The Bob (HiBob) integration automates user creation, updates, and deprovisioning in JumpCloud based on events that occur in Bob. The automation creates efficiencies for IT and HR by reducing manual processes related to onboarding new hires, role changes, and offboarding. It also reduces security concerns related to manual data entry and access based on outdated user data.
Read this article to learn how to configure the Bob Integration.
Prerequisites
- A JumpCloud administrator account.
- JumpCloud SSO Package or higher or SSO add-on feature.
- A JumpCloud API key to connect Bob and JumpCloud.
- Administrator account in Bob.
- If you will be configuring SSO, request your company ID from HiBob support.
Important Considerations
- We recommend creating a separate JumpCloud administrator account to generate the JumpCloud API key for this integration.
- To use the staged user state in JumpCloud, contact HiBob’s support team and ask them to change the default behavior.
- We recommend setting your user state default to Staged to make it easier to identify users who have been imported and to complete the onboarding process without granting access. You can learn more about the Staged user state at Manage User States.
- By default, the Bob integration will only create the user in an active or suspended (inactive) user state unless HiBob support changes this default behavior.
- Bob users created before the JumpCloud integration was configured will be synchronized in JumpCloud once one of the mapped properties is updated for those users in Bob.
- Bob users not in JumpCloud will be created.
- Bob users who have already been created in JumpCloud will be updated.
- You can ask HiBob’s support team to trigger a synchronization of all employees to JumpCloud.
- The Bob integration is managed and supported by the HiBob team. Please contact the HiBob support team first if you encounter issues with the integration.
- We recommend that you do not set a default password in Bob. Setting a default password prevents you from being able to send a welcome email allowing the user to set their own password. You can set one later in JumpCloud if needed.
Configuring the Identity Management Integration
To get your JumpCloud API Key
Note: The Admin API key needs to belong to an Admin that has one of the following roles: Manager, Administrator, or Admin with Billing. Creating an administrator service account with one of these roles is one way to ensure the integration isn't dependent on a specific admin account.
Generating a new API key revokes access for the current API key.
- Log in to the JumpCloud Admin Portal with the administrator account you want to use to generate the API key for this integration.
- Click your initials in the top right corner.
- Select My API Key.
- Click on Generate New API Key.
- Copy the API Key and store it securely, or leave this tab open while you complete the integration configuration steps in the SP.
This is the only time your API key will be visible to you. Store it somewhere safe, such as the JumpCloud Password Manager, so you can access it later.
To configure the JumpCloud default user state
Review Manage User States for more information.
- Log in to the JumpCloud Admin Portal.
- Navigate to Users > Settings.
- Set the Manual / Single User API and CSV Import / Bulk User API Import values to the default user state you prefer for users created by the integration.
- Click Save.
To configure the JumpCloud integration in Bob
Review Bob's JumpCloud integration for more information.
- Log in to Bob with an administrator account.
- From the left menu, select Settings > Integrations.
- In the Provisioning category, select the JumpCloud thumbnail.
- Enter your JumpCloud API token.
- Click Save.
- Select when you want users created in JumpCloud:
- On profile creation in Bob.
- On start date.
- Before start date.
- Select the users to be synced to JumpCloud:
- All Employees.
- Users meeting a certain condition, or a chosen set of users.
- The list can be further filtered to users whose work email address matches a specified domain(s).
- Select the value for What status do users in Jumpcloud start with? This controls in which user state a user is created. The choices are:
- Inactive until start date – creates users in the suspended user state and then automatically changes the user state to active on their start date. Resources cannot be assigned to users when they are in a suspended user state in JumpCloud.
- Active – creates users in the active user state. Users have access to all assigned resources when they are in an active user state.
- Inactive – creates users in the suspended user state.
If you want users created in the Staged user state, which is recommended, you must contact Bob support and have that option enabled.
- Click Save.
- Select your data mapping and click Save. Refer to the Bob help center article for more information.
Bob User Attributes
Bob Field Name | JumpCloud Attribute | JumpCloud UI Field Name | Notes |
---|---|---|---|
 | username | Username | Defaults to first part of email address (everything before the @ symbol). This is a required field in JumpCloud. If a user already exists in JumpCloud with a matching email, the Username for that user will not be overwritten by Bob. |
First name | firstname | First Name | |
Surname | lastname | Last Name | |
Middle name | middlename | Middle Name | |
Display name | displayname | Display Name | |
Work phone | phonenumbers[{type:work}] | Work Phone | |
Work mobile | phonenumbers[{type:cell}] | Work Cell | |
Title | jobTitle | Job Title | |
Department | department | Department | |
Employee ID | employeeIdentifier | Employee ID | |
Site | location | Location | |
Employment type | employeeType | Employee Type | |
Employee status | state | User state | This is a calculated field. For new active users, the user state will be set based on the JumpCloud organization setting. |
Syncing Users
- Users are automatically created in JumpCloud when new hires are added to Bob.
- Users are automatically updated when changes are made to employee profiles.
- Users are automatically deactivated in JumpCloud when employees leave the company if the Deactivation option is enabled.
- A manual sync can be triggered at any time.
- Log in to Bob with an administrator account.
- From the left menu, select Settings > Integrations.
- In the Provisioning category, click Manage on the JumpCloud thumbnail.
- Scroll down to the Manual Syncs section.
- Click Sync Now.
- You can download the manual sync results.
- You can see the status of each record in the Synced Records section.
User Sync Troubleshooting
You can see the status of each user record for which a sync was attempted in the Synced user section. If there was a failure, click on the stacked ellipses menu and choose details. A window will show detailed error message information.
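To check the outcome of a sync independently of Bob's Synced Records view, the sketch below reconciles a Bob employee export against a JumpCloud user export using the attribute mapping from the table above. It is an added example, not JumpCloud or HiBob code. The record shapes are constructed, the keys "Work email", "Left" and "Start date" are hypothetical, and the state spellings ACTIVATED and SUSPENDED are assumed to be how the JumpCloud export labels the active and suspended user states.

```python
from datetime import date

# Bob field name -> JumpCloud attribute (subset of the mapping table above).
FIELD_MAP = {
    "First name": "firstname", "Surname": "lastname", "Title": "jobTitle",
    "Department": "department", "Employee ID": "employeeIdentifier",
}

def reconcile(bob_employees, jc_users, today):
    """Return sorted (email, finding) pairs for sync gaps and drift."""
    jc_by_email = {u["email"].lower(): u for u in jc_users}
    findings = []
    for emp in bob_employees:
        email = emp["Work email"].lower()
        user = jc_by_email.pop(email, None)
        if user is None:
            if not emp["Left"]:
                findings.append((email, "no JumpCloud user"))
            continue
        if emp["Left"]:  # offboarded in Bob: must not stay active
            if user["state"] == "ACTIVATED":
                findings.append((email, "leaver still ACTIVATED"))
            continue
        starts = date.fromisoformat(emp["Start date"])
        if starts > today and user["state"] == "ACTIVATED":
            findings.append((email, "ACTIVATED before start date"))
        for bob_field, jc_attr in FIELD_MAP.items():
            if emp.get(bob_field) != user.get(jc_attr):
                findings.append((email, "drift in " + jc_attr))
    findings += [(e, "not in Bob") for e in jc_by_email]  # leftovers
    return sorted(findings)

# Constructed sample records; key names outside FIELD_MAP are assumptions.
BOB_BASE = {"First name": "Ana", "Surname": "Diaz", "Title": "Engineer",
            "Department": "R&D", "Employee ID": "1001", "Left": False,
            "Start date": "2024-01-08"}
JC_BASE = {FIELD_MAP[k]: v for k, v in BOB_BASE.items() if k in FIELD_MAP}
SAMPLE_BOB = [
    {**BOB_BASE, "Work email": "ana@example.com"},
    {**BOB_BASE, "Work email": "ben@example.com", "Left": True},
    {**BOB_BASE, "Work email": "cy@example.com", "Start date": "2024-09-02"},
    {**BOB_BASE, "Work email": "dee@example.com", "Department": "Sales"},
]
SAMPLE_JC = [{**JC_BASE, "email": e, "state": "ACTIVATED"} for e in (
    "ana@example.com", "ben@example.com", "cy@example.com",
    "Dee@example.com", "svc-hibob@example.com")]

if __name__ == "__main__":
    for email, finding in reconcile(SAMPLE_BOB, SAMPLE_JC, date(2024, 6, 1)):
        print(f"{email}: {finding}")
```

A "not in Bob" finding is not necessarily a fault: the separate administrator account recommended for the API key, for example, has no Bob record.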
Configuring the SSO Integration
To configure JumpCloud
Read the SAML Configuration Notes KB before you start configuring the connector.
- Log in to the JumpCloud Admin Portal.
- Go to USER AUTHENTICATION > SSO Applications.
- Click + Add New Application, search for the application and click configure.
- In the General Info tab, enter a name for the app in the Display Label field (e.g., Bob).
- Click activate then continue.
- Search for the application in the Configured Applications list, select it, and then select the SSO tab.
- In the ACS URLs section, replace “YOUR_ID” in https://app.hibob.com/api/saml/callback?client_name=samlYOUR_ID with the company ID provided by HiBob support (e.g., https://app.hibob.com/api/saml/callback?client_name=saml9827983742).
- Make sure that Declare Redirect Endpoint is checked.
- In the field terminating the IdP URL, either leave the default value or enter a plaintext string unique to this connector.
- Select save.
- Open the Bob app you just activated and click the SSO tab.
- Click Export Metadata.
To configure Bob
- Provide HiBob support with the exported metadata file to set up SSO on the HiBob side.
Authorizing User SSO Access
Users are implicitly denied access to applications. After you connect an application to JumpCloud, you need to authorize user access to that application. You can authorize user access from the Application Configuration panel or from the Groups Configuration panel.
To authorize user access from the Application Configuration panel
- Log in to the JumpCloud Admin Portal.
- Go to USER AUTHENTICATION > SSO Applications, then select the application to which you want to authorize user access.
- Select the User Groups tab. If you need to create a new group of users, see Get Started: User Groups.
- Select the check box next to the group of users you want to give access.
- Click save.
To learn how to authorize user access from the Groups Configuration panel, see Authorize Users to an SSO Application.
Validating SSO authentication workflow(s)
IdP Initiated
- Access the JumpCloud User Console.
- Select the application’s tile.
- The application will launch and log in the user.
SP Initiated
- Navigate to your Service Provider application URL.
- You will be redirected to log in to the JumpCloud User Portal.
- The browser will be redirected back to the application and be automatically logged in.
Removing the Integration
These are steps for removing the integration in JumpCloud. Consult your SP's documentation for any additional steps needed to remove the integration in the SP. Failure to remove the integration successfully for both the SP and JumpCloud may result in users losing access to the application.
To deactivate the IdM Integration
- Log in to the JumpCloud Admin Portal.
- Go to USER AUTHENTICATION > SSO Applications.
- Search for the application that you’d like to deactivate and click to open its details panel.
- Under the company name and logo on the left hand panel, click the Deactivate IdM connection link.
- Click confirm.
- If successful, you will receive a confirmation message.
To deactivate the SSO Integration
- Log in to the JumpCloud Admin Portal.
- Go to USER AUTHENTICATION > SSO Applications.
- Search for the application that you’d like to deactivate and click to open its details panel.
- Select the SSO tab.
- Scroll to the bottom of the configuration.
- Click Deactivate SSO or Deactivate Bookmark.
- Click save.
- If successful, you will receive a confirmation message.
To delete the application
- Log in to the JumpCloud Admin Portal.
- Go to USER AUTHENTICATION > SSO Applications.
- Search for the application that you’d like to delete.
- Check the box next to the application to select it.
- Click Delete.
- Enter the number of applications you are deleting.
- Click Delete Application.
- If successful, you will see an application deletion confirmation notification.