Help Center Home > Authentication > Get Started: Federated Authentication

Get Started: Federated Authentication

This feature is in Beta.

Easily onboard new users that have JumpCloud managed devices by integrating your existing Identity Provider (IdP) with JumpCloud. This allows your users to securely access their devices by logging in with their IdP credentials.

Prerequisites

  • You need to have JumpCloud set up as an OIDC app in your IdP with the appropriate settings enabled to continue setting up Federated Authentication for your org, see our IdP configuration documentation to learn more:
  • You need to have Admin with Billing permissions to configure an IdP. 
  • You need to have an existing IdP managing your users to benefit from federated authentication.
  • All JumpCloud users must have unique company email addresses, and the email of the JumpCloud user and external IdP email used for Federation have to match. 

Considerations

  • Federated IdP authentication doesn’t capture the user’s IdP password. Users will be prompted to create a local passcode (password) on Mac or local PIN on Windows.
  • Federation does not currently support authenticating with JumpCloud Go. 
  • Federation does not currently support JumpCloud Multi-Factor Authentication (MFA) for users in addition to external IdP authentication. However, MFA may be applied at the IdP.
  •  JumpCloud Device MFA is supported (Mac only).

Beta Considerations

  • Creating an IdP in JumpCloud will result in all users in the organization authenticating to supported resources (Self Service Account Provisioning, Mac ADE, local password resets, User Portal, and SSO apps) with this IdP.
  • User self service password reset via IdP login is available on Mac and Windows.
  • Federated Device login doesn’t support the migration of existing local accounts yet. Only new devices, or those with no local account with a username that matches the JumpCloud managed user that is attempting to log in, will be eligible for the Beta.

Workflow

  1. Prepare your IdP to configure with JumpCloud.
  2. Configure your IdP in JumpCloud.
    • Verify that you want to enable Federated Device Authentication for your users’ login.
      • This will require all users to authenticate with their IdP.
  3. Automatically bind users to devices by configuring Self Service Account Provisioning, or Automated Device Enrollment, based on whichever OS you’re provisioning, see Provision New Users on Device Login to learn more
    • Users logging into their device for the first time will use their IdP credentials to sign in. This also creates a local user on the device.
    • By default, any new users that are associated with the device will automatically have their JumpCloud password synced to their device password. You can disable this so that any new user to device associations will not have their JumpCloud password synced to their device. Instead, the user will enter a local password to log into their device. See Device Password Sync to learn more.
    • The JumpCloud account will be automatically bound to the JumpCloud device upon successful user login to the external IdP.

FAQ

Will JumpCloud receive the IdP password?

No. During the federated login flow, JumpCloud does not capture the IdP password.

How does the user log in to their device?

During the local account join, the user will be prompted to set a local passcode (Mac) or PIN (Windows). This is a local passcode to the device, which is not synced to or from JumpCloud.

How does a user on a device reset their local password?
  • Windows: Users have to go back to the Switch User/Login page. Click “Sign in options” and will see a JumpCloud icon. Clicking this icon will bring up the JumpCloud login, where they will enter their email address, and then be redirected to authenticate with their IdP. After completing this authentication, they will be prompted to reset their local PIN.
  • Mac: Admin must create a local account with admin/sudo privileges. Then they can use this account to reset the user’s local passcode.
Should account lockout be configured in JumpCloud?

Account lockout applies to all users in an organization. If all users will authenticate with an IdP, and therefore use a local device credential, the OS lockout mechanisms may be used. In this case, JumpCloud account lockout doesn’t need to be configured. However, even if JumpCloud account lockout is configured, it can be overridden for individual users on devices by navigating to USER MANAGEMENT > Users, clicking a specific user, then under the User Security Settings and Permissions dropdown, select Bypass account lockout policy for user’s managed device.

If JumpCloud account lockout is configured, how do I unlock a locked JumpCloud user account that corresponds to a local password account on a device?

Mac (and Windows): Admins can unlock the account in the Admin Portal, see Unlock User Accounts to learn more. 

Can I configure Federation so that only some of the users in my organization authenticate with an IdP, while some authenticate with JumpCloud?

No. When you configure the IdP, all users will be required to authenticate through the IdP.

Can I use the “Windows – Do Not Display Last Username on Logon Screen Policy” with Federation?

Yes, however this will prevent the user self service password reset flow from functioning by obscuring the Self Service Account Provisioning option.

What happens when a Windows user attempts to enter a password as opposed to their PIN or biometric for login?

The user will not know their local account device password unless they explicitly set it after login with PIN or biometric. This will result in denied logins, and could lead to lockouts by the OS or on the JumpCloud account, if configured.

Do the JumpCloud Password Settings apply to the local device account password or PIN?
  • Windows: No. A randomized complex password value is set upon account creation. The PIN is set by the user and leverages the Windows default PIN length (6 digits).
  • Mac: Yes. The password length and complexity settings are pushed to the device and enforced. Aging settings are not evaluated.
Can the Admin Portal be used to bind and unbind accounts to devices?

Yes, accounts can be manually bound to devices in the Admin Portal. Use the Password Sync dropdown to determine if the user's JumpCloud password will be synced to the device or not. For Federated accounts where the user logs into the device with a local password or PIN, set Password Sync to No.
Learn More

I configured an Identity Provider, and now I’m seeing errors when logging into the User Portal. How do I fix this?

This could be caused by an issue with the configuration for the Identity Provider on the JumpCloud side or on the OIDC Client App on the Identity Provider side. Check the details of your configuration, and make sure your client ID and secret are correct. It may be necessary to regenerate a new secret in your IdP and try the configuration again if the problem keeps happening.

Back to Top

List IconIn this Article

Notebook IconLearn More

Provision New Users on Device Login

Configure Okta as an Identity Provider

Configure Entra ID as an Identity Provider

Configure Google Workspace as an Identity Provider

Device Password Sync

Externally Managed Passwords

Still Have Questions?

If you cannot find an answer to your question in our FAQ, you can always contact us.

Submit a Case