Integrate an existing Identity Provider (IdP) with JumpCloud to allow users to securely authenticate using their IdP credentials to gain access to their managed resources.
Prerequisites
- You must have Admin with Billing permissions to configure an IdP.
- You need a Microsoft Entra Admin Center login with permission to create Enterprise Applications, such as a Global Administrator or Application Administrator.
Considerations
- Federated authentication will be applied to only specific user groups. See Routing Policies for Identity Providers to learn more.
- Creating the IdP won’t automatically result in users logging in with that IdP.
- User Portal access will be available with a federated login. If you don’t want User Portal access, you can create a policy to deny this.
- Learn how to provision users from your Entra ID directory to JumpCloud.
- You should already have a user created in JumpCloud.
Preparing your IdP to Configure with JumpCloud
To register JumpCloud in Entra ID:
- Log in to your Microsoft Entra Admin Center.
- In the left hand navigation, click Identity > App registrations.
- On the next page, click + New registration.
- Enter a Name* associated with JumpCloud.
- Under Supported Account Types, you need to select who can use this app or API. Click Accounts in this organizational directory only.
- For the Redirect URI, click the Select a platform dropdown menu > Web. This is the redirect URI that needs to be pasted into the URI field: https://login.jumpcloud.com/oauth/callback
- Click Register.
- On the new JumpCloud app page, under Manage, click Authentication.
- Scroll down to Implicit grant and hybrid flows. For the tokens you want the authorization endpoint to issue, select ID tokens (used for implicit and hybrid flows).
- Click Save.
- Next, under Manage, click Token configuration.
- Click + Add optional claim, then under Token type*, select ID.
- A list of available optional claims will populate. Next to the Claim column, click the checkbox to bulk select all of the claims.
- Click Add.
- You’ll be prompted to confirm that you want to Turn on the Microsoft Graph email, profile permission (required for claims to appear in the token). Click the checkbox to confirm, then click Add.
- Next, under Manage, click API permissions, then click Grant admin consent for JumpCloud. You’ll be prompted to confirm the selection; click Yes.
- Now, click on Overview, then click Endpoints to get the Issuer URL.
- A list of URLs will populate. The first one, OAuth 2.0 authorization endpoint (v2), is the one you need to configure in JumpCloud. Copy the URL only up to, but not including, /oauth2/v2.0/authorize; that trailing path can be ignored or deleted, so that what you keep is just the base URL followed by the Directory (tenant) ID.
- Finally, in the left hand navigation, click Identity > Applications > App registrations, then click All applications.
- Next to the JumpCloud app, under the Application (client ID), copy the ID to your clipboard.
Alternatively, copy https://login.microsoftonline.com/ to your clipboard, go back to the JumpCloud app's Overview page, and under Essentials copy the Directory (tenant) ID and paste it directly after https://login.microsoftonline.com/ so the two form a single URL.
Creating Client Credentials
- From your Microsoft Entra Admin Center, navigate to the JumpCloud app that you just registered. On the Overview page, under Essentials > Client credentials, click Add a certificate or secret.
- On the next page, click + New client secret, then enter a Description for the client secret and use the Expires dropdown menu to set its expiration.
- Click Add.
- The new Client Secret will populate on the page with a Value and Secret ID. In order to complete the configuration in JumpCloud, the Value is required.
The Client ID and Secret (token) may only be shown once. Copy them to a secure location, like the JumpCloud Password Manager, for future reference.
Creating a New User
You should have existing users created in the JumpCloud Admin Portal.
- From your Microsoft Entra Admin Center, in the left hand navigation, click Users > All Users.
- Click + New user > Create new user.
- On the next page, enter a User principal name.
The User principal name should be the same as the existing JumpCloud user's Company Email.
- For Mail nickname*, the option to Derive from user principal name is selected by default. You can change this if you’d like to.
- Enter a Display name*.
- For Password*, keep the auto generated option selected.
- For Account enabled*, keep the checkbox selected by default.
- Click Review + create.
- On the next page, review your new user’s details and then click Create.
- The new user should appear in the list of Users; if it doesn’t, click Refresh.
- Next, you need to add an email to the new user. Click on the user you just created.
- On the user’s Overview page, click Properties.
- Copy the User principal name to your clipboard. This is where the ID token will be sent.
- Click the ‘pencil’ icon next to Contact Information to edit.
- In the Email field, paste the User principal name that you just copied.
- Click Save. If it doesn’t update right away, click Refresh.
Now, you have a connection to JumpCloud in Entra. Next, you’ll want to configure the connection in JumpCloud.
Configuring Entra ID as an IdP in JumpCloud
To configure Entra ID:
- Log in to your JumpCloud Admin Portal.
- Click DIRECTORY INTEGRATIONS > Identity Providers.
- Click the Add Identity Provider dropdown menu, and select Azure.
- Enter an Identity Provider Name* as a display name (e.g., Entra OIDC).
- Next, you’ll need to copy/paste the following information from your Microsoft Entra Admin Center into the required fields in JumpCloud:
You should have an existing user already created in the JumpCloud Admin Portal.
- Entra IdP URL*: This is https://login.microsoftonline.com/<Directory (tenant) ID>, the URL you assembled earlier.
- Client ID*: This is the Application (client) ID of the JumpCloud app you registered.
- Client Secret*: This is the secret value you received when you created the client credentials.
- Once these are all copy/pasted in, click Save.
- You’ll be prompted to verify that you want to enable Federated Device Authentication for your users’ login. Select I understand the impacts above, then click Yes, Continue.
Now, you can go and test the connection to ensure everything is working as expected.
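As an added example (not JumpCloud's or Microsoft's code), the Python below performs two of the checks this article relies on: it derives the Entra IdP URL from the OAuth 2.0 authorization endpoint (v2) the way the steps above describe, and it inspects an ID token's issuer, audience, expiry and email claim against the values configured in JumpCloud. The tenant ID, client ID, e-mail address and token payload are constructed placeholders; signature verification against the tenant's JWKS is a separate step not shown here.

```python
import base64
import json
import re

AUTHORIZE_SUFFIX = "/oauth2/v2.0/authorize"
GUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)

def idp_url_from_authorize_endpoint(endpoint: str) -> str:
    """Derive the Entra IdP URL (https://login.microsoftonline.com/<tenant ID>) from the
    'OAuth 2.0 authorization endpoint (v2)' by dropping /oauth2/v2.0/authorize."""
    if not endpoint.endswith(AUTHORIZE_SUFFIX):
        raise ValueError("not a v2.0 authorization endpoint")
    base = endpoint[: -len(AUTHORIZE_SUFFIX)]
    prefix, _, tenant = base.rpartition("/")
    if prefix != "https://login.microsoftonline.com" or not GUID_RE.match(tenant):
        raise ValueError("unexpected host, or tenant ID is not a GUID")
    return base

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def constructed_id_token(claims: dict) -> str:
    """Constructed, unsigned JWT for demonstration only (signature segment omitted)."""
    header = _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}.signature-omitted"

def check_id_token_claims(id_token: str, idp_url: str, client_id: str,
                          jumpcloud_email: str, now: float) -> list[str]:
    """Return the problems found in the ID token's claims (empty list means OK).
    Only the payload is inspected; verifying the signature against the tenant's JWKS
    is a separate, mandatory step that needs network access."""
    seg = id_token.split(".")[1]
    payload = json.loads(base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4)))
    problems = []
    if payload.get("iss") != f"{idp_url}/v2.0":  # v2.0 tokens use <IdP URL>/v2.0 as issuer
        problems.append("issuer does not match the configured Entra IdP URL")
    if payload.get("aud") != client_id:  # must be the app registration's client ID
        problems.append("audience is not the JumpCloud app's Application (client) ID")
    if payload.get("exp", 0) <= now:
        problems.append("token has expired")
    email = payload.get("email")  # needs the optional 'email' claim and the user's Email set
    if not email:
        problems.append("email claim missing: add the optional claim and set the user's Email")
    elif email.casefold() != jumpcloud_email.casefold():
        problems.append("email claim does not match the JumpCloud user's Company Email")
    return problems
```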
Managing the IdP
To manage the IdP:
- From your JumpCloud Admin Portal, click DIRECTORY INTEGRATIONS > Identity Providers.
- You can update the Identity Provider Name, Entra IdP URL, Client ID, and Client Secret.
- Under Authentication, you’ll see that Federation is applied to your users, allowing them to authenticate with an IdP.
Deleting the IdP
To delete the IdP:
- From your JumpCloud Admin Portal, click DIRECTORY INTEGRATIONS > Identity Providers.
- At the bottom of the IdP Configuration page, under Delete Identity Provider, click Delete IdP.
- You’ll be prompted to confirm your deletion, then click Yes, Delete.
Additional Resources:
Walk through a guided simulation for Configuring Entra ID as an Identity Provider