Get Started: SCIM Identity Management

Our Identity Management (IdM) Connectors manage application user accounts through the System for Cross-domain Identity Management (SCIM) protocol. These integrations let you automate and centralize user management, and group management where the application supports it, across the full account lifecycle from your JumpCloud Administrator Portal.

After you integrate an application with JumpCloud, depending on an application's IdM action support, you can provision, update, and deprovision users. 

Using SCIM IdM Connectors with JumpCloud

1 – Select an App

Select an application you want to connect with JumpCloud through SCIM. Ensure it has an Identity Management label in the Supported Functionality column - not all applications have both SSO/JIT and IdM functionality at this time. If you do not see your application listed, you may configure a custom SCIM integration or submit a request to have it added to the JumpCloud Integration Catalog.

Note:

In the Identity Management tab, you may see some application connectors with a Beta flag. We're evaluating these connectors in various real-world environments so we can gather feedback to ensure and enhance their performance. 

2 – Configure Your App

You will need to enable SCIM for your Service Provider (SP), obtain the Base URL (if the SP does not use a fixed one) and generate a Token Key. Groups may also be supported. The Token Key is a bearer credential that authorizes every provisioning call JumpCloud makes to the SP: store it only in the connector configuration, never in tickets or chat, and rotate it in the SP if it is exposed. The Base URL must be an https endpoint, since the token is sent on every request.

3 – Import Users

If users have been created in the SP, but not in JumpCloud, a manual import may be initiated after SCIM configuration.

IdM Actions

The following actions are supported with JumpCloud IdM Connectors:

Note:

Not all applications support all three IdM actions.

Provisioning

Important:

SCIM Provisioning differs in both its implementation and output from another type of web app provisioning, Just-in-Time.

Application support for provisioning means that JumpCloud can create user accounts in the connected application. This means that after you integrate an application with JumpCloud, and bind a new user to the application in JumpCloud, a new account is created for the user in the connected application with the following attributes:

SCIM Attribute              JumpCloud Attribute                     Notes
externalId                  id                                      -
userName                    Username                                Match key (see note below)
password                    Password                                Users are provisioned with a temporary password. When the user sets their password, it is pushed to the application. Subsequent password updates are also pushed to the application.
name.givenName              Firstname                               -
name.familyName             Lastname                                -
name.middleName             Middlename                              -
displayName                 Displayname                             -
emails (primary)            Email                                   Match key (see note below)
active                      not Suspended and not PasswordExpired   -
addresses                   Addresses                               Sub-attributes: type, streetAddress, locality, region, postalCode, country (mapped to the JumpCloud address Type, StreetAddress, Locality, Region, PostalCode and Country)
phoneNumbers                Phones                                  Sub-attributes type and value map to the JumpCloud phone Type and Number
employeeNumber              EmployeeIdentifier                      Enterprise User extension
department                  Department                              Enterprise User extension
organization                Company                                 Enterprise User extension
title                       JobTitle                                -

Match key note: before creating an account, JumpCloud looks for an existing user in the service provider application with the specified username and email. If one is found, JumpCloud takes over that account; if none is found, a new user is provisioned in the application with the attributes above. Because the match is on username and email, confirm that the JumpCloud username and email for each user are correct before binding, so that the connector does not take over an unrelated existing account.

Updating

Application support for updating means that JumpCloud can update accounts on the connected application. This means that after you integrate an application with JumpCloud and bind a new user to the application in JumpCloud, anytime you update the user in JumpCloud, the user is updated in the application.

Deprovisioning

Application support for deprovisioning means that JumpCloud can remove a user's access to the connected application. After you integrate an application with JumpCloud and unbind a user from the application in JumpCloud, the user is deactivated in the application: the account still exists in the application, but it is placed in an inactive state. Deprovisioning does not delete the account or its data; if your retention or offboarding policy requires deletion, that step must be carried out in the application itself.

For the most up-to-date list of supported IdM connectors, see JumpCloud's Integration Catalog.

Connecting IdM Applications to JumpCloud

Applications that you can integrate with JumpCloud through an IdM Connector can be found on the Configure New Applications panel with the Identity Management badge displayed. 

  1. Log in to the JumpCloud Admin Portal.
  2. Navigate to USER AUTHENTICATION > SSO.
  3. To connect a new application, click + Add New Application. If the application already has SSO configured, select it from the Configured Applications list.
  4. Select the Identity Management tab.
  5. Choose the attributes to sync, enter the Base URL and Token Key, then click Save.

Managing Employee Access to Applications

Users are implicitly denied access to all JumpCloud resources, including applications. JumpCloud admins must explicitly grant access to SSO applications through the use of user groups.

To grant access to a user group:

  1. Log in to the JumpCloud Admin Portal.
  2. If you haven’t already created a user group, create a new group. See Get Started: User Groups.
  3. If the group exists, in the Admin Portal, go to User Authentication > SSO.
  4. Select the SSO application.
  5. On the Application panel, click the User Groups tab.
  6. Select the user group, then click Save.
