User Authentication with JumpCloud¶
Our JumpCloud authentication authority lets you log users in at the agent with your existing JumpCloud tenant. Using JumpCloud with Enclave means you can:
- Use any MFA mechanism supported by JumpCloud for authentication.
- Apply JumpCloud Conditional Access Policies to user logins.
- Require JumpCloud-enrolled device membership as well as Enclave enrollment for machine identity.
Create the JumpCloud SSO Application¶
The first step is to login to your JumpCloud admin console, and select SSO Applications from the left-hand menu.
Then click Add New Application. You will be presented with a screen of "Featured Applications", but you should select Custom Application.
When asked to select the features to enable for the application, select Manage Single Sign-On, and choose Configure SSO with OIDC:
On the next screen, provide a display name for this application ('Enclave', for example), and optionally use this image file as a logo for the application.
Untick the Show in User Portal option, to avoid confusing users, since they cannot initiate login to the Enclave Agent from within the JumpCloud portal.
Continue to configure the application within JumpCloud, and set up the OpenID Connect Configuration. Set the following values in the SSO tab:
Grant Type | Enable Refresh Token |
Redirect URIs | Specify two URIs: - http://localhost:45719/ - enclave-app://agent-auth |
Client Authentication Type | Select Public (None PKCE) |
Login URL | Set to https://enclave.io; this value is never actually used, since the app isn't shown in the user portal |
Attribute Mapping | Enable the Email and Profile standard scopes |
Once you press Activate, you will be given a Client ID. Copy this, because you will need it to create your Trust Requirement.
Creating your Trust Requirement¶
Now we have all the JumpCloud configuration set up, we can create our Enclave Trust Requirement.
When defining a new User Authentication Trust Requirement in the Enclave Portal, select JumpCloud from the Authority dropdown, and provide the Client ID you collected in the previous step.
Once you press Save you can start using your JumpCloud Trust Requirement in an Enclave Policy. Your users will then be prompted to login and will be sent to your JumpCloud tenant for authentication.