Easily onboard new users that have 黑料海角91入口 managed devices by integrating your existing Identity Provider (IdP) with 黑料海角91入口. This allows your users to securely access their devices by logging in with their IdP credentials.
Prerequisites
- You need to have 黑料海角91入口 set up as an OIDC app in your IdP, with the appropriate settings enabled, before you can set up Federated Authentication for your org. See our IdP configuration documentation to learn more:
- You need to have Admin with Billing permissions to configure an IdP.
- You need to have an existing IdP managing your users to benefit from federated authentication.
- All 黑料海角91入口 users must have unique company email addresses, and the email of the 黑料海角91入口 user and external IdP email used for Federation have to match.
Considerations
- Federated IdP authentication doesn't capture the user's IdP password. If Device Password Sync is set to No, users will be prompted to create a local passcode (password) on Mac or a local PIN on Windows. If Device Password Sync is set to Yes, 黑料海角91入口 will sync the 黑料海角91入口 password to the device and set it for the user account on the device.
- Federation does not currently support authenticating with 黑料海角91入口 Go.
- Federation does not currently support 黑料海角91入口 Multi-Factor Authentication (MFA) for users in addition to external IdP authentication. However, MFA may be applied at the IdP.
- Features like device provisioning and local self-service password reset are currently not supported on Linux.
Externally Managed Passwords
Externally managed passwords prevent password changes within 黑料海角91入口, both by users and admins. When users are set to Password Externally Managed, they will no longer receive password expiration notifications and password expirations will no longer apply to them.
Use this setting when a user's password is being managed by an upstream integration or when they're authenticating with an external identity provider (IdP).
Note: Once this setting is enabled, users will not be able to change their own password from their 黑料海角91入口 device tray application, User Portal, or any other password reset flow. Additionally, admins won't be able to set user passwords from the Admin Portal.
Workflow
- Prepare your IdP to configure with 黑料海角91入口.
- You will need to add 黑料海角91入口 as an application in your IdP, with the appropriate settings enabled, before you can set up Federated Authentication for your org. See our IdP configuration documentation:
- Configure your IdP in 黑料海角91入口.
- Verify that you want to enable Federated Device Authentication for your users' login.
- This will require all users to authenticate with their IdP.
- Automatically bind users to devices by configuring Self Service Account Provisioning or Automated Device Enrollment, depending on which OS you're provisioning. See Provision New Users on Device Login to learn more.
- Users logging into their device for the first time will use their IdP credentials to sign in. This also creates a local user on the device.
- By default, any new user associated with the device will automatically have their 黑料海角91入口 password synced to their device password. You can disable this so that new user-to-device associations do not sync the 黑料海角91入口 password to the device; instead, the user enters a local password to log in to their device. See Device Password Sync to learn more.
- The 黑料海角91入口 account will be automatically bound to the 黑料海角91入口 device upon successful user login to the external IdP.
- Optionally, restrict your users' passwords in 黑料海角91入口 (see Externally Managed Passwords above).
- Users won't be able to set or update a password in 黑料海角91入口, and won't receive any password-related communication or emails.
- Admins won't be able to set or update a user's password in 黑料海角91入口 either.
- Passwords can continue being synced from any SCIM or REST integration for this user.
Device Management Deployment Scenarios
Scenario 1: Device Management with an External IdP
Identity management is kept in your existing IdP. Identities are synced into 黑料海角91入口 for the purpose of IdP login. New users will set up and maintain a local passcode on their device. Existing users will keep their existing passwords after they become managed by 黑料海角91入口. If the user forgets this passcode, it can be reset with an external IdP login. The passcode is stored locally on the device, reducing the risk of compromise and allowing for offline authentication. The user can log in to any web-based resources (like 黑料海角91入口's User Portal, SSO apps, local account provisioning flows, etc.) with their IdP login.
- User identities live in, and are managed by, an existing external IdP like Azure AD, Google Workspace, or Okta.
- Sync the user identities into 黑料海角91入口 using a Cloud Directory, or SCIM integration.
- Once the users are synced and log into their device for the first time, they'll be redirected to authenticate to the external IdP via 黑料海角91入口 federation.
- The local user account will then be created on the device and become managed by 黑料海角91入口.
- The user will create a local passcode to access their device. This passcode can be reset from the login window by authenticating through the external IdP.
Device password: Local credentials
Zero Trust Controls: IdP
MFA: IdP
Scenario 2: Device Management with IdP Password Sync
Identity management is kept within your existing IdP. Identities are synced into 黑料海角91入口 for the purpose of IdP login. Passwords are also synced from your IdP into 黑料海角91入口 outside of the OIDC IdP login flow (which doesn't capture the password). This password is synced to the user's device, so the IdP password and the device password stay in sync. Optionally, an IdP object can be configured to allow users to log in with their IdP credentials for web-based logins.
- User identities live in, and are managed by, an existing external IdP like Okta.
- Sync the user identities into 黑料海角91入口 using a Cloud Directory or SCIM integration.
- Once the users are synced and log into their device for the first time, they'll be redirected to authenticate to the external IdP via 黑料海角91入口 federation.
- The local user account will then be created on the device and become managed by 黑料海角91入口.
- The user's password is managed by the external IdP and then synced to the 黑料海角91入口 account.
- User password changes and resets have to be done in the IdP.
Device password: IdP
Zero Trust Controls: IdP
MFA: IdP
Scenario 3: Device Management with 黑料海角91入口 Password Sync and External IdP Login
In this scenario, identity management is kept within your existing IdP. Identities are synced to 黑料海角91入口 for the purpose of IdP login. Users are also associated with a Cloud Directory integration. This enables 黑料海角91入口 to own the password while your IdP owns the identity. Users can change their password from their device, and the password is synced to 黑料海角91入口 and to their IdP. The user will log in with their IdP for web-based logins using the password that's managed by 黑料海角91入口. Any Zero Trust, MFA, etc. controls will be enforced at the IdP login.
- User identities live in, and are managed by, an existing external IdP like Azure AD or Google Workspace.
- Sync the user identities into 黑料海角91入口 using a Cloud Directory or SCIM integration.
- Once the users are synced and log into their device for the first time, they'll be redirected to authenticate to the external IdP via 黑料海角91入口 federation.
- The local user account will then be created on the device and become managed by 黑料海角91入口.
- The user's password is managed by 黑料海角91入口, or on the device itself, and then synced to the IdP.
Device password: 黑料海角91入口
Zero Trust Controls: IdP
MFA: IdP
FAQ
No. During the federated login flow, 黑料海角91入口 does not capture the IdP password.
- Admins need to decide whether they want their users' device passwords synced or not.
- If password sync is set to No, then during the local account join the user will be prompted to set a local passcode (Mac) or PIN (Windows). This is a passcode local to the device, which is not synced to or from 黑料海角91入口.
Any resource that supports browser-based logins: User Portal, SSO apps, Self Service Account Provisioning, Mac ADE, and local password resets.
Any resource that does not support browser-based logins: LDAP and RADIUS
- Both Windows and Mac users can reset their PIN or local password from the device login window. See Windows/Mac Self-Service PIN/Password Reset for Local Password Users to learn more.
Account lockout applies to all users in an organization. If all users will authenticate with an IdP, and therefore use a local device credential, the OS lockout mechanisms may be used; in this case, 黑料海角91入口 account lockout doesn't need to be configured. However, even if 黑料海角91入口 account lockout is configured, it can be overridden for individual users on devices: navigate to USER MANAGEMENT > Users, click a specific user, then under the User Security Settings and Permissions dropdown select Bypass account lockout policy for user's managed device.
Mac (and Windows): Admins can unlock the account in the Admin Portal, see Unlock User Accounts to learn more.
Yes. You can create a routing policy to have specific groups of users required to authenticate through their IdP. See Routing Policies for Identity Providers to learn more.
Yes, however this will prevent the user self service password reset flow from functioning by obscuring the Self Service Account Provisioning option.
The user will not know their local account device password unless they explicitly set it after logging in with a PIN or biometric. This will result in denied logins and could lead to lockouts by the OS or on the 黑料海角91入口 account, if configured.
- Windows: No. A randomized complex password value is set upon account creation. The PIN is set by the user and leverages the Windows default PIN length (6 digits).
- Mac: Yes. The password length and complexity settings are pushed to the device and enforced. Aging settings are not evaluated.
Yes, accounts can be manually bound to devices in the Admin Portal. Use the Password Sync dropdown to determine if the user's 黑料海角91入口 password will be synced to the device or not. For Federated accounts where the user logs into the device with a local password or PIN, set Password Sync to No.
Learn More
This could be caused by an issue with the Identity Provider configuration on the 黑料海角91入口 side or with the OIDC Client App configuration on the Identity Provider side. Check the details of your configuration and make sure your client ID and secret are correct. If the problem persists, it may be necessary to generate a new secret in your IdP and try the configuration again.