Admins may need certain users to access two separate JumpCloud accounts in order to reach different resources. You can let a user log in to both JumpCloud organizations with the same account and credentials by configuring the first org as an OIDC Identity Provider (IdP) for the second and setting up a handful of supporting objects (a user mapping, user groups, an SSO application and a routing policy) as described below.
Prerequisites:
- You need to have two separate JumpCloud orgs.
- This applies to both individual admin orgs and MSP tenant orgs.
Considerations:
- In this article the two organizations being mapped to each other are referred to as the Primary org (the one that holds the credentials and acts as the IdP) and the Secondary org (the one the user federates into).
- A federated user who doesn't need the Secondary org all the time can still log in to the Primary org's admin portal directly with their Primary org credentials.
Workflow:
- Create a custom attribute on the user in the Primary org.
- Create a corresponding user in the Secondary org.
- Create user groups: one in the Secondary org for the IdP routing policy, and one in the Primary org for the OIDC app.
- Create an OIDC app in the Primary org.
- Create an IdP in the Secondary org.
- Create a Routing Policy for the IdP in the Secondary org.
- Log in to the Secondary org's User Portal using the Primary org as the IdP.
Tip: Log in to both of the tenant orgs before starting so you can easily go back and forth between the two.
Creating a Custom Attribute for the User Within the Primary Org
To create a custom attribute in the Primary org:
- Log in to the Primary org's JumpCloud admin portal.
- Go to USER MANAGEMENT > Users.
- Click the user you want to create a custom attribute for.
Note: This user needs to have an Active password.
- Under Custom Attributes, add the attribute that maps this Primary org user to the corresponding user in the Secondary org.
- For Attribute Name, use any name you like (for example, SecondaryEmail). The name itself doesn't matter, but it must be spelled identically (it is case-sensitive) on the Secondary org user and in the OIDC app's attribute mapping.
- For Attribute Value, copy the user's Company Email from above and append the login alias the user will use for the Secondary org.
- For example: [email protected]
- Copy the Attribute Value to your clipboard; you'll need it again shortly.
- Click save user.
Now you'll create a corresponding user in the Secondary org.
Creating a Corresponding User in the Secondary Organization
To create a user in the Secondary org:
- Log in to the Secondary org's admin portal.
- Go to USER MANAGEMENT > Users.
- Click the green ( + ) to add a new user.
- Under Details > User Information, enter the required Username, then paste the Attribute Value you copied from the Primary org into the Company Email field. This address is what the Secondary org will match against the email claim it receives from the Primary org at login.
- Under Custom Attributes, add an attribute with exactly the same Attribute Name you used in the Primary org, and paste the Primary org user's Company Email as the Attribute Value. This maps the Secondary org user back to the Primary org user.
- Click save user.
Now there are corresponding users in each org.
Creating a User Group in the Secondary Organization
To create a user group in the Secondary org:
- From the Secondary org's admin portal, go to USER MANAGEMENT > User Groups.
- Click the green ( + ) to add a new User Group.
- Under Details > Group Configuration, enter a Name for the user group.
- For example: Federated Users to the Primary Org
Note: The following membership controls are a suggested use case. You can enter your own conditions as you see fit for your org.
- Under Membership Controls, select Dynamic, then click the Attribute dropdown and select Company Email.
- Click the Operator dropdown and select ends with.
- In the Value field, enter the suffix that every federated user's Company Email ends with (for example, the alias you appended in the Primary org). Anyone whose Company Email ends with that value will be included in this user group, and therefore subject to the routing policy you will bind to it later.
Tip: Click Preview to verify the group membership before saving; make sure it contains only the users you intend to federate.
- Click save. See Configure Dynamic User Groups to learn more.
Creating an OIDC Application in the Primary Organization
- From the Primary org's admin portal, go to USER AUTHENTICATION > SSO Applications.
- Click Get Started, or + Add New Application if you've already configured an SSO app in the past.
- Under Custom Application, click select.
- Next, select the features you would like to enable, click Manage Single Sign-On (SSO), then select Configure SSO with OIDC.
- Click Next.
- Under Enter general info > Display Label, enter a name for the app.
- For example: OIDC for Secondary Org
- Under Show in User Portal, uncheck the Show this application in User Portal option.
- Click Next.
- On the next page, confirm the details, then click Configure Application.
- On the New Application page, under the SSO tab, you need to paste the following URL in the Redirect URIs field: https://login.jumpcloud.com/oauth/callback
- Keep the Client Authentication Type as the default selection of Client Secret Post.
- Under Login URL, enter
- Under Attribute Mapping > USER ATTRIBUTE MAPPING, click Add Attribute.
- Enter email as the Service Provider Attribute Name. This is the claim the Secondary org reads as the user's email address, so its value must be the Secondary org user's Company Email.
- Under JumpCloud Attribute Name, enter the name of the custom attribute you created on the user in the steps above (for example, SecondaryEmail).
Important: The name must exactly match the custom attribute name on the user, including letter case; otherwise the mapping resolves to nothing and the login to the Secondary org fails.
- Click activate.
- You'll receive an Application Saved modal with the app's Client ID and Client Secret. Click Copy next to each and store them somewhere secure, like a password manager; the secret is not shown again later, and anyone holding it together with the Client ID can impersonate this app to the Primary org. See JumpCloud Password Manager for Admins to learn more.
- Then click Got It. You will need both values when configuring the IdP in the Secondary org.
- From the Configured Applications page, click the app, then click the User Groups tab.
- Select a Primary org user group that contains the user(s) you mapped, then click save. This group must live in the Primary org; the Secondary org group from the previous section can't be bound here, so create a Primary org group under USER MANAGEMENT > User Groups if you don't have one yet.
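The user, user-group and OIDC-app steps above must agree with each other across both orgs, and a single character of difference breaks the login. The following pre-flight check is an added example (not JumpCloud's own tooling) that encodes those invariants so you can verify a mapping before testing the login. The records it inspects are constructed, simplified dicts containing only the fields the mapping depends on; the field names (email, attributes, serviceProviderAttributeName, jumpcloudAttributeName) and the sample alias are assumptions, not JumpCloud's user or application schema.

```python
"""Pre-flight check of the cross-org user mapping built in the steps above.

Added example, not JumpCloud's own tooling. The user and app records are
constructed, simplified dicts (just the fields the mapping depends on), not
JumpCloud's real user or application schema. Field names are assumptions.
"""


def check_federation_mapping(primary_user, secondary_user, app_mapping, group_suffix):
    """Return a list of problems; an empty list means the objects are consistent.

    Invariants (each one, if broken, makes the federated login fail or leaves
    the user outside the routing policy):
      1. The OIDC app maps service-provider attribute 'email' from a JumpCloud
         custom attribute whose name matches the users' attribute exactly.
      2. Primary user's custom attribute value == Secondary user's Company Email
         (that value is the email claim the Secondary org matches at login).
      3. Secondary user's custom attribute value == Primary user's Company Email.
      4. Secondary user's Company Email ends with the dynamic group's suffix;
         otherwise the group, and the routing policy bound to it, won't apply.
    """
    problems = []
    if app_mapping.get("serviceProviderAttributeName") != "email":
        problems.append("OIDC app: Service Provider Attribute Name must be 'email'")
    attr = app_mapping.get("jumpcloudAttributeName", "")
    p_attrs = primary_user.get("attributes", {})
    s_attrs = secondary_user.get("attributes", {})
    missing = False
    for org, attrs in (("Primary", p_attrs), ("Secondary", s_attrs)):
        if attr not in attrs:
            missing = True
            # Exact-match rule from the article: flag the case-only near miss.
            near = [k for k in attrs if k.lower() == attr.lower()]
            hint = f" (found {near[0]!r}; names are case-sensitive)" if near else ""
            problems.append(f"{org} user has no custom attribute {attr!r}{hint}")
    if missing:
        return problems  # the value checks below need both attributes to exist
    if p_attrs[attr] != secondary_user["email"]:
        problems.append(
            f"Primary {attr}={p_attrs[attr]!r} != Secondary Company Email "
            f"{secondary_user['email']!r}"
        )
    if s_attrs[attr] != primary_user["email"]:
        problems.append(
            f"Secondary {attr}={s_attrs[attr]!r} != Primary Company Email "
            f"{primary_user['email']!r}"
        )
    if not secondary_user["email"].endswith(group_suffix):
        problems.append(
            f"Secondary Company Email {secondary_user['email']!r} does not end with "
            f"{group_suffix!r}; the dynamic group and its routing policy will not pick up this user"
        )
    return problems


# Constructed sample data: the addresses and the alias ".secondaryorg" are invented.
PRIMARY_USER = {
    "email": "alice@primary.example",
    "attributes": {"SecondaryEmail": "alice@primary.example.secondaryorg"},
}
SECONDARY_USER = {
    "email": "alice@primary.example.secondaryorg",
    "attributes": {"SecondaryEmail": "alice@primary.example"},
}
APP_MAPPING = {"serviceProviderAttributeName": "email", "jumpcloudAttributeName": "SecondaryEmail"}
GROUP_SUFFIX = ".secondaryorg"

if __name__ == "__main__":
    result = check_federation_mapping(PRIMARY_USER, SECONDARY_USER, APP_MAPPING, GROUP_SUFFIX)
    for line in result or ["OK: mapping is consistent"]:
        print(line)
```

Run it with the records exported from each org substituted for the constructed ones; any line other than OK names the exact object to fix.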
Creating JumpCloud as an IdP in the Secondary Organization via the API
To create JumpCloud as an IdP:
- In another tab, open your preferred API client, like Postman.
- The following API call is an example; adapt it for your API client. The x-api-key value is the API key of a Secondary org administrator (the IdP is created in the Secondary org), and the client ID and secret are the ones the Primary org's OIDC app gave you. Treat the API key and the client secret like passwords: keep them out of shared request collections and shell history.
URL: POST https://console.jumpcloud.com/api/v2/identity-providers
Header: content-type: application/json
Header: x-api-key: {Your API Key}
Body:
{
  "name": "{Example: Primary JumpCloud Org}",
  "oidc": {
    "clientId": "{Client ID from Primary org's OIDC app}",
    "clientSecret": "{Client Secret from Primary org's OIDC app}",
    "url": "https://oauth.id.jumpcloud.com"
  },
  "type": "OIDC"
}
- Click Send and confirm the response is successful before continuing.
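The same call as a script, as an added example that is not JumpCloud's own tooling. It uses only the endpoint, headers and body shape shown above; the environment variable names (JUMPCLOUD_API_KEY, PRIMARY_OIDC_CLIENT_ID, PRIMARY_OIDC_CLIENT_SECRET, IDP_NAME) are assumptions chosen so that neither the API key nor the client secret is pasted into the script or echoed to the terminal. Building the request is separated from sending it so the payload can be inspected without touching the network.

```python
"""Create JumpCloud-as-an-IdP in the Secondary org via POST /api/v2/identity-providers.

Added example, not JumpCloud's own tooling. Assumes the endpoint, headers and
body shape shown in the article. Secrets come from environment variables
(assumed names) and the client secret is redacted from all output.
"""
import json
import os
import sys
import urllib.error
import urllib.request

API_URL = "https://console.jumpcloud.com/api/v2/identity-providers"
ISSUER_URL = "https://oauth.id.jumpcloud.com"


def build_idp_payload(name: str, client_id: str, client_secret: str) -> dict:
    """Request body exactly as the article shows it; rejects blank/padded values,
    which are the usual result of a sloppy copy-paste from the Client Secret modal."""
    for label, value in (("name", name), ("clientId", client_id), ("clientSecret", client_secret)):
        if not value or value.strip() != value:
            raise ValueError(f"{label} must be non-empty with no surrounding whitespace")
    return {
        "name": name,
        "oidc": {"clientId": client_id, "clientSecret": client_secret, "url": ISSUER_URL},
        "type": "OIDC",
    }


def build_request(api_key: str, payload: dict) -> urllib.request.Request:
    """Build, but do not send, the POST with the two headers the API expects."""
    body = json.dumps(payload).encode("utf-8")
    return urllib.request.Request(
        API_URL,
        data=body,
        headers={"content-type": "application/json", "x-api-key": api_key},
        method="POST",
    )


def redact(payload: dict) -> dict:
    """Deep copy of the payload that is safe to print or log."""
    safe = json.loads(json.dumps(payload))
    safe["oidc"]["clientSecret"] = "***redacted***"
    return safe


def create_identity_provider(api_key: str, payload: dict, timeout: int = 30):
    """Send the request; returns (HTTP status, decoded body). Needs network access."""
    req = build_request(api_key, payload)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, json.loads(resp.read().decode("utf-8"))
    except urllib.error.HTTPError as err:
        # 4xx responses carry the API's error text; surface it instead of crashing.
        return err.code, {"error": err.read().decode("utf-8", "replace")}


def main() -> int:
    try:
        api_key = os.environ["JUMPCLOUD_API_KEY"]            # Secondary org admin key
        client_id = os.environ["PRIMARY_OIDC_CLIENT_ID"]     # from the Primary org's OIDC app
        client_secret = os.environ["PRIMARY_OIDC_CLIENT_SECRET"]
    except KeyError as missing:
        print(f"missing environment variable {missing}", file=sys.stderr)
        return 2
    name = os.environ.get("IDP_NAME", "Primary JumpCloud Org")
    payload = build_idp_payload(name, client_id, client_secret)
    print("sending:", json.dumps(redact(payload), indent=2))
    status, body = create_identity_provider(api_key, payload)
    print(status, json.dumps(body, indent=2))
    return 0 if status in (200, 201) else 1


if __name__ == "__main__":
    sys.exit(main())
```

The exit code tells a wrapper script whether the IdP was created; the printed body on failure is the API's own error message, with the secret never included.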
Adding JumpCloud as an IdP in the Secondary Organization
To confirm the IdP was added:
- From the Secondary org's admin portal, go to DIRECTORY INTEGRATIONS > Identity Providers.
- Refresh the page. The OIDC identity provider you created via the API (Primary JumpCloud Org in the example above) is listed; click it to open its configuration page.
Add a Routing Policy from the Secondary Organization to the Primary Organization
To add a routing policy:
- From the Secondary org's OIDC Identity Provider Configuration page, under Authentication, click + Routing Policy.
- Under General Info, enter a Policy Name. The Description is optional.
- Under Assignment > User Groups, select the Federated Users to the Primary Org user group that you created in the Secondary org.
- Under Identity Provider Routing, make sure User Authentication With is set to Primary JumpCloud Org.
- Click Create. You'll receive a confirmation that the routing policy was created.
- From now on the routing policy requires everyone in that user group to authenticate with the Primary JumpCloud Org IdP; users outside the group are not affected by it.
Set the User's Password Authority as Federated
Note: This is an optional, but highly recommended step.
To set the user as federated:
- From the Secondary org's admin portal, go to USER MANAGEMENT > Users.
- Click the federated user, then click the Details tab.
- Under Security Settings and Permissions, click the Password Authority dropdown and select Federated Identity Provider.
- Click save user.
- This updates the user's Password Status on the Users list page to Federated Managed by External IdP. The user can no longer change their own password in the Secondary org; the Primary org's credentials are what gate their access.
Logging in to the JumpCloud User Portal using another JumpCloud org as an IdP
To log in to your Secondary org using your Primary org as an IdP:
- Make sure you are logged out of any JumpCloud User Portal sessions.
- From the JumpCloud User Login page, enter the user's Email for the Secondary org (the Company Email with the alias appended).
- Click Continue.
- You'll be redirected to the Primary org's Log in to your application using JumpCloud page.
Important: The previous email is autofilled. Remove the login alias from the end of it so that it reads as the user's Primary org login email.
- Click Continue.
- Enter the Password for the Primary org, then click SSO Login.
- You'll be logged in to the JumpCloud User Portal for the Secondary org.
Now you have federated users in the Secondary org who can log in with their Primary org account.