Configure Okta as an Identity Provider

This feature is in Beta.

Integrate an existing Identity Provider (IdP) with JumpCloud to allow users to securely authenticate using their IdP credentials to gain access to their managed resources.

Prerequisites

  • You need to have Admin with Billing permissions to configure an IdP. 
  • You need to have a valid Okta account with admin permissions.
  • All JumpCloud users must have unique company email addresses, and the email of the JumpCloud user and external IdP email used for Federation must match. 

Considerations

  • Federated authentication will be applied to all users at once.
  • Creating an IdP in JumpCloud will result in all users in the organization authenticating to supported resources (Self Service Account Provisioning, Mac ADE, local password resets, User Portal, and SSO apps) with this IdP.
  • User Portal access will be available with a federated login. If you don’t want User Portal access, you can create a policy to deny this, see Get Started: Conditional Access Policies.
  • If Password Sync is disabled on the Okta SCIM provisioning connector, Okta still sends JumpCloud a random value for the password. This causes the user’s password status to show as “Active”.

Preparing your IdP to Configure with JumpCloud

To prepare your connection:

  1. Log in to your Okta account.
  2. In the left navigation menu, click Applications > Applications.
  3. Click Create App Integration, then in the next modal, for Sign-in method, select OIDC – OpenID Connect.
  4. For Application type, select Web Application > Next.
  5. On the next page, for App integration name, enter a name associated with JumpCloud.
  6. For Grant type > Client acting on behalf of itself, select Client Credentials.
  7. Under Sign-in redirect URIs, a link is populated by default; replace it with this link: https://login.jumpcloud.com/oauth/callback
  8. For Sign-out redirect URIs, click the ‘X’ next to the link to clear it.
  9. Under Assignments, select Allow everyone in your organization to access. If you only want this to apply to certain groups, select Limit access to selected groups instead, enter the groups you want, and click Save.
  10. If you allow everyone in your organization to access, another option appears under Enable immediate access (Recommended). Select Enable immediate access with Federation Broker Mode to require users to authenticate through JumpCloud.
  11. Click Save.
  12. On the next page, you can manage your app.
  13. Next to General Settings, click Edit. Then, under USER CONSENT, uncheck Require consent. This lets users log in to Okta without being prompted to give their consent on each request.
  14. Click Save.
  15. Click the Okta API Scopes tab at the top and scroll down to find the scope named okta.users.read. Click Grant to give consent to this scope.

Now you have a connection to JumpCloud in Okta. Next, you’ll want to configure the connection in JumpCloud. 

Configuring Okta as an IdP in JumpCloud

To configure Okta:

  1. Log in to your JumpCloud Admin Portal.
  2. Click DIRECTORY INTEGRATIONS > Identity Providers.
  3. Click the Add Identity Provider dropdown menu, and select Okta.
  4. Enter an Identity Provider Name* as a display name (e.g., Okta IdP).
  5. Next, copy the following information from your Okta account into the required fields in JumpCloud:
    • Okta IdP URL*
      • From your Okta account, click your email in the top right corner. Under your name and Okta email address there is a URL ending in .okta.com; this is your Okta IdP URL.
      • Note: “.well-known/openid-configuration” is appended to the end of your Okta tenant URL, allowing JumpCloud to obtain all the relevant OIDC endpoints from the hosted discovery document.
    • Client ID*
      • Click Application > General; your Client ID is listed under Client Credentials.
    • Client Secret*
      • Under CLIENT SECRETS you can copy your current Client Secret, or click Generate new secret.
  6. Click Save. You’ll be prompted to verify that you want to enable Federated Device Authentication for your users’ login. Select I understand the impacts above, then click Yes, Continue.
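As an added example (not JumpCloud’s or Okta’s own code), the Python below checks the OIDC pieces the two procedures above depend on: it builds the discovery URL from the tenant URL the way the note under Okta IdP URL describes, validates a discovery document against that tenant (issuer match, HTTPS endpoints on the tenant host, the Client Credentials grant from Okta step 6, the okta.users.read scope from Okta step 15), and confirms the sign-in redirect URI from Okta step 7 is copied exactly. The tenant URL and the discovery document are constructed placeholders; in practice you would fetch the document from the URL that discovery_url returns.

```python
from urllib.parse import urlparse

JUMPCLOUD_REDIRECT_URI = "https://login.jumpcloud.com/oauth/callback"  # step 7 on this page
REQUIRED_ENDPOINTS = ("authorization_endpoint", "token_endpoint", "jwks_uri")

def discovery_url(tenant_url: str) -> str:
    """Where JumpCloud reads the OIDC endpoints: the tenant URL with
    '.well-known/openid-configuration' appended, as the page describes."""
    return tenant_url.rstrip("/") + "/.well-known/openid-configuration"

def validate_discovery(doc: dict, tenant_url: str) -> list:
    """Return findings for a fetched discovery document; an empty list means OK."""
    findings = []
    tenant = tenant_url.rstrip("/")
    host = urlparse(tenant).hostname
    if doc.get("issuer") != tenant:
        findings.append(f"issuer {doc.get('issuer')!r} != tenant {tenant!r}")
    for key in REQUIRED_ENDPOINTS:
        value = doc.get(key)
        if not value:
            findings.append(f"missing {key}")
            continue
        url = urlparse(value)
        # Codes, tokens and signing keys must only travel over TLS to the tenant itself.
        if url.scheme != "https" or url.hostname != host:
            findings.append(f"{key} {value!r} is not https on {host}")
    # Okta step 6 selects the Client Credentials grant; the server must advertise it.
    if "client_credentials" not in doc.get("grant_types_supported", []):
        findings.append("client_credentials grant not advertised")
    # Okta step 15 grants okta.users.read; flag only if scopes are listed without it.
    scopes = doc.get("scopes_supported")
    if scopes is not None and "okta.users.read" not in scopes:
        findings.append("okta.users.read scope not advertised")
    return findings

def redirect_uri_ok(uri: str) -> bool:
    """Redirect URI matching is exact, so step 7's value must be copied verbatim."""
    return uri == JUMPCLOUD_REDIRECT_URI

# Constructed sample shaped like an Okta org discovery document; placeholder tenant.
TENANT = "https://example-tenant.okta.com"
SAMPLE_DISCOVERY = {
    "issuer": TENANT,
    "authorization_endpoint": TENANT + "/oauth2/v1/authorize",
    "token_endpoint": TENANT + "/oauth2/v1/token",
    "jwks_uri": TENANT + "/oauth2/v1/keys",
    "grant_types_supported": ["authorization_code", "client_credentials"],
    "scopes_supported": ["openid", "email", "profile", "okta.users.read"],
}
```

Calling validate_discovery(SAMPLE_DISCOVERY, TENANT) returns an empty list for the sample; a document whose token_endpoint points at another host, or that omits the client_credentials grant, yields one finding per problem.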

Managing the IdP 

To manage the IdP:

  1. From your JumpCloud Admin Portal, click DIRECTORY INTEGRATIONS > Identity Providers.
  2. You can update the name, Okta IdP URL, Client ID, and Client Secret. 
  3. Under Authentication, you’ll see that Federation is applied to your users, allowing them to authenticate with an IdP.
  4. Under Device Account Provisioning, you can configure either Self Service Account Provisioning or Automated Device Enrollment for whichever OS you’re provisioning. The Status displays Enabled or Disabled accordingly; click Configure to edit.

See Provision New Users on Device Login and Automated Device Enrollment to learn more.

Deleting the IdP

To delete the IdP:

  1. From your JumpCloud Admin Portal, click DIRECTORY INTEGRATIONS > Identity Providers.
  2. At the bottom of the IdP Configuration page, under Delete Identity Provider, click Delete IdP.
  3. You’ll be prompted to confirm your deletion, then click Yes, Delete.
