
User Authentication with JumpCloud

Our JumpCloud authentication authority lets users log in at the Enclave Agent using your existing JumpCloud tenant. Using JumpCloud with Enclave means you can:

  • Use any MFA mechanism supported by JumpCloud for authentication.
  • Apply JumpCloud Conditional Access Policies to user logins.
  • Require JumpCloud-enrolled device membership as well as Enclave enrollment for machine identity.

Create the JumpCloud SSO Application

The first step is to log in to your JumpCloud admin console and select SSO Applications from the left-hand menu.

Then click Add New Application. You will be presented with a screen of "Featured Applications", but you should select Custom Application.

New custom app

When asked to select the features to enable for the application, select Manage Single Sign-On, and choose Configure SSO with OIDC:

Select SSO and OIDC

On the next screen, provide a display name for this application ('Enclave', for example), and optionally use this image file as a logo for the application.

Untick the Show in User Portal option, to avoid confusing users, since they cannot initiate login to the Enclave Agent from within the JumpCloud portal.

General Settings

Continue to configure the application within JumpCloud, and set up the OpenID Connect Configuration. Set the following values in the SSO tab:

  • Grant Type: enable Refresh Token.
  • Redirect URIs: specify two URIs, entered exactly as shown (including the trailing slash on the localhost URI, since OIDC redirect URIs are matched exactly):
    - http://localhost:45719/
    - enclave-app://agent-auth
  • Client Authentication Type: select Public (None PKCE). The Enclave Agent is a native application that cannot keep a client secret, so it authenticates as a public client and relies on PKCE to bind each authorization code to the agent instance that requested it.
  • Login URL: set to https://enclave.io. This value is never actually used, since the app isn't shown in the user portal.
  • Attribute Mapping: enable the Email and Profile standard scopes.

OIDC Options
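To make the Public (None PKCE) and Redirect URI settings concrete, the following is an added example of the authorization-code-with-PKCE exchange a public native client performs against this configuration. It is illustrative code written for this page, not Enclave's agent code or JumpCloud's SDK. The redirect URIs and scopes are taken from the settings above; the JumpCloud authorization endpoint constant is an assumption to confirm against your tenant's OIDC discovery document, and the callback URL in simulate_login is constructed locally so the example runs offline.

```python
import base64
import hashlib
import secrets
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlparse

# Values that come straight from the JumpCloud application settings above.
LOOPBACK_REDIRECT = "http://localhost:45719/"
APP_REDIRECT = "enclave-app://agent-auth"
REGISTERED_REDIRECTS = {LOOPBACK_REDIRECT, APP_REDIRECT}
SCOPES = "openid email profile"  # openid, plus the Email and Profile scopes enabled in Attribute Mapping

# Assumption: JumpCloud's OIDC authorization endpoint. Confirm it against your tenant's
# discovery document rather than trusting this constant.
AUTHORIZE_ENDPOINT = "https://oauth.id.jumpcloud.com/oauth2/auth"


def b64url(data: bytes) -> str:
    """Base64url-encode without '=' padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_pkce_pair(verifier: Optional[str] = None) -> Tuple[str, str]:
    """Return (code_verifier, code_challenge) for the S256 method.

    A fresh random verifier is generated unless one is supplied; supplying one is
    only useful for checking against the RFC 7636 test vector.
    """
    if verifier is None:
        verifier = b64url(secrets.token_bytes(32))  # 43 chars, inside the 43..128 range RFC 7636 allows
    challenge = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge


def build_authorization_url(client_id: str, redirect_uri: str, code_challenge: str, state: str) -> str:
    """Authorization request a public client sends; refuses redirect URIs that were not registered."""
    if redirect_uri not in REGISTERED_REDIRECTS:
        raise ValueError(f"redirect_uri not registered with JumpCloud: {redirect_uri}")
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": SCOPES,
        "state": state,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}"


def parse_callback(callback_url: str, expected_state: str, expected_redirect: str) -> str:
    """Validate the redirect the browser delivers back to the agent and return the authorization code."""
    parsed = urlparse(callback_url)
    delivered_to = f"{parsed.scheme}://{parsed.netloc}{parsed.path}"
    if delivered_to != expected_redirect:
        raise ValueError(f"callback arrived on unexpected URI: {delivered_to}")
    query = parse_qs(parsed.query)
    if "error" in query:
        raise ValueError(f"authorization failed: {query['error'][0]}")
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: response does not belong to this login attempt")
    return query["code"][0]


def token_request_body(client_id: str, code: str, redirect_uri: str, code_verifier: str) -> Dict[str, str]:
    """Form body for the token endpoint. There is no client_secret: the code_verifier proves
    that the agent redeeming the code is the one that started the flow."""
    return {
        "grant_type": "authorization_code",
        "client_id": client_id,
        "code": code,
        "redirect_uri": redirect_uri,
        "code_verifier": code_verifier,
    }


def simulate_login(client_id: str) -> Dict[str, str]:
    """Walk the flow offline with a constructed callback and return the token request body."""
    verifier, challenge = make_pkce_pair()
    state = b64url(secrets.token_bytes(16))
    auth_url = build_authorization_url(client_id, LOOPBACK_REDIRECT, challenge, state)
    assert "code_challenge_method=S256" in auth_url
    # Constructed stand-in for what JumpCloud's redirect would deliver to the listener on port 45719.
    callback = f"{LOOPBACK_REDIRECT}?{urlencode({'code': 'constructed-auth-code', 'state': state})}"
    code = parse_callback(callback, state, LOOPBACK_REDIRECT)
    return token_request_body(client_id, code, LOOPBACK_REDIRECT, verifier)
```

The two checks in parse_callback are the ones that matter for a loopback redirect: the response must land on a registered URI, and the state must match the attempt that is still waiting, otherwise a code injected by another local process or a stale tab would be redeemed.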

Once you press Activate, you will be given a Client ID. Copy this, because you will need it to create your Trust Requirement.

The Client ID

Creating your Trust Requirement

Now that the JumpCloud configuration is complete, we can create our Enclave Trust Requirement.

When defining a new User Authentication Trust Requirement in the Enclave Portal, select JumpCloud from the Authority dropdown, and provide the Client ID you collected in the previous step.

JumpCloud Trust Requirement

Once you press Save, you can start using your JumpCloud Trust Requirement in an Enclave Policy. Your users will then be prompted to log in and will be sent to your JumpCloud tenant for authentication.