urvashi
Community Manager

This is an edited transcript of the 05.17.24 IT Hour

Overview

  • Sam Morgan, Principal Product Manager, talks about the Delegated Auth with the JumpCloud Active Directory Integration 
  • She also talks about some of the UI/UX improvements made to the process of setting up and updating the Active Directory Integration 

Transcript 

Delegated Authentication 

Sam: I’m here to talk about our Active Directory Integration and specifically I’m here to talk about some new capabilities we’re going to be releasing. They’re currently in beta and are around being able to delegate the user authentication to Active Directory. I’ll dig into what that is but I’ll start with what we’re doing and how it’s different, and then federation and why people want this. Then I’ll share some changes we’re making to our Active Directory setup flow in the details page to make it easier to find the information you need and to get through the flow. 

So what is Active Directory Integration? It’s basically our Identity and Access Management integration that allows our customers to sync information either to or from or both ways between JumpCloud and Active Directory, specifically user and group information. It supports a variety of configurations that allow you to fill the need that you have, whether that’s to leave AD as your primary directory and extend that out to the cloud or on a path to migration. 

What is delegated auth? I think there’s some confusion between delegation and federation and those two terms get conflated. In a federated scenario what happens is that you have a different Identity Provider and when you go to your login screen you get redirected to that other provider’s login flow. You go through the login process and then you return. 

In the case of Delegated Auth, JumpCloud remains the Identity Provider. So when you go to the login screen of the user portal or device, it would be no different than what it is today. But under the covers what’s happening is “Oh this person, we want to validate the credentials against Active Directory instead of our own system and then have that tell us that this user/credential is valid, so you can proceed with logging in and getting access to the resource that you’re trying to access.” Then we take you to the next step in the flow with successful validation. It’s also known as pass through authentication. Basically we just use another source under the cover instead of using our own system to validate the password. In the case of validation we don’t store the password. Basically there are some requirements that people sometimes have that they don't want another system to have access to that password. That’s the other benefit of delegated auth and how it differs from federated. 

So why do people want this and why do we care? Previously when you installed the Active Directory Integration and you were syncing user and group information from Active Directory to JumpCloud, you had to install the import agent on all your domain controllers, because that’s a requirement for Microsoft for us to be able to get and sync the password between those two systems. Now you don’t have to. You can install it on a domain joined member server and you don’t have to install it on all of them. So now it’s much easier. You just install it on a couple of member servers to make sure you have redundancy and off you go. 

The other benefit is that the user continues to use their existing on-premise Active Directory password and the IT Admin can manage passwords that they have within Active Directory. It allows Active Directory to remain the primary source of truth and the primary authentication source for those users and we can support that more easily now from an onboarding experience. Before, if you had a group of users that already existed in Active Directory and you were bringing them into JumpCloud you had this requirement to sync the password and they had to go in and change their password. So once we release this capability they can login and we'll validate that password against theirs so they don't have to change it, they just keep doing what they do. It makes that experience much better instead of saying “Oh we just brought JumpCloud into our ecosystem, that’s really awesome and good but you need to reset your password even if you just reset it five days ago.” 

It also makes it easier to extend your Active Directory to the cloud so you can do that transition more slowly and with less change management. It can act as an alternative to ADFS or some of the Okta solutions. And the latest use case that’s come up is we have some customers saying they’re in a multi forest environment. They have some of the forest off prem in Google Cloud and they have their on-prem and they basically don’t want to have to deploy the Active Directory Integration across all their forests. They just want to have their servers log the authentication on the server and delegate to their primary on-prem environment. This also facilitates that kind of bridge between those different forests with a lot less work in terms of installation and the integration with JumpCloud. 

So now you know the ‘why’ behind this and I didn’t show the experience because basically it would be no different than you logging into your user portal or device today, so not a very exciting demo. 

Enhanced Admin Portal UI/UX

I also want to talk about some enhancements that we’re making to complement these additional changes. We made these changes because right now when you finish getting your domain added to JumpCloud for the integration, we drop you onto the downloads page. And then every time you go back, you continue to go to the downloads page even though you’ve done the installation and the information you need is on a different tab. So we’re trying to bring all that more front and center, make it easier after you complete your installation to see the information you need to monitor the health of your integration and then have the actions you might need to do easily accessible but in lower prevalence on the screen. 

And there’s some things that we do that just happen in the background, so we’re trying to bring all of that to the forefront so you’re aware of what is on or off even if you can’t change it at least you have the understanding of what it is and how it could impact the behavior of the integration. Trying to make it a little bit more obvious when actions are needed. 

The other thing is if you’re going through a migration - Active Directory is my primary directory to start but I’m eventually going to migrate or reduce the footprint of Active Directory in my environment or eventually migrate off of it - you may need to change your Active Directory Integration configuration as you move through that journey. So now we’re going to have flows that help you move through that journey as well. 

So when you login and you say “I want to add an Active Directory Integration” we’re going to ask what you’re trying to do, where you want to manage your groups/passwords/users. Is it JumpCloud, Active Directory or both? Then we ask you for your domain and then we give you confirmation that says “okay, this is what you said, this means that the password is going to be managed in this directory and this is the way it’s going to sync”. If you choose JumpCloud then you say “Okay JumpCloud is going to be the password authority and the direction is going to be from JumpCloud to Active Directory”. So we give you a visual of what it is and tell you the agents that you need for this deployment. If it’s a two way sync, you need both agents. If it's one or the other, we only show the download for one. 

Then you click Configure, you download those agents, you go off and do your stuff in Active Directory and then instead of being on the downloads tab, we say “okay here’s what it looks like in terms of what agents you have installed, whether they’re active/pending/inactive, whether there’s an update available”, some more information about the versions, the IP sources, you get to see all that front and center. Then if you need to do an update you’re going to have the ability to say “Hey I’m going to update my existing agents” which means you have less information that you’re going to need to enter. If you’re installing a new server we give you the full information that you need - like your connect keys, API keys, and org IDs. 

Then in the Integration section we’re going to bring forward the capabilities to either toggle on or off or that are set for your particular configuration - like managing groups, syncing those groups from JumpCloud to AD, or setting AD as the password authority so that no changes to the password can be made in JumpCloud. We’re bringing all those configurations forward so it’s more obvious what you can and can’t do. 

Back at the top there’s the Update Configuration button which is new. There’s some reminders of what your domain is, which directory is acting as the primary source of truth or if it’s a shared responsibility, and a reminder of the sync directions. Then if you’re ready to change your configuration, say you’re bidirectional and you want JumpCloud to be the sole authority, you can update your configuration. Click the button, it’ll show you your current configuration and then you have two options to choose from. Once you select that we’ll show you what your previous configuration is and what your updated configuration is and we’ll have some reminders around uninstalling extra agents and reminders for next steps and then confirmation. If you need to install a new agent we’ll show you what that agent is and remind you how this change might impact your users. 

For example if you had the passwords and attributes locked down and you’re moving to a more flexible option where they can be changed in JumpCloud, we’ll say “Hey we’re going to update all your associated users that they can make changes to their password in JumpCloud, which they couldn’t do before.” If you’re going the other way where you previously allowed users to change their passwords and now you don’t want to do that, we’ll update them so that they’re no longer allowed to update their passwords in JumpCloud and it’s restricted to changes in Active Directory. So just more communication, more automation. Before, it was an API call that you had to make, run a PowerShell script etc. Now we’re going to do a lot of that heavy lifting for you.

Last update: 06-14-2024 07:52 AM