This article discusses how to configure a custom identity management deployment between SailPoint and JumpCloud. To centralize governance and automate user lifecycles without a legacy directory dependency, configure an integration that establishes SailPoint as your primary Identity Provider (IdP).
This architecture enables SailPoint to provision, update, and deprovision identities directly into JumpCloud using the SCIM protocol. Once JumpCloud receives these records, you can use User Groups to extend immediate access to systems, RADIUS networks, and Single Sign-On (SSO) web applications.
Prerequisites:
- A JumpCloud administrator account.
- An active SailPoint administrative dashboard account.
- An active company domain matching your user email records.
Important Considerations:
- Enforcing Read-Only Profiles: To ensure SailPoint remains your primary identity directory, you can change your JumpCloud configuration settings to make user portal profiles read-only. This prevents users from making unapproved local profile changes.
- Managing the Password Pending State: When SailPoint provisions a new user account, JumpCloud automatically places the password into a temporary pending state for security. The account password updates automatically as soon as the user completes their initial login.
- Completing User Activation: To activate access to your managed resources, your users must log in to their JumpCloud User Portal for the first time. This action verifies their identity and immediately syncs their login credentials down to their local devices, RADIUS networks, and web applications.
- Monitoring Directory Syncs: You can track and audit directory sync events in real time by checking both the JumpCloud Directory Insights dashboard and your SailPoint provisioning logs.
Configuring the SCIM Integration
Create a dedicated API service account inside your directory to securely process identity workflows sent from SailPoint.
- Log in to the JumpCloud Admin Portal.
If your data is stored outside of the US, check which login URL you should be using depending on your region. If your organization uses LDAP, RADIUS, or requires firewall allow list configuration, the Fully Qualified Domain Names (FQDNs) will also be region specific. See JumpCloud Data Centers for the URLs, FQDNs, and IP addresses.
- Go to Identity Management > Users.
- Click + Users and select Manual User Creation.
- Enter the required profile information for the service account.
- Click Save User.
- In the left navigation menu, go to Settings.
- Select the Administrators tab, click + Admin, and select From User.
- Choose the service account user you just created, select your preferred role from the Role dropdown, and click Save.
- Log out of your account and log in to the new service account.
- Click your profile menu in the bottom-left corner to open your profile options.
- Click My API Key to open your key settings.
- Click Generate New API Key to copy your secure token key straight to your clipboard.
Configuring the SailPoint Integration
Create a SCIM 2.0 source in your SailPoint workspace so that identity lifecycle events are routed to your JumpCloud organization.
- Log in to your SailPoint dashboard.
- Go to Admin > Connections > Sources.
- Click Create New.
- Search for the SCIM 2.0 connector, select it, and click Configure.
- In the Actions menu dropdown list, click Standard Setup.
- Enter the following details:
- Under Source Name, type a descriptive name for the source (for example, JumpCloud SCIM Target).
- Under Description, enter a short description, such as the team that owns the integration.
- Under Source Owner, select the administrator who owns this source.
- Click Continue.
- Select Connection Settings.
- Under Host URL (Base URL), paste the SCIM endpoint URL for your JumpCloud region's data center and append /Users to the end of the URL path.
- Under Authentication Type, select API Token.
- Paste the API key you generated for the service account into the credential field.
- Click Save.
Testing the Integration
Test the integration in a sandbox environment before provisioning live identities into your production directory.
Running a Connection Validation Check
- Go to the Review and Test section of your SailPoint source configuration.
- Review each field for typos before testing.
- Click Test Connection. A success notification appears when SailPoint can authenticate to the JumpCloud SCIM endpoint.
Testing Lifecycle Sync Stages
- Account Provisioning (Joiner): Create a test user in your SailPoint source. Run a provisioning sync and confirm that the user appears in the Users list in the JumpCloud Admin Portal.
- Attribute Synchronization (Mover): Change an attribute of the test user in SailPoint, such as the last name or a custom organization attribute. Run an attribute sync and confirm that the corresponding field updates in JumpCloud.
- De-provisioning (Leaver): Disable or revoke the test user in SailPoint. Verify that the user's active property becomes false in JumpCloud, which suspends the account and terminates access to managed resources.
Attribute Mappings
SailPoint User Attributes
The following table lists the required and recommended attribute mappings between the SCIM attributes SailPoint sends and the JumpCloud user properties they populate.
| JumpCloud UI Field Name | JumpCloud Property | SCIM Attribute | Notes |
|---|---|---|---|
| Username | username | userName | Required. Must be a unique directory login name. Do not include special characters. |
| Company Email | email | emails[type eq "work"].value | Required. Identifies the user's account in JumpCloud. |
| First Name | firstname | name.givenName | Recommended for profile completeness. |
| Last Name | lastname | name.familyName | Recommended for profile completeness. |
| State | active | active | Required. Controls account status: true for active users, false to suspend the account. |
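The script below is an added example, not JumpCloud's or SailPoint's own code. It turns an identity record into the SCIM 2.0 payloads that the lifecycle tests above exercise (a POST body for the joiner case, PATCH bodies for the mover and leaver cases) and validates the record against the mapping table first. The SCIM attribute paths come from the table; the username character rule, the example record, and the property names `email`, `firstname` and `lastname` as dictionary keys are assumptions. Nothing here contacts JumpCloud; it runs offline.

```python
"""Build and validate SCIM 2.0 user payloads for the SailPoint -> JumpCloud
attribute mapping in the table above (added example, not vendor code)."""
import json
import re

SCIM_USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
SCIM_PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"

# JumpCloud property -> SCIM attribute path, as in the mapping table.
ATTRIBUTE_MAP = {
    "username": "userName",
    "email": 'emails[type eq "work"].value',
    "firstname": "name.givenName",
    "lastname": "name.familyName",
    "active": "active",
}
REQUIRED = ("username", "email", "active")
# Assumed interpretation of "do not include special characters".
USERNAME_RE = re.compile(r"^[A-Za-z0-9._-]+$")


def validate_identity(identity: dict) -> list:
    """Return a list of mapping problems; an empty list means the record can be provisioned."""
    problems = []
    for key in REQUIRED:
        if identity.get(key) in ("", None):
            problems.append(f"missing required attribute '{key}' ({ATTRIBUTE_MAP[key]})")
    username = identity.get("username", "")
    if username and not USERNAME_RE.fullmatch(username):
        problems.append("username contains characters outside [A-Za-z0-9._-]")
    # SCIM 'active' is a boolean; a string like "true" would not suspend or enable anyone.
    if "active" in identity and not isinstance(identity["active"], bool):
        problems.append("active must be a boolean, not a string")
    return problems


def to_scim_user(identity: dict) -> dict:
    """Joiner: build the POST /Users body. Raises ValueError for an unmappable record."""
    problems = validate_identity(identity)
    if problems:
        raise ValueError("; ".join(problems))
    body = {
        "schemas": [SCIM_USER_SCHEMA],
        "userName": identity["username"],
        "emails": [{"type": "work", "value": identity["email"], "primary": True}],
        "active": identity["active"],
    }
    name = {}
    if identity.get("firstname"):
        name["givenName"] = identity["firstname"]
    if identity.get("lastname"):
        name["familyName"] = identity["lastname"]
    if name:
        body["name"] = name
    return body


def to_scim_patch(changes: dict) -> dict:
    """Mover/Leaver: build a PATCH /Users/{id} body from changed properties.
    {"active": False} is the leaver case; a name change is the mover case."""
    ops = []
    for key, value in changes.items():
        if key not in ATTRIBUTE_MAP:
            raise ValueError(f"no SCIM mapping for '{key}'")
        ops.append({"op": "replace", "path": ATTRIBUTE_MAP[key], "value": value})
    return {"schemas": [SCIM_PATCH_SCHEMA], "Operations": ops}


if __name__ == "__main__":
    # Constructed sample record, not real user data.
    joiner = {"username": "jdoe", "email": "jdoe@example.com",
              "firstname": "Jane", "lastname": "Doe", "active": True}
    print(json.dumps(to_scim_user(joiner), indent=2))          # joiner
    print(json.dumps(to_scim_patch({"lastname": "Smith"}), indent=2))  # mover
    print(json.dumps(to_scim_patch({"active": False}), indent=2))      # leaver
    print(validate_identity({"username": "j doe!", "active": "true"}))  # three problems
```

Running the script prints the three payloads and then the validation failures for a deliberately bad record (missing email, a username with a space and `!`, and `active` given as a string). Comparing the printed payloads with what SailPoint's provisioning logs show for the test user is a quick way to spot a mapping that drifted from the table.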
Removing the SCIM Integration
To deactivate the integration and terminate inbound user synchronization from SailPoint, remove the dedicated service account from your administrator directory.
- Log in to the JumpCloud Admin Portal.
- In the left navigation menu, go to Settings.
- Select the Administrators tab.
- Click the service account to open the Edit Administrator panel.
- Click Actions.
- Click Delete Account, and then Delete to confirm.