How to establish Device Trust (managed devices) for Okta by using JumpCloud as factor for authentication?

JuergenKlaassen
Rising Star I

Hello

Sharing some documentation here on configuring JumpCloud and Okta in tandem, using JumpCloud as a factor for Device Trust by way of OIDC, Conditional Access Policies and Okta's Policy Engine.

What it does:

If you're using Okta for SSO (let's say via SAML to your Salesforce instance), you have ample options to add additional layers for enhanced security by having MFA enabled, including FIDO2 (WebAuthn).
What you don't have that straightforward with Okta is Device Trust. So if you want to make sure that only managed devices (Windows, macOS, Linux) have access to e.g. Salesforce, you have to rely on third parties here.

By default, Okta integrates with EMM solutions, Certificate Authorities and Endpoint Security solutions to establish these additional layers. For example, if you have a CA with a SCEP service, you could integrate this way by pushing out certificates to your devices, with the caveat that you also have to configure the SSO extension profile.

What if you're using JumpCloud and Okta and you want to use JumpCloud's super-easy-to-deploy Device Trust Certificates instead?
Well, I got it figured out. The entry point here is the capability of Okta to integrate with other IdPs as a factor.

Ingredients used:

Requirements:

  • Okta tenant with respective licensing in place
  • JumpCloud tenant with respective licensing in place
  • Device Certificates already enabled and deployed

Caveats: 

Right now, the check on the Device Trust Certificate requires an actual login to JumpCloud. This leads to a 'double authentication' every time it's required. In practice, there might be no need to check the Device Trust Certificate on every login. In my configuration I only enforced it once a week, while unmanaged devices are denied completely.

How to: 

1. Configure a Custom OIDC App

On JumpCloud you will need to populate the following settings:

Redirect URIs: https://dev-xxxx.okta.com/oauth2/v1/authorize/callback
Login URL: https://dev-xxxxx.okta.com
Attribute Mappings (Okta requires preferred_username here as well):

Service Provider Attribute Name    JumpCloud Attribute Name
email                              email
preferred_username                 email

[Screenshot 2023-02-22 at 14.40.13.png]

On Okta

Go to Security / Authenticators and click "Add authenticator"

I named it 'JumpCloud Factor' and followed the instructions outlined here in this article.
Use the following settings (according to your own tenant):

Redirect Domain: your tenant URL
Client ID and Client Secret: from the JumpCloud configuration
Issuer: https://oauth.id.jumpcloud.com/
Authorization endpoint: https://oauth.id.jumpcloud.com/oauth2/auth
Token endpoint: https://oauth.id.jumpcloud.com/oauth2/token
JWKS endpoint: https://oauth.id.jumpcloud.com/.well-known/jwks.json

[Screenshot 2023-02-21 at 9.26.48 AM.png]


Remaining on Okta, you will have to add an Authentication policy that recognises this factor (JumpCloud's OIDC app):

For testing purposes I assigned this policy only to one test application without any deeper configuration. As you can see in the screenshot, every 7 days the factor will be re-enforced, which leads to the 'double auth' including JumpCloud.

[Screenshot 2023-02-22 at 14.57.42.png]

Still on Okta, go to Authenticators and require enrollment for "JumpCloud Factor":

[Screenshot 2023-02-22 at 15.00.15.png]

Now we switch back to JumpCloud to configure Conditional Access Policies. 

First, make sure that you have enabled Device Certificates. Go to Conditional Policies / Settings and check that "Global Certificate Distribution" is toggled to "ON".

[Screenshot 2023-02-22 at 15.02.49.png]

Next, let's configure the Conditional Policy.
I named it "JumpCloud as a Factor for Okta", selected the OIDC app "JumpCloud Factor", included "All Users", and as Conditions I configured:

  • Device: JumpCloud managed device
  • Location: in country Singapore

  • Action: Allowed
  • Authentication: Password

[Screenshot 2023-02-22 at 15.07.39.png]


That's it, now let's do some testing for validation.

1. JumpCloud Managed Device

[Screenshot 2023-02-22 at 15.15.12.png]
[Screenshot 2023-02-22 at 15.16.42.png]
[Screenshot 2023-02-22 at 15.17.08.png]
[Screenshot 2023-02-22 at 15.18.49.png]

2. Unmanaged Device

[Screenshot 2023-02-22 at 15.22.28.png]
[Screenshot 2023-02-22 at 15.23.31.png]


That's the basic configuration.
You can enhance the posture checks and conditions here by adding factors like Disk Encryption or IP Address; on Okta itself you can also tweak the Authentication Policy if needed.

Thanks again for reading. 
- Juergen
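What the Okta side of this setup has to get right when JumpCloud hands back an ID token, written out as an added Go example (not part of Juergen's post and not JumpCloud's or Okta's code): a relying party pins the signing algorithm, looks the key up by kid in the JWKS, verifies the RS256 signature, then checks iss against the Issuer entered in the authenticator, aud against the Client ID, exp, and that both email and preferred_username are present, which is the attribute mapping the post says Okta needs. The issuer URL is the one from the post; the client ID, the key ID "placeholder-kid", the frozen clock value and the user alice@example.com are constructed placeholders, and the token is minted locally with a throwaway key instead of being fetched from JumpCloud, so it runs offline.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// Issuer as entered in the post's Okta authenticator; client ID, "placeholder-kid" and the frozen clock are constructed placeholders.
const (
	expectedIssuer = "https://oauth.id.jumpcloud.com/"
	oktaClientID   = "PLACEHOLDER-jumpcloud-factor-client-id"
	sampleNow      = int64(1677000000)
)

var b64 = base64.RawURLEncoding
type keyset map[string]*rsa.PublicKey // the JWKS document after parsing: kid -> RSA key (n/e decoded)

// idTokenClaims: what the post's mapping needs. aud is a string here; the spec also allows an array.
type idTokenClaims struct {
	Iss               string `json:"iss"`
	Aud               string `json:"aud"`
	Exp               int64  `json:"exp"`
	Email             string `json:"email"`
	PreferredUsername string `json:"preferred_username"`
}

// Helpers: must is for the sample-building side only; decode is unpadded base64url whose
// malformed input simply yields bytes that fail the later checks (the validator never panics).
func must[T any](v T, err error) T { if err != nil { panic(err) }; return v }
func decode(s string) []byte          { b, _ := b64.DecodeString(s); return b }

// mintIDToken signs an RS256 ID token as the IdP would; it only builds constructed samples.
func mintIDToken(priv *rsa.PrivateKey, c idTokenClaims) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": "placeholder-kid"})
	body, _ := json.Marshal(c)
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	sig := must(rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:]))
	return input + "." + b64.EncodeToString(sig)
}

// validateIDToken runs the relying-party checks the Issuer, Client ID and JWKS settings feed:
// pinned alg, key lookup by kid, RS256 signature, then iss, aud, exp and the two mapped claims.
func validateIDToken(token string, keys keyset, issuer, clientID string, now int64) (*idTokenClaims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("malformed token")
	}
	var hdr struct{ Alg, Kid string }
	if json.Unmarshal(decode(parts[0]), &hdr) != nil || hdr.Alg != "RS256" { // pin alg; never let the token choose
		return nil, fmt.Errorf("rejected header %q", parts[0])
	}
	pub, ok := keys[hdr.Kid]
	if !ok {
		return nil, fmt.Errorf("no key with kid %q in JWKS", hdr.Kid)
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], decode(parts[2])); err != nil {
		return nil, fmt.Errorf("signature: %w", err)
	}
	var c idTokenClaims
	if err := json.Unmarshal(decode(parts[1]), &c); err != nil {
		return nil, err
	}
	if c.Iss != issuer || c.Aud != clientID {
		return nil, fmt.Errorf("iss %q / aud %q do not match this authenticator", c.Iss, c.Aud)
	}
	if now >= c.Exp {
		return nil, fmt.Errorf("token expired")
	}
	if c.Email == "" || c.PreferredUsername == "" {
		return nil, fmt.Errorf("email or preferred_username missing: check the JumpCloud attribute mapping")
	}
	return &c, nil
}

// demo mints three constructed tokens under a fresh (constructed) IdP key and returns each
// validation error ("" = accepted): good token, missing preferred_username, wrong client.
func demo() (out [3]string) {
	priv := must(rsa.GenerateKey(rand.Reader, 2048))
	keys := keyset{"placeholder-kid": &priv.PublicKey} // what the JWKS endpoint publishes, parsed
	good := idTokenClaims{Iss: expectedIssuer, Aud: oktaClientID, Exp: sampleNow + 300,
		Email: "alice@example.com", PreferredUsername: "alice@example.com"}
	noUser, wrongAud := good, good
	noUser.PreferredUsername, wrongAud.Aud = "", "some-other-client"
	for i, c := range []idTokenClaims{good, noUser, wrongAud} {
		if _, err := validateIDToken(mintIDToken(priv, c), keys, expectedIssuer, oktaClientID, sampleNow); err != nil {
			out[i] = err.Error()
		}
	}
	return out
}
func main() { fmt.Printf("%q\n", demo()) }
```

Run it with `go run`; the three outputs are the accepted token (empty error), the missing-mapping error and the wrong-audience error. Okta performs this validation itself, so the value of the code is in seeing which misconfiguration from the how-to above (a mistyped Issuer string, a missing preferred_username mapping on the JumpCloud side, a Client ID that doesn't match the JumpCloud app) surfaces as which failure, and why a token that merely carries the right claims but is signed by a key not in the JWKS, or that asks for alg "none", is refused before any of the claims are even read.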

2 Replies

Idan
JumpCloud Employee

Cool solution @JuergenKlaassen !

jehudamosh
JumpCloud Employee

Very cool! @JuergenKlaassen