Showing results for 
Search instead for 
Did you mean: 

New Device Onboarding Experience with Okta Identity Federation

Rising Star III
Rising Star III

Hi Folks,

It’s been a while since the last time I posted, and I have been tinkering with a few side projects. Hopefully I can bring more cool stuff to the community once these projects come to fruition. Today, I’m excited to introduce the first one:

What if you’re using Okta as your primary IdP but are also yearning for JumpCloud’s UEM features?

Imagine using Okta SCIM to provision users (and their passwords) to JumpCloud, then letting JumpCloud sync the same identity to the device while managing it simultaneously. Sounds intriguing, right?

Let’s dive in!

Considerations & Prerequisites

  • Most of your user management tasks, such as updating user attributes, creating new users, suspending users, and changing passwords, will still be handled in Okta.
  • Ensure the JumpCloud agent is installed on all devices. (Apple MDM is optional at this stage for macOS).
  • Set the default user state like this:shawnsong_0-1717484247278.png
  • Configure Okta SCIM provisioning to JumpCloud. 
  • Establish an Okta identity federation with JumpCloud. 
  • (Optional) Create a user group to host the Okta federation users. You can automate the group memberships via JumpCloud’s Dynamic Groups feature like this:shawnsong_1-1717484269242.png
  • Last but not least, create a routing policy to direct the in-scope users. 

Now it’s all set, let’s dive into a few scenarios to see how it looks from a user perspective. 

Scenario 1 - Onboarding a new user

First, create a new user in Okta.

  • Make sure to activate the user now.
  •  you can set the password on-behalf.shawnsong_4-1717484362204.png
  • (Optional) Set a value here in order to be added to the routing group automatically in JumpCloud.shawnsong_5-1717484391404.png

Next, the user will get provisioned (self-serve) on the device.



Scenario 2 - Taking over the existing user on the device.

  • Full steps and details you may find here. In our case, just edit the provisioned user like this:shawnsong_6-1717484529628.png
  • Then, binding the user to device, Okta password will be channeled to the device via JumpCloud Password Sync:shawnsong_7-1717484529462.png


Scenario 3 - When user change their password on Okta.

In this particular setup, as mentioned above, user will manage their passwords in Okta only. You probably will consider hide the JumpCloud tray app (which empowers the user changing their JumpCloud passwords on-device) to avoid confusion. 

Create and bind the policies below to device groups respectively.

Hide Windows App Using a Policy - JumpCloud.

Create a Mac JumpCloud App Controls Policy

On Windows, after the password change, user will need to login with the new password to re-engage Windows Hello (PIN or biometric):shawnsong_8-1717484563305.pngshawnsong_9-1717484592366.png

On MacOS, user will need to input the previous password in order to regain access to keychain:shawnsong_10-1717484612447.png


Scenario 4 - Suspending the user.

When you deactivate or delete a user in Okta, the user is placed in a suspended state in JumpCloud.shawnsong_11-1717484642185.pngshawnsong_12-1717484642156.png

  • The user session will be ended from the device instantly, the account will be disabled (not deleted). 
  • On Windows, you won’t be able to see the user at the login screen
  • On MacOS, it looks like this. shawnsong_13-1717484642302.png

That’s it (for now)! Thanks for reading this far, hope these use cases are helpful, and feel free to comment below if you have any questions/feedback. 

Catch you up on the next one!