JumpCloud


Last updated 4 months ago


  1. Log in to your JumpCloud admin account.

  2. Navigate to SSO Applications.

  3. Add a new SSO Application.

  4. Select "Custom" on this screen.

  5. Select "Configure SSO with OIDC".

  6. Fill in the app's display label in the next form.

  7. After finishing this configuration you will be redirected to your newly created SSO Application's settings. Go to the "SSO" tab first.

  8. Configure as follows:

    Make sure to set the Redirect URI and Login URL so that they match your Defguard setup. If you access your Defguard dashboard at, e.g., https://defguard.example.net, your redirect URI will be https://defguard.example.net/auth/callback and the login URL https://defguard.example.net/auth/login. Additionally, if you are using a Defguard proxy to enroll users, you can add another redirect URI in the form of <DEFGUARD_ENROLLMENT_URL>/openid/callback, where <DEFGUARD_ENROLLMENT_URL> is the address at which your proxy enrollment page is accessible.

  9. Next, select the profile scope and add an email user attribute mapping by hand.

    It's important not to select the email standard scope checkbox: it automatically adds a constant email_verified field which doesn't conform to the OpenID standard and doesn't work with Defguard. You can see the following section for more information: .

  10. Click "Activate". You will be presented with a client ID and a secret. Copy both of them, as you will need to insert them in Defguard's settings.

  11. Go to Defguard settings, open the OpenID tab, select the Custom provider tab and paste the copied values.

    Set the base URL to https://oauth.id.jumpcloud.com/. The display name may be whatever you want.

  12. Back in JumpCloud, make sure your users have access to the SSO Application. You can enable it by navigating to the User groups menu and selecting the group whose members should be able to log in through JumpCloud. Only users from this group will be able to log in to Defguard with JumpCloud. In this example, we will select the All users group, which is a dynamic group containing every user.

  13. Now in the group settings menu, select the Applications tab and select the checkbox next to your newly created app. This will enable the app for that group. Click Save group when you finish.

  14. Now you should be able to log in to Defguard with JumpCloud.
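A pre-flight check for the procedure above, added here as an example and not part of the Defguard documentation or code: it derives the Redirect URIs and Login URL from step 8 and inspects the claims of an ID token from a test login for the problems described in step 9. The function names, the enroll.example.net host and the sample tokens are constructed for illustration; the check assumes the non-conforming email_verified value is a non-boolean, since OpenID Connect Core defines that claim as a boolean.

```python
import base64
import json
from urllib.parse import urlsplit

def defguard_oidc_urls(dashboard_url, enrollment_url=None):
    """Derive the Redirect URIs and Login URL to enter in JumpCloud's SSO tab."""
    def base(url):
        parts = urlsplit(url)
        # Added check (not from the page): refuse non-https callback hosts.
        if parts.scheme != "https" or not parts.netloc:
            raise ValueError(f"expected an https URL, got {url!r}")
        return f"https://{parts.netloc}{parts.path.rstrip('/')}"
    root = base(dashboard_url)
    redirects = [f"{root}/auth/callback"]
    if enrollment_url:  # only when a Defguard proxy enrolls users
        redirects.append(f"{base(enrollment_url)}/openid/callback")
    return {"redirect_uris": redirects, "login_url": f"{root}/auth/login"}

def decode_claims(id_token):
    """Decode a JWT payload for inspection only; the signature is NOT verified."""
    payload = id_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def claim_problems(claims):
    """Map claim defects back to the JumpCloud setting that causes them."""
    problems = []
    email = claims.get("email")
    if not isinstance(email, str) or "@" not in email:
        problems.append("no usable email claim: add the email attribute mapping")
    # Assumption: the non-conforming value is a non-boolean (OIDC Core: boolean).
    if "email_verified" in claims and not isinstance(claims["email_verified"], bool):
        problems.append("email_verified is not a boolean: untick the email scope")
    return problems

def sample_token(claims):
    """Build an unsigned token from constructed claims (demo input only)."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.constructed"

if __name__ == "__main__":
    print(defguard_oidc_urls("https://defguard.example.net/", "https://enroll.example.net"))
    good = sample_token({"sub": "u1", "email": "alice@example.net"})
    bad = sample_token({"sub": "u1", "email": "alice@example.net", "email_verified": "true"})
    print(claim_problems(decode_claims(good)), claim_problems(decode_claims(bad)))
```

decode_claims only reads the payload for troubleshooting; it does not validate the token and must not be used to make an authentication decision.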
