02-22-2023 02:33 AM - edited 02-22-2023 05:19 PM
Sharing documentation here on configuring JumpCloud and Okta in tandem, using JumpCloud as a factor for Device Trust via OIDC, Conditional Access Policies and Okta's Policy Engine.
What it does:
If you're using Okta for SSO (let's say via SAML to your Salesforce instance) you have ample options to add additional layers of security by enabling MFA, including FIDO2 (WebAuthn).
What is not that straightforward with Okta is Device Trust. So if you want to make sure that only managed devices (Windows, macOS, Linux) have access to, e.g., Salesforce, you have to rely on third parties here.
By default, Okta integrates with EMM solutions, Certificate Authorities and Endpoint Security solutions to establish these additional layers. For example, if you have a CA with a SCEP service, you could integrate this way by pushing out certificates to your devices, with the caveat that you also have to configure the SSO extension profile.
What if you're using JumpCloud and Okta and you want to use JumpCloud's super-easy-to-deploy Device Trust Certificates instead?
Well, I got it figured out. The entry point here is Okta's capability to integrate other IdPs as a factor.
Right now, the check on the Device Trust Certificate requires an actual login to JumpCloud. This leads to a 'double authentication' every time it's required. In practice, there might be no need to check the Device Trust Certificate on every login. In my configuration I only enforced it once a week, while unmanaged devices are denied completely.
1. Configure a Custom OIDC App
On JumpCloud you will need to populate the following settings:
Redirect URIs: https://dev-xxxx.okta.com/oauth2/v1/authorize/callback
Login URL: https://dev-xxxxx.okta.com
Attribute Mappings (Okta requires preferred_username here as well):
Service Provider Attribute Name | JumpCloud Attribute Name
On Okta, go to Security / Authenticators and click "Add authenticator".
I named it 'JumpCloud Factor' and followed the instructions outlined here in this article.
Use the following settings (according to your own tenant):
Redirect Domain: Your tenant-URL
Client ID and Client Secret from the JumpCloud Configuration
Authorization endpoint: https://oauth.id.jumpcloud.com/oauth2/auth
Token endpoint: https://oauth.id.jumpcloud.com/oauth2/token
JWKS endpoint: https://oauth.id.jumpcloud.com/.well-known/jwks.json
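As an added example (not code from the original post, nor from JumpCloud or Okta), the Python below shows what sits behind the JWKS endpoint and the preferred_username requirement above: a locally generated demo key stands in for JumpCloud's signing key, a sample ID token is signed the way the token endpoint would sign it, and verify_id_token performs the checks the relying party (Okta here) has to pass before it counts the factor as satisfied. The issuer string, client ID, key id and claim values are assumptions or placeholders.

```python
import base64, hashlib, json, random, time
ISSUER = "https://oauth.id.jumpcloud.com"  # assumed "iss" value; confirm against the live discovery document
CLIENT_ID = "jumpcloud-oidc-client-id-placeholder"  # Client ID from the JumpCloud Custom OIDC App
def b64u(b): return base64.urlsafe_b64encode(b).rstrip(b"=").decode()
def b64u_dec(s): return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
def _emsa(msg, k):  # EMSA-PKCS1-v1_5 encoding of SHA-256(msg) for a k-byte modulus
    t = bytes.fromhex("3031300d060960864801650304020105000420") + hashlib.sha256(msg).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def _prime(bits):  # demo-only: Fermat test on fixed bases, enough for a locally generated test key
    while True:
        n = random.getrandbits(bits) | 1 << (bits - 1) | 1
        if all(pow(a, n - 1, n) == 1 for a in (2, 3, 5, 7, 11, 13)): return n

def make_keypair(bits=1024):  # stands in for JumpCloud's signing key (constructed, not real)
    while True:
        p, q = _prime(bits // 2), _prime(bits // 2)
        n, phi, e = p * q, (p - 1) * (q - 1), 65537
        if p != q and phi % e: return {"kid": "demo-key", "n": n, "e": e, "d": pow(e, -1, phi)}

def jwks_for(key):  # shape of the document served at /.well-known/jwks.json
    k = (key["n"].bit_length() + 7) // 8
    return {"keys": [{"kty": "RSA", "use": "sig", "alg": "RS256", "kid": key["kid"],
                      "n": b64u(key["n"].to_bytes(k, "big")), "e": b64u(key["e"].to_bytes(3, "big"))}]}

def sign_id_token(key, claims):  # what the token endpoint returns: an RS256-signed JWT
    head = {"alg": "RS256", "typ": "JWT", "kid": key["kid"]}
    body = b64u(json.dumps(head).encode()) + "." + b64u(json.dumps(claims).encode())
    k = (key["n"].bit_length() + 7) // 8
    sig = pow(int.from_bytes(_emsa(body.encode(), k), "big"), key["d"], key["n"])
    return body + "." + b64u(sig.to_bytes(k, "big"))

def verify_id_token(token, jwks):  # the checks Okta must pass before the factor counts as satisfied
    h, p, s = token.split(".")
    head = json.loads(b64u_dec(h))
    if head.get("alg") != "RS256": return False, "unexpected alg"  # refuse 'none'/HMAC downgrades
    jwk = next((j for j in jwks["keys"] if j.get("kid") == head.get("kid")), None)
    if jwk is None: return False, "no JWKS key matches kid"
    n, e = (int.from_bytes(b64u_dec(jwk[x]), "big") for x in ("n", "e"))
    k, sig = (n.bit_length() + 7) // 8, int.from_bytes(b64u_dec(s), "big")
    if sig >= n or pow(sig, e, n).to_bytes(k, "big") != _emsa(f"{h}.{p}".encode(), k):
        return False, "bad signature"
    c = json.loads(b64u_dec(p))
    if c.get("iss") != ISSUER: return False, "wrong issuer"
    if c.get("aud") != CLIENT_ID: return False, "wrong audience"  # aud may also be a list in general
    if c.get("exp", 0) <= int(time.time()): return False, "expired"
    if not c.get("preferred_username"): return False, "preferred_username missing"  # Okta needs it to match the user
    return True, c
KEY, CLAIMS = make_keypair(), {"iss": ISSUER, "aud": CLIENT_ID, "sub": "user-id-placeholder",
    "iat": int(time.time()), "exp": int(time.time()) + 300, "preferred_username": "alice@example.com"}
JWKS = jwks_for(KEY)  # KEY, CLAIMS and JWKS are constructed sample data for this example
```

The negative paths (wrong kid, tampered signature, missing preferred_username) are the ones that show up as a failed factor on the Okta side, so they are worth exercising before rolling the policy out.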
Remaining on Okta, you will have to add an Authentication policy that recognises this factor (JumpCloud's OIDC App):
For testing purposes I assigned this policy only to one test application without any deeper configurations. As you can see in the screenshot: Every 7 days the factor will be re-enforced which leads to the 'double auth' including JumpCloud.
Still on Okta, go to Authenticators and require the Enrollment for "JumpCloud Factor":
Now we switch back to JumpCloud to configure Conditional Access Policies.
First, make sure that you have enabled Device Certificates. Go to Conditional Policies / Settings and check that "Global Certificate Distribution" is toggled to "ON".
Next, let's configure the Conditional Policy.
I named it "JumpCloud as a Factor for Okta", selected the OIDC app "JumpCloud Factor", included "All Users" and as Conditions I configured:
Device | JumpCloud managed device
Location | in country: Singapore
Action = Allowed
Authentication = Password
That's it, now let's do some testing for validation.
1. JumpCloud Managed Device
2. Unmanaged Device
That's the basic configuration.
You can enhance the posture checks and conditions here by adding factors like Disk Encryption or IP Address; on Okta itself you can also tweak the Authentication Policy if needed.
Thanks again for reading.