Hello
Sharing a documentation here to configure JumpCloud and Okta in tandem to use JumpCloud as factor for Device Trust by using OIDC, Conditional Access Policies and Okta's Policy Engine.
What it does:
If you're using Okta for SSO (let's say via SAML to your Salesforce instance) you have ample of options to add additional layers for enhanced security by having MFA enabled, iincluding FIDO2 (WebAuthn).
What you don't have that straight forward with Okta is Device Trust. So if you want to make sure that only managed devices (Windows, macOS, Linux) have access to i.e. Salesforce, you have to rely on third-parties here.
By default, Okta integrates with EMM solutions, Certification Authorities and Endpoint Security solutions to establish these additional layers. For example, if your having a CA with a SCEP service, you could integrate this way by pushing out certificates to your devices with the caveat that you also have to configure the SSO extension profile.
What if you're using JumpCloud and Okta and you want to use JumpCloud's super-easy-to-deploy Device Trust Certificates instead?
Well, got it figured out. The entry point here is the capability of Okta to integrate with other IDP's as a factor.
Ingredients used:
- JumpCloud Custom OIDC App
- JumpCloud Conditional Policy
- JumpCloud Device Certificates
- Okta Identity Provider integration
- Okta Authentication Policies
Requirements:
- Okta tenant with respective licensing in place
- JumpCloud tenant with respective licensing in place
- Device Certificates already enabled and deployed
Caveats:
Right now, the check on the Device Trust Certificate requires an actual login to JumpCloud. This leads to a 'double authentication' every time it's required. In practice, there might be no need to check on the Device Trust Certificate on every login. In my configuration I only enforced it once a week - while unmanaged devices are denied completely.
How to:
1. Configure a Custom OIDC App
On JumpCloud you will need to populate the following settings:
Redirect URIs: https://dev-xxxx.okta.com/oauth2/v1/authorize/callback
Login URL: https:/dev-xxxxx.okta.com
Attribute Mappings (Okta requires preferred_username here as well):
| Service Provider Attribute Name | JumpCloud Attribute Name |
| preferred_username |
On Okta:
Go to Security / Authenticators and click "Add authenticator"
I named it 'JumpCloud Factor' and follow the instructions outlined here in this article.
Use the following settings (according to your own tenant):
Redirect Domain: Your tenant-URL
Client ID and Client Secret from the JumpCloud Configuration
Issuer: https://oauth.id.jumpcloud.com/
Authorization endpoint: https://oauth.id.jumpcloud.com/oauth2/auth
Token endpoint: https://oauth.id.jumpcloud.com/oauth2/token
JWKS endpoint: https://oauth.id.jumpcloud.com/.well-known/jwks.json
Remaining on Okta, you will have to add an Authentication policy recognising this factor (JumpCloud's OIDC App):
For testing purposes I assigned this policy only to one test application without any deeper configurations. As you can see in the screenshot: Every 7 days the factor will be re-enforced which leads to the 'double auth' including JumpCloud.
Still on Okta, go to Authenticators and require the Enrollment for "JumpCloud Factor":
Now we switch back to JumpCloud to configure Conditional Access Policies.
First, make sure that you have enabled Device Certificates. Go to Conditional Policies / Settings and check that "Global Certificate Distribution" is toggled to "ON"
Next, let's configure the Conditional Policy.
I named it "JumpCloud as a Factor for Okta" and you select the OIDC app "JumpCloud Factor", i included "All Users" and as Conditions i did configure
| Device | JumpCloud managed device |
| Location | in country: Singapore |
Action = Allowed
Authentication = Password
That's it, now let's do some testing for validation.
1. JumpCloud Managed Device
2. Unmanaged Device
That's the basic configuration.
You can enhance the posturing and conditioning here by adding factors like Disk Encryption or IP Address, on Okta itself you can also tweak the Authentication Policy if needed.
Thanks again for reading.
- Juergen
Hi Timothy
I just checked and at a first glance, I don't see any significant changes on the Okta UI.
Having JC setup as an IdP in Okta is definitely required to make this work.
You don't have this option in your Okta Console?
I'm not sure atm which type license this would require for Okta (I'm using a dev-tenant).
Hello, I believe I have it set up correctly, but when trying to access the Okta Dashboard it redirects me to Jumpcloud in an attempt to sign up
When I click on "Configure" I am redirected to my jumpcloud tenant, after logging in, I am directed to the jumpcloud applications screen
and when I return to my okta dashboard, I am redirected to the first screen I mentioned and it stays on repeat
Hello, yes I've set up my Conditional Policy in JC, and it's working fine. I can only access it if I have the Jumpcloud Agent.
After clicking on 'configure,' and "enroll" I am redirected to the JC website
I end up in this infinite loop.
I believe it might be something related to the redirect url. in the okta logs, im not receiving anything from jumpcloud
and after logging to JC, im encountering this erro
