Configure Okta Real-time User and Password Import (JumpCloud Support article, published 2023-06-05, last modified 2025-01-10; https://jumpcloud.com/support/configure-okta-real-time-user-password-import)
Streamline lifecycle management for your organization by connecting Okta with JumpCloud through a Real-time User and Password Import SCIM integration. This integration lets you manage your organization's user identities in Okta and connect users to all of the IT resources they need through JumpCloud. After you connect Okta with JumpCloud through SCIM, and depending on the integration settings you choose, users are created, updated, and deactivated in JumpCloud according to the actions you take on users in Okta.
Supported Features
The following SCIM actions are supported for Okta's User Import and Password Mastery integration with JumpCloud.
- User import: User accounts are imported from Okta into JumpCloud.
- Password sync: User account passwords are synchronized between Okta and JumpCloud; changes made to passwords in Okta are synced to JumpCloud.
- Create: When you create users in Okta, they are created in JumpCloud.
- Update: When you update user attributes in Okta, the updates are reflected in JumpCloud.
Managing Password Resets and JumpCloud Managed macOS Devices
There are several possible workflows for resetting passwords in this configuration. When devices are managed by JumpCloud, passwords should be reset in Okta and then confirmed on the device. Follow the best practices below when users reset a password in Okta.
JumpCloud also requires macOS devices to be online during the password change in Okta so that the device receives the new password through the JumpCloud Agent. This is achieved when users are logged in to their device and change the password in a browser window; the JumpCloud Tray App then asks the user to confirm the password change. See the workflow diagrams below.
Password Reset with Okta and a Single macOS Device (Online) – Recommended
In this diagram, a user resets their password in a browser window on their JumpCloud managed macOS device. The password is sent to JumpCloud, which updates their JumpCloud user password. Within 60 seconds, the JumpCloud Device Agent on the macOS device checks in with JumpCloud, receives the new password hash, and displays a notification. The user must confirm their password so that the FileVault (SecureToken) password and the user login password are synced in the macOS keychain.
Password Reset with Okta and a Single macOS Device (Offline) – Not Recommended
JumpCloud recommends that users change their passwords while logged in to their primary macOS device. If the user's macOS device is offline, additional steps are needed to ensure the password is updated in macOS. The offline workflow is not recommended unless absolutely necessary.
When a user changes their password in Okta while their macOS device is offline, Okta sends the updated password to JumpCloud, and JumpCloud updates the user's JumpCloud password to the new Okta password. Because the macOS device is offline, it receives no updates until FileVault is unlocked.
When the user cold-boots their macOS device, FileVault prompts for a password. The user must enter the previous password, that is, the one they used before the password reset in Okta. This is because the macOS device is encrypted, the NIC is not initialized, and the JumpCloud Agent is not active until FileVault is unlocked.
Once the user has unlocked FileVault with their previous password, the JumpCloud Device Agent runs, connects to the internet, and receives the new password hash from JumpCloud. The user then sees a second login prompt asking for their previous and new passwords: the previous password is the one they just used to unlock the FileVault window, and the new password is the one they just reset in Okta.
If both are typed correctly, the user is logged in to their profile and the macOS keychain is synced and updated.
Password Reset with Okta and Multiple macOS Devices (Online) – Recommended
In the diagram above, a user resets their password in a browser window on their primary JumpCloud managed macOS device. The password is sent to JumpCloud, which updates their JumpCloud user password. Once the JumpCloud Device Agent on that macOS device checks in with JumpCloud, it receives the new password hash and displays a notification. The user must confirm their password so that the FileVault (SecureToken) password and the user login password are synced in the macOS keychain.
On the second macOS device, the user logs in and the user login prompt requests their previous and new passwords. This updates the macOS keychain to use the new password.
JumpCloud recommends that the second and any additional macOS devices be online and past the FileVault login so that the JumpCloud Device Agent and the NIC are active and initialized. Having additional macOS devices offline during a password reset in Okta is not recommended.
Password Reset with Okta and Multiple macOS Devices (Online/Offline) – Not Recommended
Important: JumpCloud recommends using this workflow only if it is absolutely necessary to ensure proper password syncing.
In the diagram above, a user resets their password in a browser window on their primary JumpCloud managed macOS device. The password is sent to JumpCloud, which updates the JumpCloud user password. Once the JumpCloud Device Agent on that macOS device checks in with JumpCloud, it receives the new password hash and displays a notification. The user must confirm their password so that the FileVault (SecureToken) password and the user login password are synced in the macOS keychain.
On the second macOS device, the user cold-boots the device and FileVault prompts for a password. The user must enter the password they used before the password reset in Okta, because the macOS device is encrypted, the NIC is not initialized, and the JumpCloud Agent is not active until FileVault is unlocked.
Once the user has unlocked FileVault with their previous password, the JumpCloud Device Agent runs, connects to the internet, and receives the new password hash from JumpCloud. The user then sees a second login prompt asking for their previous and new passwords: the previous password is the one they just used to unlock the FileVault window, and the new password is the one they just reset in Okta.
JumpCloud recommends that the second and any additional macOS devices be online and past the FileVault login so that the JumpCloud Device Agent and the NIC are active and initialized. It is always best practice to have additional macOS devices online during a password reset in Okta.
Password Reset with Okta and Windows Devices
In the diagram above, a user resets their password in a browser window on their JumpCloud managed Windows device. The password is sent to JumpCloud, which updates the JumpCloud user password. Once the JumpCloud Device Agent checks in with JumpCloud, it receives the new password hash and updates the local password hash in Windows. The next time Windows prompts for a password, the new password the user just set is used.
Password Reset with Okta and Linux Devices
In the diagram above, a user resets their password in a browser window on their JumpCloud managed Linux device. The password is sent to JumpCloud, which updates their JumpCloud user password. Once the JumpCloud Device Agent checks in with JumpCloud, it receives the new password hash and updates the local password hash in Linux. The next time Linux prompts for a password, the new password the user just set is used.