging in to Okta, proceed to the ‘People’ menu and select ‘Directories’:
- Select ‘Add Directory’ and choose ‘Add LDAP Directory’
- From this screen you will be required to install an Agent on a Windows Server 2003 or higher instance. This agent relays requests over HTTPS to authenticate and provision users between JumpCloud (via LDAP) and Okta.
- The Agent (installable on Linux or Windows) will be pointed at the customer’s JumpCloud directory via our hosted LDAP Service. The configuration on the initial setup should be as follows:
- LDAP Server URL: ldap://ldap.jumpcloud.com:389
- Root DN (the Base DN): ou=Users,o=<YOUR ORG ID>,dc=jumpcloud,dc=com
- Bind DN: uid=<YOUR LDAP USER>,ou=Users,o=<YOUR ORG ID>,dc=jumpcloud,dc=com
- Bind Password: the password of the LDAP user above.
Configure LDAP Mappings
With the agent installed and ‘active’, Okta will then require specific mappings to the JumpCloud LDAP service. These are set in the Okta dashboard itself, as follows:
- Version: OpenLDAP
- Unique Identifier Attribute: uid
- DN Attribute: dn
- Object Class: inetorgperson
- Account Lock Attribute: pwdlockout
- Account Lock Value: true
- Password Attribute: userpassword
- Password Expiration Attribute: Can be left blank in this example
- Extra User Attributes: can be left blank
- Object Class: groupOfNames
- Member Attribute: member
- User Attribute: memberOf
- Object Class: groupOfNames
- Membership Attribute: member
Search Base (note that YOUR ORG ID is found in the Settings UI, as referenced in step 1 above):
- User Search Base: ou=Users,o=<YOUR ORG ID>,dc=jumpcloud,dc=com
- Group Search Base: ou=Users,o=<YOUR ORG ID>,dc=jumpcloud,dc=com
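Before running Okta’s Validate Configuration, it is worth confirming from the command line that the DNs above are correct and that the directory really exposes the attributes the mapping names (uid, objectClass inetOrgPerson and memberOf on users; objectClass groupOfNames and member on groups). The script below is an added example, not JumpCloud’s or Okta’s own tooling. It assumes the OpenLDAP ldapsearch client is installed, uses ORG_ID and LDAP_USER as placeholders you fill in, and defaults to the ldap://ldap.jumpcloud.com:389 URL from the agent settings; whether your endpoint also offers ldaps:// or STARTTLS is an assumption of this example, which is why the URL is overridable.

```shell
#!/bin/sh
# Pre-flight check for the Okta <-> JumpCloud LDAP settings described above.
# Example code added to this article, not JumpCloud's or Okta's own tooling.
# Assumptions: OpenLDAP client tools (ldapsearch) are installed; ORG_ID and
# LDAP_USER are placeholders replaced with your own values.

ORG_ID="${ORG_ID:-YOUR_ORG_ID}"        # placeholder: your JumpCloud org ID
LDAP_USER="${LDAP_USER:-ldapuser}"      # the binding service user from step 1
# URL from the agent settings; override with an ldaps:// URL if your endpoint
# offers TLS (assumption of this example, not a setting from the article).
LDAP_URL="${LDAP_URL:-ldap://ldap.jumpcloud.com:389}"

# Base DN exactly as entered for Root DN, User Search Base and Group Search Base.
base_dn() {
  printf 'ou=Users,o=%s,dc=jumpcloud,dc=com' "$1"
}

# Bind DN exactly as entered in the agent's Bind DN field.
bind_dn() {
  printf 'uid=%s,%s' "$2" "$(base_dn "$1")"
}

# Bind as the service user and read back its own entry, requesting only the
# attributes the Okta user mapping relies on. -W prompts for the bind password.
fetch_user_entry() {
  ldapsearch -LLL -x -H "$LDAP_URL" \
    -D "$(bind_dn "$ORG_ID" "$LDAP_USER")" -W \
    -b "$(base_dn "$ORG_ID")" "(uid=$LDAP_USER)" \
    uid objectClass memberOf
}

# Same bind, but list the groups Okta will see under the Group Search Base.
fetch_group_entries() {
  ldapsearch -LLL -x -H "$LDAP_URL" \
    -D "$(bind_dn "$ORG_ID" "$LDAP_USER")" -W \
    -b "$(base_dn "$ORG_ID")" "(objectClass=groupOfNames)" \
    objectClass member
}

# Read LDIF on stdin and confirm the user-mapping attributes are present:
# uid (Unique Identifier), objectClass inetOrgPerson, memberOf (User Attribute).
# LDAP attribute names and objectClass values are case-insensitive, hence -i.
# Note: memberOf is absent when the user belongs to no group, so put the
# service user in at least one group before relying on that line.
check_user_attrs() {
  ldif=$(cat)
  missing=""
  printf '%s\n' "$ldif" | grep -qi '^uid:' || missing="$missing uid"
  printf '%s\n' "$ldif" | grep -qi '^objectClass: *inetOrgPerson' \
    || missing="$missing objectClass=inetOrgPerson"
  printf '%s\n' "$ldif" | grep -qi '^memberOf:' || missing="$missing memberOf"
  if [ -n "$missing" ]; then
    echo "user entry is missing:$missing" >&2
    return 1
  fi
  return 0
}

# Read LDIF on stdin and confirm the group-mapping attributes are present:
# objectClass groupOfNames and at least one member value.
check_group_attrs() {
  ldif=$(cat)
  missing=""
  printf '%s\n' "$ldif" | grep -qi '^objectClass: *groupOfNames' \
    || missing="$missing objectClass=groupOfNames"
  printf '%s\n' "$ldif" | grep -qi '^member:' || missing="$missing member"
  if [ -n "$missing" ]; then
    echo "group entries are missing:$missing" >&2
    return 1
  fi
  return 0
}

# Usage: ORG_ID=<id> LDAP_USER=<user> sh okta_ldap_preflight.sh check
if [ "${1:-}" = "check" ]; then
  fetch_user_entry | check_user_attrs && echo "user mapping attributes OK"
  fetch_group_entries | check_group_attrs && echo "group mapping attributes OK"
fi
```

Run it with `check` once the service user exists; a non-zero exit and a "missing" line on stderr tells you which mapping field will fail validation in Okta, without guessing from the Okta error alone.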
Now, before ‘validating configuration’, proceed to the Import Settings (left nav) and select ‘email address’ as the Okta username format, as follows:
With the username format now saved, you may return to LDAP Configuration (left nav) and proceed to Validate Configuration:
- Input the username (e.g., ldapuser, as in the example above) and select Test Configuration.
3) Authenticating and Provisioning Users to the Okta service from JumpCloud’s LDAP directory.
Once JumpCloud and Okta have been integrated, note that users from JumpCloud’s LDAP directory will not initially be inserted into Okta’s own directory. This is by Okta’s design and part of their ‘just in time’ provisioning method. To provision a JumpCloud user to the Okta Directory:
a) Provide the user with the Okta login information and URL, e.g. https://YOUR-DOMAIN.okta.com/
b) The user inputs their user name and password.
c) The user walks through the Okta user activation flow.
d) With c) completed above, the Okta Administrator will begin to see ‘Activated’ users appear in the ‘People Assigned LDAP’ interface, as seen here:
Integrating Okta and JumpCloud via LDAP is easy! If you have any questions during the process, feel free to communicate with JumpCloud’s support team who will be glad to walk you through the integration steps.