Delegated Authentication uses an external source, like AD, to verify a user\u2019s password. Delegated authentication is different from federated user authentication in 2 key ways:<\/p>\n\n\n\n
- \n
- JumpCloud is the Identity Provider (IdP). The external source is used for password validation only. <\/li>\n\n\n\n
- The user is not redirected to the external source. Instead, they remain in the JumpCloud login flow and the verification is happening behind the scenes.<\/li>\n<\/ol>\n\n\n\n
![\"\"](\"https:\/\/jumpcloud.com\/wp-content\/uploads\/2024\/08\/Snag_112d8c7.png\")
<\/figure>\n\n\n\nWhy Delegate User Authentication to AD?<\/strong><\/p>\n\n\n\n
There are several use cases for which delegated user authentication is required or preferred:<\/p>\n\n\n\n
- \n
- Easier integration deployment<\/strong> – Install the import agent on a small number of member servers not on all domain controllers (DCs) while still keeping and managing passwords in AD only<\/li>\n\n\n\n
- Compliance<\/strong> – Keep the password behind the AD firewall and still extend AD to the cloud using JumpCloud.<\/li>\n\n\n\n
- Seamless onboarding of existing users to the Cloud<\/strong> – End users log in to JumpCloud for the first time using their existing corporate email address and AD password.\u00a0No need to reset passwords<\/li>\n\n\n\n
- SSO without ADFS<\/strong> – Allow users to use a single secure identity to access their on-premise and Cloud resources without having to use Active Directory Federation Services (ADFS)<\/li>\n<\/ul>\n\n\n\n
Important Considerations<\/strong><\/p>\n\n\n\n
![](\"\/wp-content\/themes\/jumpcloud\/assets\/images\/gutenberg-blocks\/important-icon.png\")
<\/p><\/div>Important:<\/strong> \nWhen upgrading from AD import agent v2.6.0 or lower, you must select Install New Agent<\/strong> from the Downloads dropdown menu in the ADI Details page to get the connect key, which is required to complete the upgrade of the agent on the AD server.<\/p>\n <\/div><\/div><\/div><\/div>\n\n\n\n
- \n
- Delegated authentication to AD is supported by JumpCloud AD import agent v3.0 and higher and is supported when the import agent is installed on all AD Domain Controllers (DCs) or on AD member server(s)<\/li>\n\n\n\n
- To use delegated authentication to AD, the primary import agent must be version\u00a0v3.0 or higher and the status of the ADI delegated authentication setting, Delegate Password Validation<\/strong>, must be enabled and active<\/li>\n<\/ul>\n\n\n\n
![](\"\/wp-content\/themes\/jumpcloud\/assets\/images\/gutenberg-blocks\/warning-icon.png\")
<\/p><\/div>Warning:<\/strong> \nAll installed import agents should be the same version to avoid unexpected behavior or the potential for users not being able to log in if the primary agent is switched.<\/p>\n <\/div><\/div><\/div><\/div>\n\n\n\n
<\/p><\/div>Important:<\/strong> \nWhen upgrading the AD import agent to version 3.0, existing users connected to the domain will not have their log in delegated to AD unless the Delegated Authority<\/strong> is manually set to Active Directory<\/strong> for those existing users.<\/p>\n <\/div><\/div><\/div><\/div>\n\n\n\n
- \n
- User portal and SSO logins are delegated to AD when the following are true:\n
- \n
- The delegated authentication setting, Delegate Password Validation<\/strong>, is enabled and active for the ADI configuration<\/li>\n\n\n\n
- User has access to the delegation-enabled AD domain, and their Delegated Authority<\/strong> is set to Active Directory on their user record<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n
<\/p><\/div>Warning:<\/strong> \n- \n
- Users will NOT<\/strong> be able to log in if their Delegated Authority<\/strong> is Active Directory and the status of the delegated authentication setting, Delegate Password Validation<\/strong>, is pending or disabled in the ADI configuration, all import agent(s) have been deleted, or the ADI integration has been deleted.<\/li>\n<\/ul>\n\n\n\n
- \n
- Users will NOT<\/strong> be able to log in to the JumpCloud User Portal or SSO apps if they are connected (bound) to multiple delegation-enabled AD domains.<\/li>\n<\/ul>\n <\/div><\/div><\/div><\/div>\n\n\n\n
- \n
- Device password reset flow is delegated to AD when the following are true:\n
- \n
- The device is managed by JumpCloud<\/li>\n\n\n\n
- The delegated authentication setting, Delegate Password Validation<\/strong>, <\/strong>is enabled and active for the ADI configuration<\/li>\n\n\n\n
- User has access to the delegation-enabled AD domain, and their Delegated Authority<\/strong> is set to Active Directory on their user record<\/li>\n\n\n\n
- Self-Service Account Provisioning<\/strong> is enabled and Default Password Sync<\/strong> is disabled in Devices > Settings<\/strong><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n
![](\"\/wp-content\/themes\/jumpcloud\/assets\/images\/gutenberg-blocks\/note-icon.png\")
<\/p><\/div>Note:<\/strong> \nOn devices, with the configuration above, only the password used during the password reset flow is delegated to AD for validation. The user must set and use a local password or PIN for device logins. Their device login credentials will be managed separately.<\/p>\n <\/div><\/div><\/div><\/div>\n\n\n\n
- \n
- Existing AD users imported from AD to JumpCloud no longer have to reset their password in AD to log in to JumpCloud managed resources when delegation is enabled for them<\/li>\n<\/ul>\n\n\n\n<\/p><\/div>Note:<\/strong> \n
- \n
- If the import agent is installed on DCs<\/strong>, the password is stored<\/strong> in JumpCloud after the initial log in. The stored password continues to be synced from AD to JumpCloud and from JumpCloud to other resources. The password can be used to log in to resources that don\u2019t support delegated authentication to AD, such as Cloud RADIUS, Cloud LDAP, and devices.<\/li>\n<\/ul>\n\n\n\n
- \n
- If the import agent is installed on AD member servers<\/strong>, the password is never stored <\/strong>in JumpCloud.<\/li>\n<\/ul>\n <\/div><\/div><\/div><\/div>\n\n\n\n
- \n
- Cloud RADIUS and Cloud LDAP resource log ins cannot be delegated to AD.\u00a0A user must have a password in JumpCloud to be able to access these resources<\/li>\n\n\n\n
- The delegated authentication setting, Delegated Password Validation<\/strong>, is enabled by default for the Manage users and passwords in Active Directory<\/strong> ADI configuration and cannot be disabled<\/li>\n\n\n\n
- The delegated authentication setting, Delegated Password Validation<\/strong>, is disabled by default but can be enabled for the Manage users and passwords in JumpCloud, AD or both<\/strong> configuration<\/li>\n\n\n\n
- When the JumpCloud AD import agent is installed on DCs, the AD passwords sync to JumpCloud. This means that the password will be saved in both AD and JumpCloud.\u00a0This applies to both ADI configurations: Manage users and passwords in Active Directory <\/strong>and Manage users and passwords in JumpCloud, AD or both<\/strong><\/li>\n\n\n\n
- When the JumpCloud AD import agent is installed on member servers, the AD password does not sync to JumpCloud. \n
- \n
- In the Manage users and passwords in Active Directory<\/strong> configuration, this means the password will only be in AD. In this configuration, the user’s Password Authority<\/strong> should also be set to Active Directory<\/strong> to prevent a password from being entered in JumpCloud by either a JumpCloud Admin or the end user<\/li>\n\n\n\n
- In the Manage users and passwords in JumpCloud, AD or both<\/strong><\/strong> configuration, this means users imported from AD will not have their AD password stored on their initial login to JumpCloud nor will the password sync from AD to JumpCloud. Any user connected to a delegation-enabled AD domain, ones created in AD and ones created in JumpCloud, with their Password Authority<\/strong> set to None (JumpCloud)<\/strong> can have a password set and managed in JumpCloud, and their password will be synced from JumpCloud to AD. This configuration is used when user passwords are managed in JumpCloud<\/li>\n<\/ul>\n<\/li>\n\n\n\n
- Avoid users not being able to log in to JumpCloud managed resources when changing the delegated authentication settings<\/li>\n<\/ul>\n\n\n\n
<\/p><\/div>Important:<\/strong> \nDo the following before disabling the ADI delegated authentication setting, Delegate Password Validation<\/strong>, or disconnecting a user from a delegation-enabled AD domain in the JumpCloud Admin Portal:<\/p>\n\n\n\n
- \n
- Verify the user’s Password Authority<\/strong> is set to None (JumpCloud)<\/strong><\/li>\n\n\n\n
- Either send the user an activation email or set a password for the user from the user record in admin portal<\/li>\n<\/ul>\n <\/div><\/div><\/div><\/div>\n\n\n\n
- \n
- A warning modal is shown with options to either automatically update the Delegated Authority<\/strong> for every connected (bound) user or not when the following actions are taken:\n
- \n
- on save after delegated authentication is enabled or disabled in the ADI configuration<\/li>\n\n\n\n
- an ADI AD domain is deleted<\/li>\n\n\n\n
- a user is directly connected to (bound) or disconnected from (unbound) a delegation-enabled AD domain<\/li>\n\n\n\n
- a user is connected to (bound) or disconnected from (unbound) a user group connected (bound) to a delegation-enabled AD domain<\/li>\n\n\n\n
- when a user group is connected (bound) or disconnected (unbound) from a delegation-enabled AD domain.<\/li>\n<\/ul>\n<\/li>\n\n\n\n
- The Delegated Authority<\/strong> can be updated for multiple users at once from the Users page<\/li>\n\n\n\n
- A user login to the User Portal and for SSO is always delegated to AD, even if they have a password in JumpCloud, as long as all of following criterion are true:\n
- \n
- their Delegated Authority<\/strong> is set to Active Directory<\/strong><\/li>\n\n\n\n
- they are connected to a delegation-enabled AD domain<\/li>\n\n\n\n
- the status of the ADI delegated authentication setting, Delegate Password Validation<\/strong>, in enabled and active for the AD domain<\/li>\n<\/ul>\n<\/li>\n\n\n\n
- Delegated authentication can be enabled or disabled on a per user basis from the user details page even if they are not connected to a delegation-enabled AD domain<\/li>\n\n\n\n
- If an import agent is paused, delegated authentication will still occur. Only the import from AD to JC will be paused<\/li>\n<\/ul>\n\n\n\n
Configuration Steps Overview<\/strong><\/h2>\n\n\n\n
To configure delegated authentication to AD, the main steps you will take are outlined below:<\/p>\n\n\n\n
- \n
- Select your ADI deployment configuration:\n
- \n
- Manage users, security groups, and passwords in AD<\/a>, or <\/li>\n\n\n\n
- Manage users, groups and passwords in AD, JumpCloud, or both<\/a><\/li>\n<\/ul>\n<\/li>\n\n\n\n
- If not already selected, check the option for Delegated Password Validation<\/strong>.<\/li>\n\n\n\n
- Download and install the latest JumpCloud AD Import Agent<\/strong> from the JumpCloud Admin Portal.<\/li>\n\n\n\n
- Give users access to ADI.<\/li>\n<\/ol>\n\n\n\n
Enable Delegated Authentication for a New AD Domain<\/strong><\/h2>\n\n\n\n
![](\"\/wp-content\/themes\/jumpcloud\/assets\/images\/gutenberg-blocks\/tip-icon.png\")
<\/p><\/div>Tip:<\/strong> \nThe setting for delegated authentication on the ADI configuration is labeled Delegated Password Validation<\/strong>. <\/p>\n <\/div><\/div><\/div><\/div>\n\n\n\n
To enable delegated authentication for the Manage users and passwords in Active Directory configuration<\/strong><\/h3>\n\n\n\n
- \n
- No action is required.\n
- \n
- Delegated Password Validation<\/strong> is enabled by default for this configuration and cannot be disabled<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<\/p><\/div>Note:<\/strong> \n
All new users imported from AD to JumpCloud will automatically have their Delegated Authority<\/strong> set to Active Directory.<\/p>\n <\/div><\/div><\/div><\/div>\n\n\n\n
<\/p><\/div>Important:<\/strong> \nUsers imported prior to the release of Import Agent v3.0 will continue to use the password stored in JumpCloud, unless the Delegated Authority<\/strong> is manually set to Active Directory. If the import agent is installed on a DC, the password will continue to sync to JumpCloud.<\/p>\n <\/div><\/div><\/div><\/div>\n\n\n\n
To enable delegated authentication for the Manage users and passwords in JumpCloud, AD or both configuration<\/strong><\/h3>\n\n\n\n
- \n
- When creating a new AD domain<\/a> in the JumpCloud Admin Portal<\/a>:\n
- \n
- Check Delegated Password Validation<\/strong> checkbox in the Configuration Summary<\/strong> section of the Setup step
![\"\"](\"https:\/\/jumpcloud.com\/wp-content\/uploads\/2024\/08\/New-ADI-domain_2Way-Step3_DelegationEnabled_Focus.png\")
<\/li>\n\n\n\n- Download and install the Import and Sync agents<\/li>\n\n\n\n
- Click Configure ADI<\/strong><\/li>\n<\/ul>\n<\/li>\n\n\n\n
- When updating the configuration for an existing AD domain in the JumpCloud Admin Portal<\/a>:\n
- \n
- Go to Directory Integrations > Active Directory<\/strong><\/li>\n\n\n\n
- Click the domain to which you want to enable delegated password validation<\/li>\n\n\n\n
- Check Delegated Password Validation<\/strong> checkbox in the Integration Details<\/strong> section
![\"\"](\"https:\/\/jumpcloud.com\/wp-content\/uploads\/2024\/08\/ADI-Config-2way-Integration-Details_Partial_DelegationFocus.png\")
<\/li>\n\n\n\n- Make other configuration changes, if needed<\/li>\n\n\n\n
- Click Save<\/strong><\/li>\n\n\n\n
- Review the confirmation message:
<\/li>\n<\/ul>\n<\/li>\n\n\n\n
- Select the update option.<\/li>\n\n\n\n
- Click Continue<\/strong>.<\/li>\n\n\n\n
- When adding an ADI for a new AD domain<\/a> using the JumpCloud v2 API:<\/li>\n<\/ol>\n\n\n\n
\ncurl –request POST \\
–url https:\/\/console.jumpcloud.com\/api\/v2\/activedirectories \\
–header ‘content-type: application\/json’ \\
–header ‘x-api-key: REPLACE_KEY_VALUE’ \\
–header ‘x-org-id: REPLACE_ORG_VALUE’ \\
–data ‘{“delegationState”:”ENABLED”,”domain”:”string”,”groupsEnabled”:true,”useCase”:”TWOWAYSYNC”}’<\/p>\n<\/div><\/div>\n\n\n\n
- Check Delegated Password Validation<\/strong> checkbox in the Configuration Summary<\/strong> section of the Setup step
- When creating a new AD domain<\/a> in the JumpCloud Admin Portal<\/a>:\n
- Delegated Password Validation<\/strong> is enabled by default for this configuration and cannot be disabled<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n
- Manage users, groups and passwords in AD, JumpCloud, or both<\/a><\/li>\n<\/ul>\n<\/li>\n\n\n\n
- Manage users, security groups, and passwords in AD<\/a>, or <\/li>\n\n\n\n
- A user login to the User Portal and for SSO is always delegated to AD, even if they have a password in JumpCloud, as long as all of following criterion are true:\n
- Either send the user an activation email or set a password for the user from the user record in admin portal<\/li>\n<\/ul>\n <\/div><\/div><\/div><\/div>\n\n\n\n
- In the Manage users and passwords in JumpCloud, AD or both<\/strong><\/strong> configuration, this means users imported from AD will not have their AD password stored on their initial login to JumpCloud nor will the password sync from AD to JumpCloud. Any user connected to a delegation-enabled AD domain, ones created in AD and ones created in JumpCloud, with their Password Authority<\/strong> set to None (JumpCloud)<\/strong> can have a password set and managed in JumpCloud, and their password will be synced from JumpCloud to AD. This configuration is used when user passwords are managed in JumpCloud<\/li>\n<\/ul>\n<\/li>\n\n\n\n
- The delegated authentication setting, Delegated Password Validation<\/strong>, is disabled by default but can be enabled for the Manage users and passwords in JumpCloud, AD or both<\/strong> configuration<\/li>\n\n\n\n
- If the import agent is installed on AD member servers<\/strong>, the password is never stored <\/strong>in JumpCloud.<\/li>\n<\/ul>\n <\/div><\/div><\/div><\/div>\n\n\n\n
- If the import agent is installed on DCs<\/strong>, the password is stored<\/strong> in JumpCloud after the initial log in. The stored password continues to be synced from AD to JumpCloud and from JumpCloud to other resources. The password can be used to log in to resources that don\u2019t support delegated authentication to AD, such as Cloud RADIUS, Cloud LDAP, and devices.<\/li>\n<\/ul>\n\n\n\n
- User has access to the delegation-enabled AD domain, and their Delegated Authority<\/strong> is set to Active Directory on their user record<\/li>\n\n\n\n
- Device password reset flow is delegated to AD when the following are true:\n
- Users will NOT<\/strong> be able to log in to the JumpCloud User Portal or SSO apps if they are connected (bound) to multiple delegation-enabled AD domains.<\/li>\n<\/ul>\n <\/div><\/div><\/div><\/div>\n\n\n\n
- User has access to the delegation-enabled AD domain, and their Delegated Authority<\/strong> is set to Active Directory on their user record<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n
- The delegated authentication setting, Delegate Password Validation<\/strong>, is enabled and active for the ADI configuration<\/li>\n\n\n\n
- User portal and SSO logins are delegated to AD when the following are true:\n
- Compliance<\/strong> – Keep the password behind the AD firewall and still extend AD to the cloud using JumpCloud.<\/li>\n\n\n\n
- Easier integration deployment<\/strong> – Install the import agent on a small number of member servers not on all domain controllers (DCs) while still keeping and managing passwords in AD only<\/li>\n\n\n\n