Get Started: Federated Authentication

This feature is in Beta.

Onboard new users who have JumpCloud-managed devices by integrating your existing Identity Provider (IdP) with JumpCloud. Users can then securely access their devices by logging in with their IdP credentials.

Prerequisites

  • You need to have Admin with Billing permissions to configure an IdP. 
  • You need to have an existing identity provider managing your users to benefit from federated authentication.

Considerations

  • Federated authentication is in Beta and is currently limited to device binding only. You need either Self Service Account Provisioning or Automated Device Enrollment for Mac enabled in order to use federated device authentication.
  • Federated IdP authentication doesn’t capture the user’s IdP password. Users will be prompted to create a local passcode (password) on Mac or local PIN on Windows.

Beta Considerations

  • Creating an IdP in JumpCloud will result in all users in the organization authenticating to supported resources (Self Service Account Provisioning and Mac ADE) with this IdP.
  • User self service password reset via IdP login is only available on Windows.
  • Mac devices don’t offer self service password reset yet. 
  • During Beta, User Portal and SSO apps will not support Federated authentication with an IdP.
    • User Portal login is available (unless denied by a policy) with a JumpCloud password. However, this password will not be synced to the user’s device.
    • If an MFA factor is enrolled in User Portal, and MFA is enforced on the device, users will be prompted to log in with a local device password and MFA.
  • Federated Device login doesn’t support the migration of existing local accounts yet. Only new devices, or devices with no existing local account whose username matches the JumpCloud-managed user attempting to log in, are eligible for the Beta.

Workflow

  1. Prepare your IdP to configure with JumpCloud.
    • You will need to add JumpCloud as an application in your IdP with the appropriate settings enabled before continuing to set up Federated Authentication for your org; see Configure Okta as an Identity Provider.
  2. Configure your IdP in JumpCloud.
    • Confirm that you want to enable Federated Device Authentication for your users’ login.
      • This requires all users in the organization to authenticate with their IdP.
  3. Automatically bind users to devices by configuring Self Service Account Provisioning or Automated Device Enrollment, depending on which OS you’re provisioning; see Provision New Users on Device Login to learn more.
    • Users logging in to their device for the first time sign in with their IdP credentials. This also creates a local user on the device with a local password or PIN.
    • The JumpCloud account is automatically bound to the JumpCloud device upon the user’s successful login to the external IdP.

FAQ

Will JumpCloud receive the IdP password?

No. During the federated login flow, JumpCloud does not capture the IdP password.

How does the user log in to their device?

During the local account join, the user is prompted to set a local passcode (Mac) or PIN (Windows). This credential is local to the device and is not synced to or from JumpCloud.

How does a user on a device reset their local password?

  • Windows: The user returns to the Switch User/Login screen, clicks “Sign-in options”, and selects the JumpCloud icon. This opens the JumpCloud login, where they enter their email address and are redirected to authenticate with their IdP. After completing that authentication, they are prompted to reset their local PIN.
  • Mac: An admin must create a separate local account with admin (sudo) privileges, then use that account to reset the user’s local passcode.
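
The following is an added example, not part of the JumpCloud documentation, showing the Mac reset described above done with macOS’s built-in sysadminctl(8) rather than through System Settings. It assumes you are already logged in to the separate local admin account the page says to create, and that the username alice is a placeholder for the JumpCloud-managed local user. It also reports the user’s SecureToken status before and after the reset, which matters on FileVault-enabled Macs: a user who loses their SecureToken can no longer unlock the disk at boot.

```shell
#!/bin/sh
# Added example, not from the JumpCloud documentation: reset a federated
# user's local macOS passcode from a separate local admin account using
# sysadminctl(8). Assumptions: this runs on the Mac, from the admin account
# the page says to create; "alice" below is a placeholder username.

# Reset TARGET's local passcode, authorizing with ADMIN (default: the account
# running this script). Both passwords are entered at interactive prompts
# ("-"), so no secret lands in shell history or `ps` output.
# Returns 64 on bad arguments and 69 when sysadminctl is unavailable
# (i.e. not macOS), following the BSD sysexits conventions.
reset_local_passcode() {
  target="$1"
  admin="${2:-$(id -un)}"

  # Accept only a plausible local account name; refuse empty or odd input.
  case "$target" in
    "" | *[!A-Za-z0-9._-]*)
      echo "usage: reset_local_passcode <target-user> [admin-user]" >&2
      return 64 ;;
  esac

  if ! command -v sysadminctl >/dev/null 2>&1; then
    echo "sysadminctl not found; this reset only works on macOS" >&2
    return 69
  fi

  # Record whether the user currently holds a SecureToken (FileVault unlock).
  sysadminctl -secureTokenStatus "$target"

  # The reset itself. Passing the admin's own credentials, rather than
  # relying on sudo alone, authorizes the change with that admin account.
  sudo sysadminctl -adminUser "$admin" -adminPassword - \
    -resetPasswordFor "$target" -newPassword -

  # Compare with the status printed above; it should be unchanged.
  sysadminctl -secureTokenStatus "$target"
}

# Usage, on the Mac, from the admin account:
#   reset_local_passcode alice
```

After the reset, the user signs in with the passcode you set and should change it immediately; as the page notes, this passcode is local to the device and is never synced to JumpCloud.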

Should account lockout be configured in JumpCloud?

Account lockout applies to all users in an organization. If all users will authenticate with an IdP, and therefore use a local device credential, the OS lockout mechanisms may be used. In this case, JumpCloud account lockout doesn’t need to be configured. However, even if JumpCloud account lockout is configured, it can be overridden for individual users on devices by navigating to USER MANAGEMENT > Users, clicking a specific user, then under the User Security Settings and Permissions dropdown, select Bypass account lockout policy for user’s managed device.

Can I use the “Windows – Do Not Display Last Username on Logon Screen Policy” with Federation?

Yes; however, this prevents the user self-service password reset flow from working, because the policy hides the Self Service Account Provisioning option on the sign-in screen.

What happens when a Windows user attempts to enter a password as opposed to their PIN or biometric for login?

The user does not know their local account password (a randomized complex value is set when the account is created) unless they explicitly set one after logging in with their PIN or biometrics. Password attempts are therefore denied, and repeated failures can trigger OS lockout or, if configured, JumpCloud account lockout.

Do the JumpCloud Password Settings apply to the local device account password or PIN?

  • Windows: No. A randomized complex password value is set upon account creation. The PIN is set by the user and uses the Windows default PIN length (6 digits).
  • Mac: Yes. The password length and complexity settings are pushed to the device and enforced. Aging settings are not evaluated.

Can the Admin Portal be used to bind and unbind accounts to devices?

No. Federated account provisioning is enabled only by Self Service Account Provisioning and Mac ADE. These low- to zero-touch enrollment flows result in users with local device passwords; manual binds do NOT create a local password on the device. Unbinding the account deactivates the local account, which must then be manually reactivated on the device before the user can log in. At that point, however, the account cannot be rebound to the device as a local password account.
