Log in to an existing JumpCloud Organization Using JumpCloud as an Identity Provider

Admins may have a case where certain users need to access two separate JumpCloud accounts in order to reach different resources. You can allow a user to log in to both JumpCloud organizations with the same account and credentials. To enable this, you configure one JumpCloud org as an Identity Provider for the other and set up a handful of supporting pieces, described below.

Prerequisites:

  • You need to have two separate JumpCloud orgs.
    • This can be applied to both individual admin orgs and MSP tenant orgs.

Considerations:

  • For the purpose of this help article, the two organizations being mapped to each other are referred to as the Primary org and the Secondary org.
  • If you are a federated user who doesn’t need to access the Secondary org all the time, you can still log in to your Primary org’s admin portal using your Primary org’s credentials.

Workflow:

  1. Create a custom attribute for the user within the Primary org. 
  2. Create a user in the Secondary org. 
  3. Create User Groups for both the Identity Provider (IdP) and the OIDC app.
  4. Create an OIDC app in the Primary org.
  5. Create an IdP in the Secondary org.
  6. Create a Routing Policy for the IdP in the Secondary org.
  7. Log in to the JumpCloud User Portal.

Tip: Log in to both of the tenant orgs before starting so you can easily go back and forth between the two.

Creating a Custom Attribute for the User Within the Primary Org

To create a custom attribute in the Primary org:

  1. Log in to the Primary org’s JumpCloud admin portal.
  2. Go to USER MANAGEMENT > Users.
  3. Click on the user you want to create a custom attribute for.

Note: This user needs to have an Active password. 

  4. Under Custom Attributes, you will map the user in this Primary org to a corresponding user in the Secondary org.
  5. For Attribute Name, enter any name you like within the Primary org (ex: SecondaryEmail).
    • It doesn’t matter what this attribute is called, as long as it’s named the same thing in the Secondary org, because the OIDC app maps on that name.
  6. For Attribute Value, copy the user’s Company Email from above and append the alias that the user will be logging in with to the end of it.
  7. Copy the Attribute Value to your clipboard, because you’ll need it again shortly.
  8. Click Save User.

Now, you’ll have to create a corresponding user in the Secondary org.

Creating a Corresponding User in the Secondary Organization

To create a user in the Secondary org:

  1. Log in to the Secondary org’s admin portal.
  2. Go to USER MANAGEMENT > Users.
  3. Click the green ( + ) to add a new user. 
  4. Under Details > User Information, enter the required Username, then paste the Attribute Value that you copied to your clipboard from the Primary org into the Company Email field.
  5. Under Custom Attributes, you will map the user in the Primary org to this Secondary org user. Enter the same Attribute Name, then paste the Company Email into the Attribute Value field.
  6. Click Save User.

Now there are corresponding users in each org.

Creating a User Group in the Secondary Organization

To create a user group in the Secondary org:

  1. From the Secondary org’s admin portal, go to USER MANAGEMENT > User Groups.
  2. Click the green ( + ) to add a new User Group. 
  3. Under Details > Group Configuration, enter a Name for the user group.
    • For example: Federated Users to the Primary Org

Note: The following membership controls are a suggested use case. You can enter your own conditions as you see fit for your org. 

  4. Under Membership Controls, select Dynamic, then click the Attribute dropdown and select Company Email.
  5. Click the Operator dropdown and select ends with.
  6. In the Value field, enter the email suffix that you want the user group to match. Anyone whose email address ends with this value will be included in this user group.

Tip: Click Preview to verify the user group information before saving.

  7. Click Save. See Configure Dynamic User Groups to learn more.

Creating an OIDC Application in the Primary Organization

  1. From the Primary org’s admin portal, go to USER AUTHENTICATION > SSO Applications.
  2. Click Get Started, or + Add New Application if you’ve already configured an SSO app in the past.
  3. Under Custom Application, click Select.
  4. Next, select the features you would like to enable, click Manage Single Sign-On (SSO), then select Configure SSO with OIDC.
  5. Click Next.
  6. Under Enter general info > Display Label, enter a name for the app.
    • For example: OIDC for Secondary Org
  7. Under Show in User Portal, uncheck the Show this application in User Portal option.
  8. Click Next.
  9. On the next page, confirm the details, then click Configure Application.
  10. On the New Application page, under the SSO tab, paste the following URL in the Redirect URIs field: https://login.jumpcloud.com/oauth/callback
  11. Keep the Client Authentication Type at the default selection of Client Secret Post.
  12. Under Login URL, enter https://console.jumpcloud.com
  13. Under Attribute Mapping > USER ATTRIBUTE MAPPING, click Add Attribute.
  14. Enter email as the Service Provider Attribute Name; this will carry the email address of the user in the Secondary org.
  15. Under JumpCloud Attribute Name, enter the name of the custom attribute that you created for the user in the steps above.

Important: The JumpCloud Attribute Name entered here must exactly match the name of the custom attribute on the user; the mapping is case-sensitive and will silently fail to pass the email if the names differ.

  16. Click Activate.
  17. You’ll receive an Application Saved modal with very important information on it. Click Copy next to Client ID and Client Secret and save them somewhere secure, like a password manager. See JumpCloud Password Manager for Admins to learn more.
  18. Then, click Got It. You will need to enter these values when configuring the IdP in the Secondary org.
  19. From the Configured Applications page, click on the app, then click the User Groups tab.
  20. Select the user group that you created in the previous section, then click Save.

Creating JumpCloud as an IdP in the Secondary Organization via the API

To create JumpCloud as an IdP:

  1. Now, in another tab, go to your preferred API client, like Postman.
  2. The following API call is an example; adapt it for your preferred API client:

URL: POST https://console.jumpcloud.com/api/v2/identity-providers
Header: content-type: application/json
Header: x-api-key: {Your API Key}
Body:
{
  "name": "{Example: Primary JumpCloud Org}",
  "oidc": {
    "clientId": "{Client ID from Primary org's OIDC app}",
    "clientSecret": "{Client Secret from Primary org's OIDC app}",
    "url": "https://oauth.id.jumpcloud.com"
  },
  "type": "OIDC"
}

  3. Click Send.
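The same call as a small script, added here as an example; it is not part of this article or of JumpCloud’s own tooling. It assumes the environment variable names shown (JC_API_KEY, PRIMARY_CLIENT_ID, PRIMARY_CLIENT_SECRET, optional IDP_NAME) and that the API answers with a JSON body; it also refuses values that still look like the {placeholders} from the example above.

```python
"""Create the OIDC Identity Provider in the Secondary org via the JumpCloud API.

Added example, not JumpCloud's own tooling: a scripted version of the
POST /api/v2/identity-providers call from this article, standard library only.
Secrets are read from environment variables (names assumed here) so the
API key and Client Secret never land in a file or shell history.
"""
import json
import os
import urllib.error
import urllib.request

IDP_ENDPOINT = "https://console.jumpcloud.com/api/v2/identity-providers"
PRIMARY_OIDC_URL = "https://oauth.id.jumpcloud.com"  # from the article's body


def build_idp_payload(name: str, client_id: str, client_secret: str) -> dict:
    """Return the request body, refusing empty or still-{placeholder} values."""
    for label, value in (("name", name), ("clientId", client_id),
                         ("clientSecret", client_secret)):
        if not value or (value.startswith("{") and value.endswith("}")):
            raise ValueError(f"{label} looks like an unfilled placeholder")
    return {
        "name": name,
        "oidc": {"clientId": client_id, "clientSecret": client_secret,
                 "url": PRIMARY_OIDC_URL},
        "type": "OIDC",
    }


def create_identity_provider(api_key: str, payload: dict) -> dict:
    """POST the payload with the x-api-key header; return the parsed JSON reply."""
    req = urllib.request.Request(
        IDP_ENDPOINT, data=json.dumps(payload).encode(), method="POST",
        headers={"content-type": "application/json", "x-api-key": api_key})
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        # Surface the API's own error text rather than a bare traceback.
        raise RuntimeError(f"HTTP {err.code}: {err.read().decode()}") from err


if __name__ == "__main__":
    body = build_idp_payload(
        os.environ.get("IDP_NAME", "Primary JumpCloud Org"),
        os.environ["PRIMARY_CLIENT_ID"],      # values from the Application Saved modal
        os.environ["PRIMARY_CLIENT_SECRET"])
    print(json.dumps(create_identity_provider(os.environ["JC_API_KEY"], body), indent=2))
```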

Adding JumpCloud as an IdP in the Secondary Organization

To add JumpCloud as an IdP:

  1. From the Secondary org’s admin portal, go to DIRECTORY INTEGRATIONS > Identity Providers.
  2. Refresh the page, and you will be redirected to the configured OIDC identity provider (Primary JumpCloud Org) that you created via the API in the section above.

Add a Routing Policy from the Secondary Organization to the Primary Organization

To add a routing policy:

  1. From the Secondary org’s OIDC Identity Provider Configuration page, under Authentication, click + Routing Policy.
  2. Under General Info, enter a Policy Name. The Description is optional.
  3. Under Assignment > User Groups, select the Federated Users to the Primary Org user group that you created in the Secondary org.
  4. Under Identity Provider Routing, make sure User Authentication With is set to Primary JumpCloud Org.
  5. Click Create. You’ll receive a confirmation that the routing policy was created.
  6. From now on, the routing policy will require anyone in that user group to authenticate with the Primary JumpCloud Org as their IdP.

Set the User’s Password Authority as Federated

Note: This is an optional, but highly recommended step.

To set the user as federated:

  1. From the Secondary org’s admin portal, go to USER MANAGEMENT > Users.
  2. Click on the federated user, then click the Details tab.
  3. Under Security Settings and Permissions, click the Password Authority dropdown and select Federated Identity Provider.
  4. Click Save User.
  5. This updates the user’s Password Status on the Users list page, which will now read Federated Managed by External IdP. The user will no longer be able to change their own password in the Secondary org.

Logging in to the JumpCloud User Portal using another JumpCloud org as an IdP

To log in to your Secondary org using your Primary org as an IdP:

  1. Make sure you are logged out of any JumpCloud User Portal sessions.
  2. From the JumpCloud User Login page, enter the user’s Email for the Secondary org.
  3. Click Continue.
  4. You’ll be redirected to the Primary org’s Log in to your application using JumpCloud page.

Important: The previous email will be autofilled. You need to remove the additional login alias from the end of it so that what remains is the user’s Primary org login email.

  5. Click Continue.
  6. Enter the Password for the Primary org, then click SSO Login.
  7. You’ll be logged in to the JumpCloud User Portal for the Secondary org.

Now you have federated users in the Secondary org who can log in with their Primary org account.
