Integrate with BambooHR

Integrate BambooHR with your JumpCloud account to seamlessly manage and onboard new employees by automatically importing and updating users and their attributes to JumpCloud. This helps limit manual overhead for HR and IT organizations, reduces input error and in combination with the Single Sign On (SSO) with BambooHR SAML connector, JumpCloud provides access to all employee resources through a single set of credentials. 

Prerequisites

  • A JumpCloud Administrator account. 
  • JumpCloud SSO Package or higher or SSO add-on feature.
  • A Full Admin account and BambooHR “advantage” package at minimum.
  • Your BambooHR tenant.
  • Review Bamboo HR’s JumpCloud Integration article.

Important Considerations

  • Email BambooHR Support to enable the JumpCloud integration on your account.
  • Configuring JumpCloud SSO for BambooHR is recommended, but not required.
    • JumpCloud won’t manage or consume the BambooHR password. Setting up SSO with the BambooHR User Portal will let your Users access the Bamboo portal using their JumpCloud credentials.
    • JumpCloud managed users must have an email address that corresponds to an email address associated with a BambooHR account.
  • BambooHR will be the identity source once the SCIM integration is configured and serves as the “master” for user attributes. Once that identity is in JumpCloud, admins can manage access, authentication, and extend that identity to all JumpCloud managed resources. 
  • The SCIM integration is managed by BambooHR. Please contact BambooHR Support for support.
  • The SCIM integration only sends employee records. User records not sent.
  • The SCIM integration is one-way. The employee identities are sent from BambooHR to JumpCloud.
  • Bamboo sends both active and inactive employee records. You will need to monitor the users that are created to ensure any inactive employees that should not be in JumpCloud are deleted.
    • You will need to contact your Account Manager or Account Services to let them know when this situation occurs, so billing can be managed appropriately.
    • If you do not want inactive users to be created, you can remove the work email for the employees who are inactive and store it in the “notes” tab for future reference.. Removing the work email value will prevent the records from syncing to Jumpcloud.
  • We strongly recommend setting Staged as the user default for Manual / Single User API in Settings > User Management > Default User State for User Creation in JumpCloud. Read Manage User States to learn more.
    • You can easily identify new users created by the integration
    • You can assign resources without granting access before the user’s start date
    • You can control whether or not an email is sent to the user when they are activated
    • You can activate the user by changing their user state.
  • When a user is created in BambooHR as an employee, they will automatically be created in JumpCloud on the next scheduled sync based on the settings for the JumpCloud app in BambooHR.
  • If a specific minute is selected from the minute dropdown, that will result in data being sent at that minute past the hour every hour. It does not result in a sync occurring in that minute time interval.  For example, selecting 5 for the minute will result in the data being sent to JumpCloud at 5 minutes past the hour every hour.
    • If you want to sync data more frequently than hourly, select the Every Day, Every Month, Every Hour, Every Minute options. 
  • A user created by this integration will:
    • Be created in the user state specified for Default User State for User Creation for Manual / Single User API.
    • Have a pending password status.
    • Need to establish and maintain their password within JumpCloud.
  • Users created in the Active user state won’t automatically be sent an activation email upon creation. 
  • Updates to the user attributes specified in the settings for the JumpCloud app BambooHR will be synced to JumpCloud as long as the integration is active.
  • Group import isn’t supported. 
  • An employee record in BambooHR must have a company email address for the information to be sent to JumpCloud. 

Important:
  • When you delete a BambooHR managed user in JumpCloud, that user still exists and has a work email address in BambooHR, the user will be recreated in JumpCloud. 
  • When you suspend a user in JumpCloud and the user is still active in BambooHR, the user state for that user will updated and set back to Active in JumpCloud.
  • When you add a user in JumpCloud, the user won’t be created in BambooHR.
  • When you do a manual sync from BambooHR to JumpCloud, a full sync is done, meaning all employee records, both active and inactive users are sent.
  • When you make any changes to the settings for the JumpCloud application in BambooHR, a full sync is done, meaning all employee records, both active and inactive users are sent.
  • There are other triggers that result in a full sync. Please contact BambooHR Support for more information.

Attribute Considerations

  • Any attributes that have been selected within BambooHR for export to JumpCloud will overwrite values existing in JumpCloud with each update that is triggered in BambooHR.
    • It’s recommended to Enable read-only on the user’s portal profile page for all users in the Organization Settings to prevent users and administrators from updating attributes in JumpCloud.

Creating a new JumpCloud Application Integration

  1. Log in to the JumpCloud Admin Portal.
  2. Navigate to USER AUTHENTICATION SSO Applications.
  3. Click + Add New Application.
  4. Type the name of the application in the Search field and select it.
  5. Click Next.
  6. In the Display Label, type your name for the application. Optionally, you can enter a Description, adjust the User Portal Image and choose to hide or Show in User Portal.

Note:

If this is a Bookmark Application, enter your sign-in URL in the Bookmark URL field.

  1. Optionally, expand Advanced Settings to specify a value for the SSO IdP URL. If no value is entered, it will default to https://sso.jumpcloud.com/saml2/<applicationname>.

Warning:

The SSO IdP URL is not editable after the application is created. You will have to delete and recreate the connector if you need to edit this field at a later time.

  1. Click Save Application.
  2. If successful, click:
    • Configure Application and go to the next section.
    • Close to configure your new application at a later time.

Configuring the SSO Integration

Note: SSO is either on or off. There is not an option to allow users to either login with SSO or login with their BambooHR credentials.

To configure JumpCloud

  1. Create a new application or select it from the Configured Applications list.
  2. Select the SSO tab.
  3. In the ACS URL field, replace <YOURDOMAIN> with your account’s registered BambooHR domain name.
  4. Add or change any additional attributes.
  5. Select save.

Download the certificate

  1. Find your application in the Configured Applications list and click anywhere in the row to reopen its configuration window.
  2. Select the SSO tab and click IDP Certificate Valid > Download certificate.

Tip:

The certificate.pem will download to your local Downloads folder.

To configure BambooHR

  1. Log in to BambooHR as an administrator (This user’s email should also be managed by JumpCloud).
  2. Select the Apps icon in the upper right.
  3. Scroll down to the Single Sign-On section, and select the SAML 2.0 icon.
  4. Select the Install button next to the SAML 2.0 icon.
  5. Enter the following information:
    • SSO Login URL – enter the JumpCloud IDP URL.
    • x.509 Certificate – copy and paste the contents of the certificate downloaded in the previous section.
  6. Optionally, select Allow optional email & password login.

Important:

The "allow optional email & password login" enables employees to log in through [OneLogin/Microsoft/SAML/etc] or type in their email and password. Please note that while this is an option, it's recommend to leave this unchecked as installing a single sign-on option will disable the 2-Step Login in BambooHR.

  1. Select Install.

Authorizing User SSO Access

Users are implicitly denied access to applications. After you connect an application to JumpCloud, you need to authorize user access to that application. You can authorize user access from the Application Configuration panel or from the Groups Configuration panel. 

To authorize user access from the Application Configuration panel

  1. Log in to the JumpCloud Admin Portal.
  2. Go to USER AUTHENTICATION > SSO Applications, then select the application to which you want to authorize user access.
  3. Select the User Groups tab. If you need to create a new group of users, see Get Started: User Groups.
  4. Select the check box next to the group of users you want to give access.
  5. Click save

To learn how to authorize user access from the Groups Configuration panel, see Authorize Users to an SSO Application.

Validating SSO authentication workflow(s)

IdP Initiated

  • Access the JumpCloud User Console.
  • Select the application’s tile.
  • The application will launch and login the user.

SP Initiated

  • Navigate to your Service Provider application URL.
  • You will be redirected to log in to the JumpCloud User Portal.
  • The browser will be redirected back to the application and be automatically logged in.

Configuring the Identity Management Integration

To configure BambooHR 1

  1. Log in to your Bamboo administrator account.
  2. From the Home page, select the gear icon in the top right hand corner. This brings up your Settings page. 
  3. Under your Account information, select Apps.
  4. On the next page, under Not Installed, scroll down to find JumpCloud, click Install
  5. A JumpCloud Settings modal pops up, for the question: When would you like your data to be sent?* 
    • The integration is set to send changes every minute by default. We recommend these settings for the most immediate sync. If you want a different schedule, you can customize the cadence that updates sync.
  6. For the next question: Which fields do you want to send to JumpCloud?* Determine which attributes you’d like to manage consistently in BambooHR and sync to JumpCloud.
  7. Keep this page open.

Note: BambooHR will effectively master selected attributes in JumpCloud.

To get your JumpCloud API Key

Note: The Admin API key needs to belong to an Admin that has one of the following roles; Manager, Administrator or Admin with Billing. Creating an administrator service account with one of these roles is one way to ensure the integration isn't dependent on a specific admin account.

Warning:

Once a new API key is generated, this revokes access to the current API key. 

  1. Log in to the JumpCloud Admin Portal with the administrator account you want to use to generate the API key for this integration.
  2. Click your initials in the top right corner.
  3. Select My API Key.
  4. Click on Generate New API Key.
  5. Copy the API Key and store it securely, or leave this tab open while you complete the integration configuration steps in the SP.

Important:

This is the only time your API key will be visible to you. Store it somewhere safe, such as the JumpCloud Password Manager, so you can access it later.

To configure BambooHR 2

  1. Back on your BambooHR page, in the JumpCloud Settings modal, paste the JumpCloud API Key under Add JumpCloud provided API Key* 
  2. Click Install. You will receive a notification that JumpCloud was successfully installed.
  3. Your integration is now established. If you go back to your JumpCloud Administrator console, go to USER MANAGEMENT > Users and refresh the page, you will see newly added users.
    • If you set Staged as the default state, you can see a filtered view of just those users by clicking Staged option above the users list.
    • If you set Active as the default state, you can filter the All or Active view to just users with a password pending password status.

Attribute Mappings

The following table lists attributes that BambooHR sends to JumpCloud. Any updates to the fields selected in the settings for the JumpCloud app will trigger an update to those values in JumpCloud with the exception of work extension.

BambooHR Field Direction JumpCloud UI Field Name Field Type Notes
Work Email To Company Email Standard Employee records will NOT sync to JumpCloud until a Work Email exists in BambooHR. This is a required field in JumpCloud. This field is used as the unique identifier for matching users in JumpCloud with employees in BambooHR.
Work Email To Username Standard Defaults to first part of email address (everything before the @ symbol). This is a required field in JumpCloud. If a user already exists in JumpCloud with a matching email, the Username for that user will not be overwritten by BambooHR.
Status To User State Standard An Inactive status in BambooHR will suspend access for that user in JumpCloud.
First Name To First Name Standard  
Last Name To Last Name Standard  
Preferred Name OR First Name + Last Name To Display Name Standard Populated by Preferred Name and Last Name fields in BambooHR. If no Preferred Name value exists then First Name will be used.
Middle Name To Middle Name Optional  
Employee Number To Employee ID Optional  
Job Title To Job Title Optional  
Division To Company Optional  
Department To Department Optional  
Location To Location Optional  
Location Country To Work Country Optional Location field must be selected in BambooHR App Settings in order to sync.
Location Address Street 1 & Location Address Street 2 To Work Street Address Optional Location field must be selected in BambooHR App Settings in order to sync.
Location City To Work City Optional Location field must be selected in BambooHR App Settings in order to sync.
Location State To Work State Optional Location field must be selected in BambooHR App Settings in order to sync.
Location ZIP/Postal Code To Work Postal Code Optional Location field must be selected in BambooHR App Settings in order to sync.
Work Phone + Ext To Work Phone Optional  
Home Phone To Home Phone Optional  
Mobile Phone To Personal Cell Option  
Address Street 1 & Location Address Street 2 To Home Street Address Optional  
Address City To Home City Optional  
Address State/Province To Home State Optional  
Address ZIP/Postal Code To Home Postal Code Optional  
Address Country To Home Country Optional  

Importing Users

This functionality is helpful if users have already been created in the application but have not been created in JumpCloud.

  1. Log in to the JumpCloud Admin Portal.
  2. Go to USER AUTHENTICATION > SSO Applications.
  3. Search for the application and click to open its configuration panel. 
  4. Select the Identity Management tab.
  5. Click manual import.
  6. Select the users you want to create in JumpCloud from the application from the list of users that appear. Users in the list have two import statuses:
    • New – user has not been imported.
    • Imported – user has been imported and has an account in JumpCloud.

Tip: Try using the New Users-only filter when selecting users to import. This will move all of your new users to the top of the list, making them easier to identify and select.

  1. Click import.
    • If you are importing less than 100 users, your import results will display in real time and you can continue onboarding your users. 
    • If you have more than 100 users being imported, JumpCloud will send you an email when your import is complete.
  1. You can now connect and grant users access to all their JumpCloud resources. Learn more in the Authorize Users to an Application and Connecting Users to Resources articles.

Warning: Imported users must be members of a user group bound to an application for JumpCloud to manage their identity in, and access to, the application.

SCIM Directory Insights Events

The following Directory Insights (DI) events provide visibility into failures and detailed information about the user and group data being added or updated from HR or other external solutions to JumpCloud.

Note:

Customers with no package or the Device Management Package will need to add the Directory Insights à la carte option. Directory Insights is included in all other packages.

SCIM DI Integration Events

Event Name Event Description
idm_integration_activate Logged when an IT admin attempts to activated new SCIM Identity Management integration.
idm_integration_update Logged when an IT admin attempts to update a configured and activated SCIM Identity Management integration.
idm_integration_reauth Logged when an IT admin attempts to change the credentials for an activated SCIM Identity Management integration.
idm_integration_delete Logged when an IT admin attempts to deactivate an activated SCIM Identity Management integration.

SCIM DI User Events

Event Name Event Description
user_create_provision Logged when JumpCloud tries to create a new user in service provider application.
user_update_provision Logged when JumpCloud tries to update an existing user in service provider application.
user_deprovision Logged when JumpCloud tries to change an existing user to inactive in the service provider application.
user_delete_provision Logged when JumpCloud tries to delete an existing user in service provider application.
user_lookup_provision Logged when JumpCloud encounters an issue when trying to lookup a user to determine if the user needs to be created or updated.

If SCIM Groups are supported:

SCIM DI Group Events

Event Name Event Description
group_create_provision Logged when JumpCloud tries to create a new group in service provider application.
group_update_provision Logged when JumpCloud tries to update an existing group in service provider application.
group_delete_provision Logged when JumpCloud tries to delete an existing group in service provider application.

Removing the Integration

Important:

These are steps for removing the integration in JumpCloud. Consult your SP's documentation for any additional steps needed to remove the integration in the SP. Failure to remove the integration successfully for both the SP and JumpCloud may result in users losing access to the application.

To deactivate the IdM Integration

  1. Log in to the JumpCloud Admin Portal.
  2. Go to USER AUTHENTICATION > SSO Applications.
  3. Search for the application that you’d like to deactivate and click to open its details panel. 
  4. Under the company name and logo on the left hand panel, click the Deactivate IdM connection link.
  5. Click confirm
  6. If successful, you will receive a confirmation message.

To deactivate the SSO Integration

  1. Log in to the JumpCloud Admin Portal.
  2. Go to USER AUTHENTICATION > SSO Applications.
  3. Search for the application that you’d like to deactivate and click to open its details panel. 
  4. Select the SSO tab.
  5. Scroll to the bottom of the configuration.
  6. Click Deactivate SSO or Deactivate Bookmark
  7. Click save
  8. If successful, you will receive a confirmation message.

To delete the application

  1. Log in to the JumpCloud Admin Portal.
  2. Go to USER AUTHENTICATION > SSO Applications.
  3. Search for the application that you’d like to delete.
  4. Check the box next to the application to select it.
  5. Click Delete.
  6. Enter the number of the applications you are deleting
  7. Click Delete Application.
  8. If successful, you will see an application deletion confirmation notification.

List IconIn this Article

Still Have Questions?

If you cannot find an answer to your question in our FAQ, you can always contact us.

Submit a Case