OIDC Attributes (Claims)

Creating or updating the OIDC App

  1. Log in to the JumpCloud Administrator Portal.
  2. Navigate to USER AUTHENTICATION > SSO.
  3. For a new application:
    1. Click + Add New Application.
    2. Click Custom OIDC App.
    3. Enter a name in the Display Label field. Optionally, add a Description and adjust the Display Option.
    4. Select the SSO tab.
    5. Under Attribute Mapping (optional), use Standard Scopes and configure user, constant, and group attributes.
    6. Click Activate.
  4. For an existing application:
    1. Search for and select the desired application.
    2. Select the SSO tab.
    3. Under Attribute Mapping (optional), use Standard Scopes and configure user, constant, and group attributes.
    4. Click Save.

Attribute Mappings (optional)

Standard Scopes

Scopes are space-separated lists of identifiers that specify which access privileges are being requested. JumpCloud supports two of OIDC's built-in scope identifiers. Each scope includes different user attributes, some of which the Service Provider may require.

Note:

You can edit the Service Provider Attribute Name to match the Service Provider's specifications. The JumpCloud attribute cannot be edited.

Supported Scope Properties

Each entry lists the OIDC property, its description, whether it is required, and the matching JumpCloud property.

  • openid: Identifies the request as an OpenID Connect request. Required: Yes. JumpCloud property: openid
  • profile: Requests access to the end user's default profile claims. Required: No. JumpCloud property: profile
  • email: Requests access to the email and email_verified claims. Required: No. JumpCloud property: email
  • offline_access: Requests a refresh token used to obtain more access tokens without re-prompting the user for authentication. Required: No. JumpCloud property: offline_access

Scope Values

  • openid is required for any OpenID Connect request flow. If the openid scope value isn't present, the request may be a valid OAuth 2.0 request, but it's not an OpenID Connect request.
  • profile requests access to these default profile claims: family_name, given_name.
  • offline_access can only be requested in combination with a response_type that contains code. If the response_type doesn’t contain code, offline_access is ignored.

A Standard Scope can be added to the connector by selecting one or both of the scopes.

Additional User Attributes

Additional attributes can be added to the OIDC connector with or without Standard Scopes. There are three types of attributes available.

User Attribute Mapping

  • User-specific attributes sent to the Service Provider. For example, the Service Provider requires the location and job title for each user. Mapping those two attributes to JumpCloud attributes will add those claims (attributes) to the ID token.

Constant Attributes

  • Constant-value attributes sent to the Service Provider. For example, a constant attribute for session duration limits session times for all users of the application (the service provider).

Group Attributes

  • Groups that connect the user to the application are included in assertions to that application. The Groups Attribute Name is the service provider's name for the group attribute (e.g. memberOf).
  • If the Group Attribute option is selected and the field is prepopulated with the group attribute name, that means we've validated that the group attribute is supported by the service provider. If the Group Attribute option isn't selected and the Groups Attribute Name field is empty, you need to find out on your own whether the service provider supports group attributes.

Note:

When you select the group attribute option for a connector, you must include a Groups Attribute Name. You'll receive an error when you attempt to activate the connector if you select this option and leave Groups Attribute Name blank.

  • Group attributes may be used in some service providers to map roles.
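The scope rules under Scope Values and the three attribute mapping types above, worked through in an added Python example (not JumpCloud's code). The sample user, the Service Provider attribute names, the constant attribute and the group names are constructed, and the relying-party check at the end is an assumed pattern for consuming the resulting claims.

```python
STANDARD_SCOPES = {"openid", "profile", "email", "offline_access"}
PROFILE_CLAIMS = ("family_name", "given_name")  # default profile claims named above

def is_oidc_request(scope: str) -> bool:
    """Without the openid scope the request is plain OAuth 2.0, not OpenID Connect."""
    return "openid" in scope.split()

def effective_scopes(scope: str, response_type: str) -> set:
    """Apply the scope rules: openid is mandatory; offline_access needs 'code'."""
    if not is_oidc_request(scope):
        raise ValueError("not an OpenID Connect request: 'openid' scope missing")
    requested = set(scope.split()) & STANDARD_SCOPES  # unsupported scopes are dropped
    if "code" not in response_type.split():
        requested.discard("offline_access")  # ignored unless response_type contains code
    return requested

def build_id_token_claims(user, scopes, user_mapping, constants, groups_attr, groups):
    """Assemble ID-token claims from the standard scopes and the three mapping types."""
    claims = {"sub": user["id"]}
    if "profile" in scopes:
        claims.update({c: user[c] for c in PROFILE_CLAIMS})
    if "email" in scopes:
        claims["email"], claims["email_verified"] = user["email"], user["email_verified"]
    for sp_name, jc_attr in user_mapping.items():  # user attribute mapping: SP name -> JC attribute
        claims[sp_name] = user[jc_attr]
    claims.update(constants)  # constant attributes: same value for every user
    if groups_attr:  # group attribute, e.g. memberOf
        claims[groups_attr] = sorted(groups)
    return claims

def rp_accept(claims, groups_attr="memberOf", allowed=("app-users",)):
    """Relying-party side: require a verified email and membership in an allowed group."""
    if not claims.get("email_verified"):
        return False
    return any(g in claims.get(groups_attr, []) for g in allowed)

# Constructed sample user and mappings (illustrative only; attribute names are hypothetical)
USER = {"id": "u-123", "given_name": "Ada", "family_name": "Lovelace",
        "email": "ada@example.com", "email_verified": True,
        "location": "London", "jobTitle": "Engineer"}
USER_MAPPING = {"location": "location", "title": "jobTitle"}
CONSTANTS = {"session_duration": 3600}

if __name__ == "__main__":
    scopes = effective_scopes("openid profile email offline_access", "id_token")
    token = build_id_token_claims(USER, scopes, USER_MAPPING, CONSTANTS, "memberOf",
                                  ["engineering", "app-users"])
    print(scopes, token, rp_accept(token))
```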