cancel
Showing results for 
Search instead for 
Did you mean: 

How to establish Device Trust (managed devices) for Okta by using JumpCloud as factor for authentication?

JuergenKlaassen
Rising Star II
Rising Star II

Hello

Sharing a documentation here to configure JumpCloud and Okta in tandem to use JumpCloud as factor for Device Trust by using OIDC, Conditional Access Policies and Okta's Policy Engine

What it does:

If you're using Okta for SSO (let's say via SAML to your Salesforce instance) you have ample of options to add additional layers for enhanced security by having MFA enabled, iincluding FIDO2 (WebAuthn).
What you don't have that straight forward with Okta is Device Trust. So if you want to make sure that only managed devices (Windows, macOS, Linux) have access to i.e. Salesforce, you have to rely on third-parties here. 

By default, Okta integrates with EMM solutions, Certification Authorities and Endpoint Security solutions to establish these additional layers. For example, if your having a CA with a SCEP service, you could integrate this way by pushing out certificates to your devices with the caveat that you also have to configure the SSO extension profile

What if you're using JumpCloud and Okta and you want to use JumpCloud's super-easy-to-deploy Device Trust Certificates instead?
Well, got it figured out. The entry point here is the capability of Okta to integrate with other IDP's as a factor

Ingredients used:

Requirements:

  • Okta tenant with respective licensing in place
  • JumpCloud tenant with respective licensing in place
  • Device Certificates already enabled and deployed

Caveats: 

Right now, the check on the Device Trust Certificate requires an actual login to JumpCloud. This leads to a 'double authentication' every time it's required. In practice, there might be no need to check on the Device Trust Certificate on every login. In my configuration I only enforced it once a week - while unmanaged devices are denied completely. 

How to: 

1. Configure a Custom OIDC App

On JumpCloud you will need to populate the following settings:

Redirect URIshttps://dev-xxxx.okta.com/oauth2/v1/authorize/callback
Login URL: https:/dev-xxxxx.okta.com
Attribute Mappings (Okta requires preferred_username here as well):

Service Provider Attribute Name JumpCloud Attribute Name
email email
preferred_username email

Screenshot 2023-02-22 at 14.40.13.png

 

On Okta

Go to Security / Authenticators and click "Add authenticator"

I named it 'JumpCloud Factor' and follow the instructions outlined here in this article.
Use the following settings (according to your own tenant):

Redirect Domain: Your tenant-URL
Client ID and Client Secret from the JumpCloud Configuration
Issuer: https://oauth.id.jumpcloud.com/
Authorization endpointhttps://oauth.id.jumpcloud.com/oauth2/auth
Token endpoint: https://oauth.id.jumpcloud.com/oauth2/token
JWKS endpointhttps://oauth.id.jumpcloud.com/.well-known/jwks.json
Screenshot 2023-02-21 at 9.26.48 AM.png

 

Remaining on Okta, you will have to add an Authentication policy recognising this factor (JumpCloud's OIDC App):

For testing purposes I assigned this policy only to one test application without any deeper configurations. As you can see in the screenshot: Every 7 days the factor will be re-enforced which leads to the 'double auth' including JumpCloud. 

Screenshot 2023-02-22 at 14.57.42.png

 

Still on Okta, go to Authenticators and require the Enrollment for "JumpCloud Factor":

Screenshot 2023-02-22 at 15.00.15.png

Now we switch back to JumpCloud to configure Conditional Access Policies. 

First, make sure that you have enabled Device Certificates. Go to Conditional Policies / Settings and check that "Global Certificate Distribution" is toggled to "ON"
Screenshot 2023-02-22 at 15.02.49.png

Next, let's configure the Conditional Policy.
I named it "JumpCloud as a Factor for Okta" and you select the OIDC app "JumpCloud Factor", i included "All Users" and as Conditions i did configure

Device JumpCloud managed device
Location in country: Singapore

Action = Allowed
Authentication = Password


Screenshot 2023-02-22 at 15.07.39.png

 


That's it, now let's do some testing for validation. 
1. JumpCloud Managed Device

Screenshot 2023-02-22 at 15.15.12.pngScreenshot 2023-02-22 at 15.16.42.pngScreenshot 2023-02-22 at 15.17.08.pngScreenshot 2023-02-22 at 15.18.49.png

2. Unmanaged Device

Screenshot 2023-02-22 at 15.22.28.png

 

Screenshot 2023-02-22 at 15.23.31.png

 


That's the basic configuration. 
You can enhance the posturing and conditioning here by adding factors like Disk Encryption or IP Address, on Okta itself you can also tweak the Authentication Policy if needed. 

Thanks again for reading. 
- Juergen

14 REPLIES 14

Idan
JumpCloud Employee
JumpCloud Employee

Cool solution @JuergenKlaassen !

jehudamosh
JumpCloud Employee
JumpCloud Employee

Very cool! @JuergenKlaassen 

timothyadmire
Novitiate I

It appears that some of these instructions have changed on the Okta side. Okta now requires an "Identity Provider" to be setup before the "Authenticator" can be established. These appear to be the same step in the instructions above. When attempting to setup the Identity Provider, OIDC is not an option (at least for me) in Okta. Would love to connect directly on this as what you've outlined is exactly what I am trying to accomplish with JumpCloud and Okta.

@JuergenKlaassen tagging so you can take a look

Like someone's post? Give them a kudo!
Did someone's answer help you? Please mark it as a solution.

Hi Timothy 

I just checked and at a first glance, I don't see any significant changes on the Okta UI. 
Having JC setup as an IdP in Okta is definitely required to make this work. 

You don't have this option in your Okta Console?
SCR-20230905-omwj.png

I'm not sure atm which type license this would require for Okta (I'm using a dev-tenant).  

Thanks for the reply! I do not have the OpenID option, but I have all of the others. I will inquire with Okta as to what is needed to get that option. I am wondering if a dev account is required to see that option. I do have a SAML 2.0 option, which I do not see in your screenshot.

@JuergenKlaassen Progress! Okta needed to enable the OIDC Identity Provider within their system, so I was able to complete the configuration now. If you're not seeing it, reach out to Okta to enable it.

I am still dealing with an issue where I cannot force the JumpCloud IdP Factor to be required for authentication because it is seen as a similar "possession" factor as Okta Verify, so the system allows the user to use EITHER of those two factors and get around the JumpCloud authentication requirement. I'm working with Okta support on that and will report back.

Second, I am also finding that JumpCloud is allowing authentication of the SSO application even from non-managed devices. Configuration all checks out and the JumpCloud certificates have been deployed, but JC allows a user to authenticate with their JC credentials and MFA using that factor on any device still. I'm still trying to sort that one out.

Hey Timothy
Sorry for my delayed response. 

Did you figure it out with the possession factor? 
Maybe you can share more details/screenshots about your policies there?

On the second, do you have configured your Conditional Access Policies accordingly on JumpCloud?

gustavomelo
Novitiate I

Hello, I believe I have it set up correctly, but when trying to access the Okta Dashboard it redirects me to Jumpcloud in an attempt to sign up

gustavomelo_0-1695396666663.png

When I click on "Configure" I am redirected to my jumpcloud tenant, after logging in, I am directed to the jumpcloud applications screen

and when I return to my okta dashboard, I am redirected to the first screen I mentioned and it stays on repeat

 

Hey

The 'Configure' and being redirected is expected as Okta uses JC as a factor here. But once completed, you shall not end up in a look or so. 
Does your Conditional Policy with Device Trust works as expected with JC (standalone without Okta in the chain)?

Hello, yes I've set up my Conditional Policy in JC, and it's working fine. I can only access it if I have the Jumpcloud Agent.
After clicking on 'configure,' and "enroll" I am redirected to the JC website

gustavomelo_0-1695644800371.png

I end up in this infinite loop.

 

I believe it might be something related to the redirect url. in the okta logs, im not receiving anything from jumpcloud

and after logging to JC, im encountering this erro

gustavomelo_0-1695653440532.png

 

shalomcarmel
Novitiate I

Hey, 

What is the Jumpcloud license required for this to work? 

Hi @shalomcarmel 
That would require Platform Prime as it's relying on Conditional Access.