Streamline user lifecycle management for your organization by connecting any generic Service Provider (such as an HRIS provider or other user directory) with JumpCloud using JumpCloud's SCIM API. This type of integration can enable real-time user data syncing from the Provider to JumpCloud, automating user creations, updates, and suspensions in JumpCloud based on updates made in the Service Provider.
This integration lets you manage your organization’s user identities in the Service Provider, and easily connect users to all of the IT resources they need through JumpCloud.
Prerequisites:
- A Service Provider that supports an integration to a SCIM API (it must have a SCIM client).
- A Service Provider account with the appropriate level of permissions to connect to an external SCIM API
- A JumpCloud organization
- A JumpCloud Admin account with Administrator role access and API access enabled.
- We strongly recommend creating a separate admin account just for this integration. This will allow you to easily identify the actions taken by the integration and avoid breaking the integration if a person leaves or changes roles.
- A JumpCloud API key that will be used in the custom x-api-key header. Learn how to generate your API key below.
Considerations:
- Your Service Provider is where identities are sourced and serves as the “source of truth” or “authority” for user attributes. Once that identity is in JumpCloud, admins can manage access, authentication, and extend that identity to all JumpCloud managed resources.
- When a user is created in the Service Provider, they will be added in JumpCloud as a user with a pending password status. This means a user will need to establish and maintain their password within JumpCloud. Imported users won’t automatically be sent an activation email upon creation.
- Currently, the API token doesn’t expire.
- The generic SCIM integration uses SCIM Version 2.0.
- The JumpCloud SCIM API is based on version 2.0 of the SCIM Standard.
- Real-time Group import isn’t currently supported.
Attribute Considerations:
- Any attributes that have been selected within your Service Provider for export to JumpCloud will overwrite values existing in JumpCloud with each update that is triggered in the Service Provider.
- We recommend that Administrators enable read-only on the user’s portal profile page for all users, in the Organization Settings within the JumpCloud Admin Portal, to prevent users and other administrators from updating attributes in JumpCloud.
Generically Integrating with the JumpCloud SCIM Server
To integrate with the SCIM server:
- Log in to the JumpCloud Admin Portal.
- Click on your initials in the top right corner, then click API Settings to access your API Key.
- Copy this key to paste in the API Key/Secret Token field of your Service Provider later.
- Now, log into your Service Provider’s administrator account.
- Every Service Provider will have a different way of accessing application integrations.
- You should look for a gallery of available applications to install, find or search for JumpCloud and install the application.
JumpCloud isn’t listed in every Service Provider’s application gallery. If this is the case, you will need to create a custom application for JumpCloud.
- If you create a new application, we recommend using a name like Real-time JumpCloud Import, or something similar.
- Now, open the application dashboard. Each Service Provider will ask different questions about the application, for example: Which attributes do you want to send to JumpCloud? Enable or disable Single Sign On (SSO)? User provisioning settings, and so on. However, all of them will require a Tenant URL and a JumpCloud API Key (also commonly known as a Secret Token).
- Tenant URL: For JumpCloud this is a SCIM based URL, https://api.jumpcloud.com/scim/v2
- API Key/Secret Token: A JumpCloud API key should be used to authorize this integration. The API key in JumpCloud is associated with an admin account. Use an admin account with a role of Admin with Billing, Administrator, or Manager, and one that will be a long-lived admin account for your organization.
- From your Admin portal, click on your initials in the top right corner, then click API Settings to access your API Key.
- Copy/paste this key into the API Key/Secret Token field.
- You should receive a notification from your Service Provider that JumpCloud was saved/created successfully.
- To confirm this, go back to the Service Provider’s application gallery and confirm that your newly created application (JumpCloud or Real-time JumpCloud Import) is there.
- Make sure that all the other settings you want integrated with JumpCloud are set, including attribute mappings, provisioning, email notifications, group sync, Single Sign On (SSO) etc…
- Note: Take a look at the Attribute Mappings table below to see which attributes JumpCloud sends to Service Providers, because not all attributes are supported.
- Your integration is now established. If you go back to your JumpCloud Administrator console, go to USER MANAGEMENT > Users and refresh the page, you will see newly added users in a password pending state.
Connector Attribute Mappings
The following table lists attributes that the JumpCloud SCIM client will accept from this integration. Learn about JumpCloud Properties and how they work with systemusers in our API.
JumpCloud Property | JumpCloud UI | SCIM v2 Mapping | JumpCloud Validation | Type |
---|---|---|---|---|
username | Username | userName | required, no special characters, (max length 1024). note: email may not be used as username. Some integrations leverage the email substring for the username | string |
firstname | First Name | name.givenName | max length 1024 | string |
lastname | Last Name | name.familyName | max length 1024 | |
| | Company Email | emails: value (primary) | email, required, max length 1024 | string |
displayName | Display Name | displayName | - | string |
password | password | password | subject to org settings | string |
!suspended && !passwordExpired | N/A | active | - | boolean |
N/A | N/A | meta.created | - | string |
N/A | N/A | meta.lastModified | - | string |
jobTitle | Job Title | title | - | string |
department | Department | urn:ietf:params:scim:schemas:extension:enterprise:2.0:user:department | - | string |
location | Location | locale | - | string |
costCenter | Cost Center | costCenter | - | string |
employeeType | Employee Type | userType | - | string |
company | Company | organization | - | string |
employeeIdentifier | Employee ID | urn:ietf:params:scim:schemas:extension:enterprise:2.0:user:employeeNumber | - | string |
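To show what a Service Provider's SCIM client sends once the Tenant URL and API key are configured, the following added example (not JumpCloud's or any Service Provider's code) maps a constructed HR record onto the SCIM v2 attributes in the table, applies the "required" and "max length 1024" rules, and prepares the create-user request without sending it. The record field names, the `JUMPCLOUD_API_KEY` environment variable, the "@" test used for the email-as-username rule, and the `/Users` path (the standard SCIM 2.0 resource endpoint) are assumptions.

```python
import json
import os
import urllib.request

TENANT_URL = "https://api.jumpcloud.com/scim/v2"  # Tenant URL given on this page
CORE = "urn:ietf:params:scim:schemas:core:2.0:User"
# RFC 7643 spelling of the enterprise extension; the table writes it with lowercase "user".
ENTERPRISE = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
MAX_LEN = 1024  # "max length 1024" in the JumpCloud Validation column


def build_scim_user(rec):
    """Map a hypothetical HR record onto the SCIM v2 attributes from the table."""
    errors = [f"{f} is required" for f in ("username", "email") if not rec.get(f)]
    errors += [f"{f} exceeds {MAX_LEN} characters"
               for f in ("username", "firstname", "lastname", "email")
               if len(rec.get(f, "")) > MAX_LEN]
    if "@" in rec.get("username", ""):  # assumption: "@" marks an email address
        errors.append("username may not be an email address")
    if errors:
        raise ValueError("; ".join(errors))
    return {
        "schemas": [CORE, ENTERPRISE],
        "userName": rec["username"],
        "name": {"givenName": rec.get("firstname", ""),
                 "familyName": rec.get("lastname", "")},
        "emails": [{"value": rec["email"], "primary": True}],
        "active": rec.get("active", True),
        "title": rec.get("jobTitle", ""),
        ENTERPRISE: {"department": rec.get("department", ""),
                     "employeeNumber": rec.get("employeeIdentifier", "")},
    }


def build_request(user, api_key):
    """Prepare, but do not send, the create-user call a SCIM client would make."""
    return urllib.request.Request(
        f"{TENANT_URL}/Users", data=json.dumps(user).encode(), method="POST",
        headers={"x-api-key": api_key, "Content-Type": "application/scim+json"})


if __name__ == "__main__":
    sample = {"username": "jdoe", "email": "jdoe@example.com",  # constructed record
              "firstname": "Jane", "lastname": "Doe", "jobTitle": "Analyst",
              "department": "IT", "employeeIdentifier": "E100"}
    # Read the key from the environment rather than hard-coding it: it does not expire.
    key = os.environ.get("JUMPCLOUD_API_KEY", "placeholder-key")
    req = build_request(build_scim_user(sample), key)
    print(req.get_method(), req.full_url)
    print(req.data.decode())
```

Because the API token does not expire and is tied to an admin account, keep it out of source files and logs, and rotate it if the dedicated integration account is ever exposed.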