Recently, as part of one of the projects, we had the opportunity to integrate JumpCloud with Azure AD. The integration was aimed at facilitating user management and introducing the so-called SSO (Single Sign-On) with one authentication point. And today, we’d like to share this knowledge with you.
What is Single Sign-On?
SSO is an authentication mechanism that allows a user to log in to many independent IT systems with a single identifier. In this case, single authentication provides access to multiple applications by passing an authentication token to configured applications.
The benefits of using Single Sign-On are primarily increased security and easier user management. With SSO, users have to remember fewer passwords, which translates directly into having more complex, non-reused ones. Thanks to a single point of authentication, administrators get easier login verification (logs in one place) as well as easier user management (fewer password reset requests, and greater certainty that all access has been revoked when an account is disabled).
Preparing JumpCloud as an authentication point
Coming back to our case – we selected JumpCloud as the authentication point because of the possibility of introducing MFA (Multi-Factor Authentication) for all users at no additional cost, as well as a clear user management interface.
Step 1
We started the entire process with user verification in both Azure AD (AAD) and JumpCloud. It was important to make sure that all users have the email attribute filled in correctly in both tenants.
Step 2
The next step was the creation of a new technical account with Global Admin privileges in the AAD tenant. This user is responsible, inter alia, for the synchronization process between the tenants.
Step 3
Next, we set *.onmicrosoft.com as the primary AAD domain.
Step 4
As far as JumpCloud is concerned, we have prepared an appropriate group in order to maintain control of the accounts that were to be synchronized.
Launching the service
Once the preparations are complete, the service can be turned on.
- After logging into the JumpCloud administration console, go to: User Authentication > SSO, click the “+” sign and select the appropriate application for which you want to add SSO.
- At this point, which may be a bit confusing, choose Microsoft 365 (there is no direct indication of Azure AD).
- In the SSO tab, fill in the name of your domain in the appropriate places (IdP Entity ID and Login URL) and then indicate the groups to be synchronized.
- After activating SSO, enter your application into the edit mode and download the certificate generated by JumpCloud.
- Staying in the console, go to Directory Integrations > Cloud Directory Integrations, click “+” and, after selecting M365 / Azure AD, configure the attributes and users for synchronization.
- At this point, we only need to set up the federation between AAD and JumpCloud. For this purpose, we use the following PowerShell script:
# Sign in with the technical Global Admin account created in Step 2 (MSOnline module)
$cred = Get-Credential
Connect-MsolService -Credential $cred
# "domena" is a placeholder for your federated domain name (the same value is used as the IdP Entity ID in JumpCloud)
$domain = "domena"
$idpUrl = "https://sso.jumpcloud.com/saml2/office365"
$logoutUrl = "https://console.jumpcloud.com/userconsole/"
# "certyfikat" is a placeholder for the Base64 body of the certificate downloaded from JumpCloud, with all whitespace removed
$certificate = "certyfikat"
$issuerUri = "domena"
Set-MsolDomainAuthentication -DomainName $domain -FederationBrandName $domain -Authentication Federated -IssuerUri $issuerUri -LogOffUri $logoutUrl -PassiveLogOnUri $idpUrl -ActiveLogOnUri $idpUrl -SigningCertificate $certificate -PreferredAuthenticationProtocol SAMLP
- As the “certificate” value, paste the contents of the certificate, first removing all whitespace characters (line breaks and spaces).
- After executing the script, we can check whether the federation has been set up with the command: Get-MsolDomain
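The two manual steps above (cleaning up the certificate and checking the federation afterwards) are easy to get wrong by hand, so here is an added helper for them. This is example code written for this article, not JumpCloud's or Microsoft's own tooling; the file path, domain name and thumbprint in the usage lines are placeholders.

```powershell
# Added example: prepare the JumpCloud signing certificate for
# Set-MsolDomainAuthentication and verify the federation afterwards.
function ConvertTo-FederationCertificateString {
    param([Parameter(Mandatory)][string]$Path)

    # Drop the PEM armour lines (-----BEGIN/END CERTIFICATE-----) and every
    # whitespace character, leaving the bare Base64 body the cmdlet expects.
    $lines = Get-Content -Path $Path | Where-Object { $_ -notmatch '^-----' }
    $base64 = ($lines -join '') -replace '\s', ''

    # Sanity-check that the string still parses as a certificate and is not
    # expired; a bad value here breaks every federated login for the domain.
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
        [Convert]::FromBase64String($base64))
    if ($cert.NotAfter -lt (Get-Date)) {
        throw "Signing certificate expired on $($cert.NotAfter)"
    }
    Write-Verbose ("Subject: {0}; thumbprint: {1}; valid until: {2}" -f
        $cert.Subject, $cert.Thumbprint, $cert.NotAfter)
    return $base64
}

function Test-FederatedDomain {
    param([Parameter(Mandatory)][string]$DomainName,
          [Parameter(Mandatory)][string]$ExpectedThumbprint)

    # Confirm the domain is federated and that the certificate stored in AAD
    # is the one we uploaded (compare thumbprints rather than raw strings).
    $domain = Get-MsolDomain -DomainName $DomainName
    if ($domain.Authentication -ne 'Federated') { return $false }
    $settings = Get-MsolDomainFederationSettings -DomainName $DomainName
    $stored = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
        [Convert]::FromBase64String($settings.SigningCertificate))
    return ($stored.Thumbprint -eq $ExpectedThumbprint)
}

# Usage (placeholder values), after Connect-MsolService:
# $certificate = ConvertTo-FederationCertificateString -Path 'C:\jumpcloud\cert.pem' -Verbose
# Set-MsolDomainAuthentication ... -SigningCertificate $certificate ...
# Test-FederatedDomain -DomainName 'example.com' -ExpectedThumbprint '<thumbprint printed above>'
```

Keep the thumbprint printed by the first function; it is also the value to compare against when JumpCloud rotates its signing certificate later.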
Finishing up
If everything has been done correctly, we need to be patient. According to the documentation, the synchronization process may take up to 2 hours, and in extreme cases up to 24 hours.
To sum up, we managed to integrate JumpCloud with AAD in a fairly simple way and thus improve the security and comfort of both users and administrators.