{"id":888,"date":"2025-04-23T02:39:33","date_gmt":"2025-04-23T02:39:33","guid":{"rendered":"https:\/\/www.rajeshkumar.xyz\/blog\/?p=888"},"modified":"2025-04-23T02:39:34","modified_gmt":"2025-04-23T02:39:34","slug":"comprehensive-cross-domain-sso-integration-parentcomp-okta-%e2%86%94-subcomp-jumpcloud","status":"publish","type":"post","link":"https:\/\/www.rajeshkumar.xyz\/blog\/comprehensive-cross-domain-sso-integration-parentcomp-okta-%e2%86%94-subcomp-jumpcloud\/","title":{"rendered":"Comprehensive Cross-Domain SSO Integration: ParentComp (Okta) \u2194 SubComp (JumpCloud)"},"content":{"rendered":"\n<p>This document explores multiple feasible and industry-validated approaches to integrate Single Sign-On (SSO) between a parent company (ParentComp using Okta) and a subsidiary (SubComp using JumpCloud). The key requirement is:<\/p>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p><strong>Employees of ParentComp must be able to access SubComp-managed apps without creating accounts in JumpCloud. 
They must continue using Okta as their Identity Provider (IdP).<\/strong><\/p>\n<\/blockquote>\n\n\n\n<p>SubComp employees should continue using JumpCloud as their IdP.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">\u2705 Approach 1: <strong>SAML Federation (JumpCloud trusts Okta as IdP)<\/strong><\/h2>\n\n\n\n<figure class=\"wp-block-image size-large\"><a href=\"https:\/\/www.rajeshkumar.xyz\/blog\/wp-content\/uploads\/2025\/04\/image-3.png\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"413\" src=\"https:\/\/www.rajeshkumar.xyz\/blog\/wp-content\/uploads\/2025\/04\/image-3-1024x413.png\" alt=\"\" class=\"wp-image-889\" srcset=\"https:\/\/www.rajeshkumar.xyz\/blog\/wp-content\/uploads\/2025\/04\/image-3-1024x413.png 1024w, https:\/\/www.rajeshkumar.xyz\/blog\/wp-content\/uploads\/2025\/04\/image-3-300x121.png 300w, https:\/\/www.rajeshkumar.xyz\/blog\/wp-content\/uploads\/2025\/04\/image-3-768x310.png 768w, https:\/\/www.rajeshkumar.xyz\/blog\/wp-content\/uploads\/2025\/04\/image-3-1536x620.png 1536w, https:\/\/www.rajeshkumar.xyz\/blog\/wp-content\/uploads\/2025\/04\/image-3.png 1933w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/a><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\">\ud83d\udd27 How It Works:<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>JumpCloud is configured as a SAML Service Provider (SP).<\/li>\n\n\n\n<li>Okta acts as the Identity Provider (IdP) for ParentComp.<\/li>\n\n\n\n<li>JumpCloud delegates auth to Okta when a ParentComp user accesses a resource.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">\u2705 Pros:<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Standards-based and secure (SAML 2.0).<\/li>\n\n\n\n<li>Keeps ParentComp and SubComp identity stacks separate.<\/li>\n\n\n\n<li>Minimal friction for users (SSO).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">\u274c Cons:<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Requires JIT 
provisioning or user mapping.<\/li>\n\n\n\n<li>JIT creates users at login but doesn&#8217;t allow for pre-configuration.<\/li>\n\n\n\n<li>Manual or programmatic mapping still required inside JumpCloud.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">\ud83d\udd0d Real-world Viability:<\/h3>\n\n\n\n<p>Yes \u2013 This is a common enterprise federation pattern. Validated in multi-org SAML setups.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">\u2705 Approach 2: <strong>SCIM Provisioning + SAML Federation (Best for Lifecycle Management)<\/strong><\/h2>\n\n\n\n<figure class=\"wp-block-image size-large\"><a href=\"https:\/\/www.rajeshkumar.xyz\/blog\/wp-content\/uploads\/2025\/04\/image-4.png\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"413\" src=\"https:\/\/www.rajeshkumar.xyz\/blog\/wp-content\/uploads\/2025\/04\/image-4-1024x413.png\" alt=\"\" class=\"wp-image-890\" srcset=\"https:\/\/www.rajeshkumar.xyz\/blog\/wp-content\/uploads\/2025\/04\/image-4-1024x413.png 1024w, https:\/\/www.rajeshkumar.xyz\/blog\/wp-content\/uploads\/2025\/04\/image-4-300x121.png 300w, https:\/\/www.rajeshkumar.xyz\/blog\/wp-content\/uploads\/2025\/04\/image-4-768x310.png 768w, https:\/\/www.rajeshkumar.xyz\/blog\/wp-content\/uploads\/2025\/04\/image-4-1536x620.png 1536w, https:\/\/www.rajeshkumar.xyz\/blog\/wp-content\/uploads\/2025\/04\/image-4.png 1933w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/a><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\">\ud83d\udd27 How It Works:<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Okta provisions users into JumpCloud via SCIM.<\/li>\n\n\n\n<li>JumpCloud still delegates authentication to Okta via SAML.<\/li>\n\n\n\n<li>Ensures users exist in JumpCloud before login.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">\u2705 Pros:<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Full user lifecycle management (create, update, 
delete).<\/li>\n\n\n\n<li>Roles and groups can be pre-assigned in JumpCloud.<\/li>\n\n\n\n<li>Cleanest integration path with most control.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">\u274c Cons:<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Requires SCIM licensing in both Okta and JumpCloud.<\/li>\n\n\n\n<li>More setup effort upfront.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">\ud83d\udd0d Real-world Viability:<\/h3>\n\n\n\n<p>Yes \u2013 This is used extensively by large organizations integrating multiple IdPs. Supported by both platforms.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">\u2705 Approach 3: <strong>Using a Federation Broker (Auth0, AWS Cognito, Keycloak)<\/strong><\/h2>\n\n\n\n<figure class=\"wp-block-image size-large\"><a href=\"https:\/\/www.rajeshkumar.xyz\/blog\/wp-content\/uploads\/2025\/04\/image-5.png\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"404\" src=\"https:\/\/www.rajeshkumar.xyz\/blog\/wp-content\/uploads\/2025\/04\/image-5-1024x404.png\" alt=\"\" class=\"wp-image-891\" srcset=\"https:\/\/www.rajeshkumar.xyz\/blog\/wp-content\/uploads\/2025\/04\/image-5-1024x404.png 1024w, https:\/\/www.rajeshkumar.xyz\/blog\/wp-content\/uploads\/2025\/04\/image-5-300x118.png 300w, https:\/\/www.rajeshkumar.xyz\/blog\/wp-content\/uploads\/2025\/04\/image-5-768x303.png 768w, https:\/\/www.rajeshkumar.xyz\/blog\/wp-content\/uploads\/2025\/04\/image-5-1536x605.png 1536w, https:\/\/www.rajeshkumar.xyz\/blog\/wp-content\/uploads\/2025\/04\/image-5.png 1979w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/a><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\">\ud83d\udd27 How It Works:<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>A broker sits in the middle and federates with both Okta and JumpCloud.<\/li>\n\n\n\n<li>SubComp apps authenticate users via the broker.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">\u2705 Pros:<\/h3>\n\n\n\n<ul 
class=\"wp-block-list\">\n<li>Supports multiple IdPs cleanly.<\/li>\n\n\n\n<li>Flexible control for complex multi-tenant setups.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">\u274c Cons:<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Adds a third-party dependency.<\/li>\n\n\n\n<li>Increased operational complexity.<\/li>\n\n\n\n<li>Not ideal for simpler two-org setups.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">\ud83d\udd0d Real-world Viability:<\/h3>\n\n\n\n<p>Yes \u2013 Popular with SaaS companies managing tenant-specific IdPs. Overkill for internal integration.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">\u2705 Approach 4: <strong>OIDC Federation (Advanced Custom Trust)<\/strong><\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">\ud83d\udd27 How It Works:<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>JumpCloud or its apps support OpenID Connect (OIDC) federation with Okta.<\/li>\n\n\n\n<li>Token-based trust validation.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">\u2705 Pros:<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Modern identity standard (OIDC).<\/li>\n\n\n\n<li>Enables fine-grained control over API access.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">\u274c Cons:<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Not natively supported out of the box for JumpCloud.<\/li>\n\n\n\n<li>Requires app-level OIDC config or reverse proxies.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">\ud83d\udd0d Real-world Viability:<\/h3>\n\n\n\n<p>Possible but requires 
app-level customization. Rare in JumpCloud + Okta direct setups.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">\u274c Approach 5: <strong>Direct Integration to SubComp Apps (Bypassing JumpCloud)<\/strong><\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">\ud83d\udd27 How It Works:<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>SubComp apps are configured to trust Okta directly.<\/li>\n\n\n\n<li>Each app must determine which IdP to use.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">\u2705 Pros:<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Fastest direct login route.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">\u274c Cons:<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Bypasses JumpCloud\u2019s policies and access controls.<\/li>\n\n\n\n<li>Management burden increases drastically per app.<\/li>\n\n\n\n<li>Duplicates IdP logic and breaks central control.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">\ud83d\udd0d Real-world Viability:<\/h3>\n\n\n\n<p>Technically feasible, but poor design for long-term control. 
Not recommended.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">\u274c Approach 6: <strong>Full Migration to Okta (Unified IdP)<\/strong><\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">\ud83d\udd27 How It Works:<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>SubComp migrates to Okta completely.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">\u2705 Pros:<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Centralized identity control.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">\u274c Cons:<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Violates the requirement to keep JumpCloud for SubComp.<\/li>\n\n\n\n<li>Involves large migration effort and user disruption.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">\ud83d\udd0d Real-world Viability:<\/h3>\n\n\n\n<p>Yes \u2013 but <strong>not<\/strong> aligned with the stated requirement.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">\u2705 Final Recommendation:<\/h2>\n\n\n\n<p><strong>Use SAML Federation with SCIM Provisioning<\/strong> between Okta (ParentComp) and JumpCloud (SubComp). 
This offers the best mix of:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Seamless SSO<\/li>\n\n\n\n<li>User lifecycle control<\/li>\n\n\n\n<li>Role-based access via groups<\/li>\n\n\n\n<li>Standards-based interoperability<\/li>\n<\/ul>\n\n\n\n<p><strong>Key Implementation Checklist:<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Confirm JumpCloud supports external SAML IdPs (Yes).<\/li>\n\n\n\n<li>Enable SCIM provisioning in Okta and JumpCloud.<\/li>\n\n\n\n<li>Configure SAML attribute mappings and group assignments.<\/li>\n\n\n\n<li>Test end-to-end login, JIT creation, and policy enforcement.<\/li>\n\n\n\n<li>Document access policies for ParentComp users in JumpCloud.<\/li>\n<\/ul>\n\n\n\n<p>This approach allows both companies to retain control over their identity systems while enabling secure cross-access and future scalability.<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><tbody><tr><td><strong>Approach<\/strong><\/td><td><strong>Authentication Flow<\/strong><\/td><td><strong>User Creation<\/strong><\/td><td><strong>IdP Used by ParentComp<\/strong><\/td><td><strong>IdP Used by SubComp<\/strong><\/td><td><strong>Pros<\/strong><\/td><td><strong>Cons<\/strong><\/td><td><strong>Viability<\/strong><\/td><\/tr><tr><td><strong>1. SAML Federation<\/strong><\/td><td>Okta \u2192 SAML \u2192 JumpCloud<\/td><td>JIT or Manual Mapping<\/td><td>Okta<\/td><td>JumpCloud<\/td><td>Simple SSO with JIT; standards-based<\/td><td>Requires JIT setup; no pre-assignments<\/td><td>\u2705 Recommended<\/td><\/tr><tr><td><strong>2. SCIM + SAML Federation<\/strong><\/td><td>SCIM (Okta \u2192 JumpCloud) + SAML Login<\/td><td>SCIM Provisioning<\/td><td>Okta<\/td><td>JumpCloud<\/td><td>Full lifecycle + clean SSO<\/td><td>More setup; needs SCIM licenses<\/td><td>\u2705 Most Robust<\/td><\/tr><tr><td><strong>3. 
Identity Broker<\/strong><\/td><td>Broker mediates between Okta and JumpCloud<\/td><td>Depends on Broker Setup<\/td><td>Okta (via Broker)<\/td><td>JumpCloud (or Broker)<\/td><td>Multi-IdP support; flexible<\/td><td>Extra infra; complex routing<\/td><td>\u26a0\ufe0f Complex but Possible<\/td><\/tr><tr><td><strong>4. OIDC Federation<\/strong><\/td><td>OIDC token from Okta to App<\/td><td>Manual \/ API Mapping<\/td><td>Okta<\/td><td>JumpCloud-compatible App<\/td><td>Token-level granularity<\/td><td>Custom app config needed<\/td><td>\u26a0\ufe0f App-dependent<\/td><\/tr><tr><td><strong>5. Direct App Integration<\/strong><\/td><td>Each App trusts Okta directly<\/td><td>None or per-app logic<\/td><td>Okta<\/td><td>Bypassed<\/td><td>Direct path, no intermediary<\/td><td>Bypasses JumpCloud controls<\/td><td>\u274c Not Scalable<\/td><\/tr><tr><td><strong>6. Full Migration to Okta<\/strong><\/td><td>JumpCloud users migrated to Okta<\/td><td>Full migration<\/td><td>Okta<\/td><td>Not Used<\/td><td>Centralized identity system<\/td><td>Breaks current JumpCloud usage<\/td><td>\u274c Violates Requirements<\/td><\/tr><\/tbody><\/table><\/figure>\n","protected":false},"excerpt":{"rendered":"<p>This document explores multiple feasible and industry-validated approaches to integrate Single Sign-On (SSO) between a parent company (ParentComp using Okta) 
[&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-888","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"_links":{"self":[{"href":"https:\/\/www.rajeshkumar.xyz\/blog\/wp-json\/wp\/v2\/posts\/888","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.rajeshkumar.xyz\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.rajeshkumar.xyz\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.rajeshkumar.xyz\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.rajeshkumar.xyz\/blog\/wp-json\/wp\/v2\/comments?post=888"}],"version-history":[{"count":1,"href":"https:\/\/www.rajeshkumar.xyz\/blog\/wp-json\/wp\/v2\/posts\/888\/revisions"}],"predecessor-version":[{"id":892,"href":"https:\/\/www.rajeshkumar.xyz\/blog\/wp-json\/wp\/v2\/posts\/888\/revisions\/892"}],"wp:attachment":[{"href":"https:\/\/www.rajeshkumar.xyz\/blog\/wp-json\/wp\/v2\/media?parent=888"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.rajeshkumar.xyz\/blog\/wp-json\/wp\/v2\/categories?post=888"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.rajeshkumar.xyz\/blog\/wp-json\/wp\/v2\/tags?post=888"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}