- \n
- You need to have JumpCloud set up as an OIDC app in your IdP with the appropriate settings enabled to continue setting up Federated Authentication for your org, see our IdP configuration documentation to learn more:\n
- \n
- Configure Okta as an Identity Provider<\/a><\/li>\n\n\n\n
- Configure Entra ID as an Identity Provider<\/a><\/li>\n\n\n\n
- Configure Google Workspace as an Identity Provider<\/a><\/li>\n<\/ul>\n<\/li>\n\n\n\n
- You need to have Admin with Billing permissions to configure an IdP. <\/li>\n\n\n\n
- You need to have an existing IdP managing your users to benefit from federated authentication.<\/li>\n\n\n\n
- All JumpCloud users must have unique company email addresses, and the email of the JumpCloud user and external IdP email used for Federation have to match. <\/li>\n<\/ul>\n\n\n\n
Considerations<\/strong><\/p>\n\n\n\n
- \n
- Federated IdP authentication doesn\u2019t capture the user\u2019s IdP password. If Device Password Sync is set to NO, then users will be prompted to create a local passcode (password) on Mac or local PIN on Windows. If Device Password Sync is set to Yes, then JumpCloud will sync the JumpCloud password to the device and set it for the user account on the device. <\/li>\n\n\n\n
- Federation does not currently support authenticating with JumpCloud Go. <\/li>\n\n\n\n
- Federation does not currently support JumpCloud Multi-Factor Authentication (MFA) for users in addition to external IdP authentication. However, MFA may be applied at the IdP.<\/li>\n\n\n\n
- Features like device provisioning and local self service password reset is currently not supported on Linux.<\/li>\n<\/ul>\n\n\n\n
Externally Managed Passwords<\/strong><\/h3>\n\n\n\n
Externally managed passwords prevent password changes within JumpCloud, both by users and admins. When users are set to Password Externally Managed, they will no longer receive password expiration notifications and password expirations will no longer apply to them.
Use this setting when a user\u2019s password is being managed by an upstream integration or when they\u2019re authenticating with an external identity provider (IdP).<\/p>\n\n\n\n![](\"\/wp-content\/themes\/jumpcloud\/assets\/images\/gutenberg-blocks\/note-icon.png\")
<\/p><\/div>Note:<\/strong> Once this setting is enabled, users will not be able to change their own password from their JumpCloud device tray application, User Portal, or any other password reset flow. Additionally, admins won\u2019t be able to set user passwords from the Admin Portal.<\/p><\/div><\/div><\/div>\n\n\n\n
Workflow<\/strong><\/p>\n\n\n\n
![\"\"](\"https:\/\/jumpcloud.com\/wp-content\/uploads\/2024\/01\/Docs-Diagram-Frame-1-1024x489.png\")
<\/figure>\n\n\n\n- \n
- Prepare your IdP to configure with JumpCloud.<\/strong>\n
- \n
- You will need to add JumpCloud as an application to your IdP with the appropriate settings enabled to continue setting up Federated Authentication for your org, see our IdP configuration documentation:\n
- \n
- Configure Okta as an Identity Provider<\/a><\/li>\n\n\n\n
- Configure Entra ID as an Identity Provider<\/a><\/li>\n\n\n\n
- Configure Google Workspace as an Identity Provider<\/a><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n\n\n\n
- Configure your IdP in JumpCloud.<\/strong>\n
- \n
- Verify that you want to enable Federated Device Authentication for your users\u2019 login.\n
- \n
- This will require all users to authenticate with their IdP.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n\n\n\n
- Automatically bind users to devices by configuring Self Service Account Provisioning, or Automated Device Enrollment, based on whichever OS you\u2019re provisioning<\/strong>, see Provision New Users on Device Login<\/a> to learn more. <\/strong>\n
- \n
- Users logging into their device for the first time will use their IdP credentials to sign in. This also creates a local user on the device.<\/li>\n\n\n\n
- By default, any new users that are associated with the device will automatically have their JumpCloud password synced to their device password. You can disable this so that any new user to device associations will not<\/em> have their JumpCloud password synced to their device. Instead, the user will enter a local password to log into their device.<\/strong> See Device Password Sync<\/a> to learn more.<\/li>\n\n\n\n
- The JumpCloud account will be automatically bound to the JumpCloud device upon successful user login to the external IdP.<\/li>\n<\/ul>\n<\/li>\n\n\n\n
- Optionally, restrict your user’s password in JumpCloud.\n
- \n
- Users won\u2019t be able to set or update a password in JumpCloud. Users won\u2019t receive any password related communication or emails.<\/li>\n\n\n\n
- Admins won\u2019t be able to set or update a user\u2019s password in JumpCloud either. <\/li>\n\n\n\n
- Passwords can continue being synced from any SCIM or REST integration for this user.<\/li>\n<\/ul>\n<\/li>\n<\/ol>\n\n\n\n
Device Management Deployment Scenarios<\/strong><\/h2>\n\n\n\n
Scenario 1: Device Management with an External IdP<\/strong><\/p>\n\n\n\n
<\/p>\n\n\n\n
Identity management is kept in your existing IdP. Identities are synced into JumpCloud for the purpose of IdP login. New users will set up and maintain a local passcode on their device. Existing users will maintain their existing passwords after they become managed by JumpCloud. If the user forgets this passcode, it may be reset with an external IdP login. The passcode is stored locally on the device, reducing the risk of compromise and allowing for offline authentication. The user can log in to any web-based resources (like JumpCloud\u2019s User Portal, SSO apps, local account provisioning flows, etc.) with their IdP login.<\/p>\n\n\n\n
- \n
- User identities live, and are managed in an existing, external IdP like Azure AD, Google Workspace, or Okta.<\/li>\n\n\n\n
- Sync the user identities into JumpCloud using a Cloud Directory, or SCIM integration.<\/li>\n\n\n\n
- Once the users are synced, and are logging into their device for the first time, they\u2019ll be redirected to authenticate to the external IdP via JumpCloud federation.<\/li>\n\n\n\n
- The local user account will then be created on the device, and become managed by JumpCloud.\u00a0<\/li>\n\n\n\n
- The user will create a local passcode to access their device. This passcode can be reset from the login window by authenticating through the external IdP.<\/li>\n<\/ol>\n\n\n\n
Device password<\/strong>: Local credentials<\/p>\n\n\n\n
Zero Trust Controls<\/strong>: IdP<\/p>\n\n\n\n
MFA<\/strong>: IdP<\/p>\n\n\n\n
Scenario 2: Device Management with IdP Password Sync<\/strong><\/p>\n\n\n\n
<\/strong><\/p>\n\n\n\n
Identity management is kept within your existing IdP. Identities are synced into JumpCloud for the purpose of IdP login. Passwords are also synced from your IdP into JumpCloud outside of the OIDC IdP login flow (which doesn\u2019t capture the password). This password is synced to the user\u2019s device, resulting in the IdP password, and the device password being in sync. Optionally, an IdP object can be configured allowing users to log in with their IdP credentials for web-based logins. <\/p>\n\n\n\n
- \n
- User identities live, and are managed in an existing, external IdP like Okta.\u00a0<\/li>\n\n\n\n
- Sync the user identities into JumpCloud using a Cloud Directory, or SCIM integration.\u00a0<\/li>\n\n\n\n
- Once the users are synced, and are logging into their device for the first time, they\u2019ll be redirected to authenticate to the external IdP via JumpCloud federation.\u00a0<\/li>\n\n\n\n
- The local user account will then be created on the device, and become managed by JumpCloud.\u00a0<\/li>\n\n\n\n
- The user\u2019s password is managed by the external IdP, and then synced to the JumpCloud account.\u00a0<\/li>\n\n\n\n
- User password changes, and resets have to be done in the IdP.<\/li>\n<\/ol>\n\n\n\n
Device password<\/strong>: IdP<\/p>\n\n\n\n
Zero Trust Controls<\/strong>: IdP<\/p>\n\n\n\n
MFA<\/strong>: IdP<\/p>\n\n\n\n
Scenario 3: Device Management with JumpCloud Password Sync and External IdP Login<\/strong><\/p>\n\n\n\n
<\/strong><\/p>\n\n\n\n
In this scenario, identity management is kept within your existing IdP. Identities are synced to JumpCloud for the purpose of IdP login. Users are also associated to a Cloud Directory integration. This enables JumpCloud to own the password, but your IdP to own the identity. Users can change their password from their device, allowing the password to be synced to JumpCloud, and to their IdP. The user will log in with their IdP for web-based logins with the password that\u2019s managed by JumpCloud. Any Zero Trust, MFA, etc. controls will be enforced at the IdP login.<\/p>\n\n\n\n
- \n
- User identities live, and are managed in an existing, external IdP like Azure AD, or Google Workspace.\u00a0<\/li>\n\n\n\n
- Sync the user identities into JumpCloud using a Cloud Directory, or SCIM integration.\u00a0<\/li>\n\n\n\n
- Once the users are synced, and are logging into their device for the first time, they\u2019ll be redirected to authenticate to the external IdP via JumpCloud federation.\u00a0<\/li>\n\n\n\n
- The local user account will then be created on the device, and become managed by JumpCloud.\u00a0<\/li>\n\n\n\n
- The user\u2019s password is managed by JumpCloud, or on the device itself, and then synced to the IdP.<\/li>\n<\/ol>\n\n\n\n
Device password<\/strong>: JumpCloud<\/p>\n\n\n\n
Zero Trust Controls<\/strong>: IdP<\/p>\n\n\n\n
MFA<\/strong>: IdP<\/p>\n\n\n\n
FAQ<\/h2>\n\n\n\n
Will JumpCloud receive the IdP password?\n<\/a>No. During the federated login flow, JumpCloud does not capture the IdP password.\n<\/p><\/div><\/div>\n\n\n\n
How does the user log in to their device?<\/a>\n- \n
- Admins need to decide whether they want their users device passwords synced or not. <\/li>\n\n\n\n
- If password sync is set to No, then during the local account join, the user will be prompted to set a local passcode (Mac) or PIN (Windows). This is a local passcode to the device, which is not synced to or from JumpCloud.<\/li>\n<\/ul>\n<\/div><\/div><\/div>\n\n\n\nWhat JumpCloud resources support Federated Authentication?<\/a>
Any resource that supports browser-based logins: User Portal, SSO apps, Self Service Account Provisioning, Mac ADE, and local password resets.<\/p><\/div><\/div>\n\n\n\n
What JumpCloud resources do not support Federated Authentication?<\/a>Any resource that does not support browser-based logins: LDAP and RADIUS<\/p><\/div><\/div>\n\n\n\n
How does a user on a device reset their local password when Password Sync is set to No?<\/a>\n- \n
- Both Windows and Mac users can reset their PIN or local password from the device login window. See Windows\/Mac Self-Service PIN\/Password Reset for Local Password Users<\/a> to learn more.<\/li>\n<\/ul>\n<\/div><\/div><\/div>\n\n\n\nShould account lockout be configured in JumpCloud?<\/a>\n
Account lockout applies to all users in an organization. If all users will authenticate with an IdP, and therefore use a local device credential, the OS lockout mechanisms may be used. In this case, JumpCloud account lockout doesn\u2019t need to be configured. However, even if JumpCloud account lockout is configured, it can be overridden for individual users on devices by navigating to USER MANAGEMENT<\/strong> > Users<\/strong>, clicking a specific user, then under the User Security Settings and Permissions<\/strong> dropdown, select Bypass account lockout policy for user\u2019s managed device<\/strong>.<\/p>\n<\/div><\/div><\/div>\n\n\n\n
If JumpCloud account lockout is configured, how do I unlock a locked JumpCloud user account that corresponds to a local password account on a device?<\/a>\nMac (and Windows): Admins can unlock the account in the Admin Portal, see Unlock User Accounts<\/a> to learn more. <\/p>\n<\/div><\/div><\/div>\n\n\n\n
Can I configure Federation so that only some of the users in my organization authenticate with an IdP, while some authenticate with JumpCloud?<\/a>\nYes. You can create a routing policy to have specific groups of users required to authenticate through their IdP. See Routing Policies for Identity Providers<\/a> to learn more. <\/p>\n<\/div><\/div><\/div>\n\n\n\n
Can I use the \u201cWindows – Do Not Display Last Username on Logon Screen Policy\u201d with Federation?\n<\/a>Yes, however this will prevent the user self service password reset flow from functioning by obscuring the Self Service Account Provisioning option.\n<\/p><\/div><\/div>\n\n\n\n
What happens when a Windows user attempts to enter a password as opposed to their PIN or biometric for login?\n<\/a>The user will not know their local account device password unless they explicitly set it after login with PIN or biometric. This will result in denied logins, and could lead to lockouts by the OS or on the JumpCloud account, if configured.\n<\/p><\/div><\/div>\n\n\n\n
Do the JumpCloud Password Settings apply to the local device account password or PIN?<\/a>\n- \n
- Windows<\/strong>: No. A randomized complex password value is set upon account creation. The PIN is set by the user and leverages the Windows default PIN length (6 digits).<\/li>\n\n\n\n
- Mac<\/strong>: Yes. The password length and complexity settings are pushed to the device and enforced. Aging settings are not evaluated.<\/li>\n<\/ul>\n<\/div><\/div><\/div>\n\n\n\n
Can the Admin Portal be used to bind and unbind accounts to devices?<\/a>\nYes, accounts can be manually bound to devices in the Admin Portal. Use the Password Sync<\/strong> dropdown to determine if the user’s JumpCloud password will be synced to the device or not. For Federated accounts where the user logs into the device with a local password or PIN, set Password Sync<\/strong> to No<\/strong>.
Learn More<\/a><\/p>\n<\/div><\/div><\/div>\n\n\n\n - Mac<\/strong>: Yes. The password length and complexity settings are pushed to the device and enforced. Aging settings are not evaluated.<\/li>\n<\/ul>\n<\/div><\/div><\/div>\n\n\n\n
- Windows<\/strong>: No. A randomized complex password value is set upon account creation. The PIN is set by the user and leverages the Windows default PIN length (6 digits).<\/li>\n\n\n\n
- Both Windows and Mac users can reset their PIN or local password from the device login window. See Windows\/Mac Self-Service PIN\/Password Reset for Local Password Users<\/a> to learn more.<\/li>\n<\/ul>\n<\/div><\/div><\/div>\n\n\n\n
- Configure Entra ID as an Identity Provider<\/a><\/li>\n\n\n\n
- Configure Okta as an Identity Provider<\/a><\/li>\n\n\n\n
- You will need to add JumpCloud as an application to your IdP with the appropriate settings enabled to continue setting up Federated Authentication for your org, see our IdP configuration documentation:\n
- Prepare your IdP to configure with JumpCloud.<\/strong>\n
- Configure Entra ID as an Identity Provider<\/a><\/li>\n\n\n\n
- Configure Okta as an Identity Provider<\/a><\/li>\n\n\n\n