Use JumpCloud SAML Single Sign On (SSO) to give your users convenient but secure access to all their web applications with a single set of credentials. Automatically provision, update and deprovision users and groups in 15Five from JumpCloud using the SCIM integration. Leverage this integration to centralize user lifecycle, user identity, and group management in JumpCloud for 15Five. Save time and avoid mistakes, as well as potential security risks, related to manually creating users.
Read this article to learn how to configure the 15Five integration.
Prerequisites
- A JumpCloud Administrator account
- JumpCloud SSO Package or higher or SSO à la carte option
- A 15Five Administrator account
- 15Five Plus Plan. If using SSO, an SSO add-on is required. Contact 15Five support
- Your 15Five subdomain name
Important Considerations
- SAML SSO is recommended, but not required:
  - To enable SSO, but require users to log in through 15Five and not the JumpCloud User Portal, deselect Show in User Portal in the General Info tab of the application window
- 15Five supports password synchronization:
  - If SSO is enabled, password changes don’t occur for the user in 15Five if the password is set from JumpCloud
  - If SSO isn’t enabled in 15Five, then the user will receive an email with a link to reset their password in 15Five
- If you delete an integrated 15Five application from your Applications list, the application is removed from JumpCloud, but any previously bound users remain active in 15Five. These users can log in to 15Five with the password they used before you enabled SSO with 15Five in JumpCloud
- If you deactivate SCIM on your 15Five application and SSO is activated, previously bound users remain active in 15Five and can authenticate using SSO. No further updates are made to user accounts via the SCIM integration:
  - Users created via SCIM integration should also be deleted via SCIM integration. Otherwise, you need to disable the user before you can delete them
  - Users deactivated via the SCIM integration can only be deleted via the SCIM integration after you reactivate them and then delete them
- Account takeovers are supported
- New users provisioned from JumpCloud receive an email invitation from 15Five
- Users are moved to the inactive state when they’re deprovisioned
- If a user’s password expires in JumpCloud, their account becomes suspended and they are deactivated in all applications that have SCIM configured and are associated with them. Once the user’s password is updated, the account and previously associated applications are reactivated
- Groups are supported
Attribute Considerations
- A default set of attributes is managed for users. See the Attribute Mappings section for more details
- The username and email should match
Creating a new JumpCloud Application Integration
- Log in to the JumpCloud Admin Portal.
If your data is stored outside of the US, check which login URL you should be using depending on your region. If your organization uses LDAP, RADIUS, or requires firewall allow list configuration, the Fully Qualified Domain Names (FQDNs) will also be region specific. See JumpCloud Data Centers for the URLs, FQDNs, and IP addresses.
- Go to Access > SSO Applications.
- Click + Add New Application.
- You can also enter the name of the application in the Search field and select it.
- You can either select an application from the available list or select Custom Application, and click Next.
- Select the required options from the Select Options page and click Next. The Enter General Info page is displayed.
- On the Enter General Info page, you can customize the display label, description and how the application displays:
  - Description - add a description that users will see in their user portal
  - User Portal Image - choose Logo or Color Indicator
  - Show in User Portal - select to ensure the app is visible in the user portal
- Optionally, expand the Advanced Settings section and customize the IdP URL:
- Enter a custom value to replace the default application name in the SSO IdP URL endpoint ( https://sso.jumpcloud.com/saml2/{custom_value})
The SSO IdP URL is not editable after the application is created. If you need to change this URL later, you must delete and recreate the connector.
- Click Save Application.
- Next, click:
  - Configure Application and go to the next section
  - Close to configure your new application at a later time
Users are implicitly denied access to applications. See Authorize Users to an SSO Application.
Configuring the SSO Integration
To navigate to your JumpCloud SSO connector
- Log in to the JumpCloud Admin Portal.
If your data is stored outside of the US, check which login URL you should be using depending on your region. If your organization uses LDAP, RADIUS, or requires firewall allow list configuration, the Fully Qualified Domain Names (FQDNs) will also be region specific. See JumpCloud Data Centers for the URLs, FQDNs, and IP addresses.
- Go to Access > SSO Applications.
- Create a new application or select it from the Configured Applications list.
- Select the SSO tab.
To configure JumpCloud
- In the IdP Entity ID and ACS URL fields, replace YOURDOMAIN with your 15Five subdomain name.
- Optionally, configure:
The Authentication Methods References (AMR) claim is automatically included in the SAML assertion by default. No additional configuration is required to enable this.
Complete the MFA Claim Configuration to define how the authentication context is sent in the SAML assertion.
- Under Auth Context, choose one of the following options based on your SP's requirements:
  - Send a single value for all successful MFA factors - select if the Service Provider accepts a generic confirmation for any MFA login. Enter the single URL or URN they accept
  - Send specific factors - select this option to map individual JumpCloud MFA methods to distinct values. In the Factor Mapping table, add each MFA factor enabled in your organization and enter the corresponding value required by the Service Provider
  - Send single value and specific factors - select to send both a generic identifier and specific factor details in the assertion
Refer to your Service Provider's documentation to determine the specific URN or URL values required (e.g., Salesforce Session Security Levels). The values entered in this configuration must exactly match what the Service Provider expects.
| MFA Factor | Service Provider | Notes |
|---|---|---|
| Password | Reference your Service Provider's documentation for the values they expect for each factor | |
| TOTP | | |
| WebAuthN | | |
| Push Notification | | JumpCloud Protect or other authenticator application |
| Duo Security | | |
| Device Trust | | |
| Device Trust + User Verification | | JumpCloud Go |
| API Key | | |
| External Identity Provider | | |
Learn more about MFA Claims.
Configure User Attributes to be sent to the SP in assertions. User attributes are unique to each user. You can include attributes for standard user detail attributes or for custom attributes. For example, you can include standard attributes for users’ employee ID and department, or you can include a custom attribute for users’ application ID. Standard attributes are configured in the User Panel Details tab's User Information and Employee Information sections.
Unlike user attributes, a Constant Attribute can be sent for every user in a specific group or application profile.
If required attributes are present, they are not editable.
- Under User Attributes, click add attribute:
  - Service Provider Attribute Name - enter the service provider’s name for the attribute
  - JumpCloud Attribute Name - select the corresponding attribute from the drop down list
- Repeat these steps for any desired user or custom attributes.
- Under Constant Attributes, click add attribute:
  - Service Provider Attribute Name - enter the service provider’s name for the attribute
  - Value - enter the corresponding attribute in JumpCloud
- Optionally, if groups are supported, select Include Group Attribute.
- Click Save.
Copy the metadata URL
- Find your application in the Configured Applications list and click anywhere in the row to reopen its configuration window.
- Select the SSO tab and click Copy Metadata URL.
- The URL will be copied to your clipboard.
To configure 15Five
- Navigate to the ’SAML Single Sign-On’ page in 15Five. If you don’t have access to that page, contact 15Five Support and they will add it for you.
- Set your company's subdomain; typically this will be your company name or some form of it. You can choose anything you want as long as it does not contain special characters, capital letters, or spaces. The subdomain name also needs to be unique; no other company can be using the same domain.
- Click Save.
- You will be taken to the next page to enter the Metadata from your IdP and set your SSO contact.
- The Contact email should be the email of the IT point of contact that 15Five Support or others in your company should reach out to about SSO-related questions or issues.
- Check the box labeled Automatically update metadata if you’d like to include the link to where 15Five can check your metadata. Doing so will allow 15Five to automatically update your metadata if changes are made, rather than updating the metadata manually.
- Click Save.
- Next, you will set your SAML attributes and settings:
  - SAML Single Sign-On Enabled: Should be checked to enable SSO.
  - Allow Password Sign In: Can be checked if you want your users to have the ability to log in using their email and password, rather than just through SSO. This can be turned on during testing and turned off afterwards if preferred.
  - Allow Identity Provider Initiated Login: A setting that allows employees to log in directly from the app dashboard when they log in via your company’s IdP.
  - Allow Auto Login: Indicates that the employee will be auto-logged in using their IdP, instead of having to re-authenticate before logging in. This option only works if the ‘Allow Password Sign In’ option is disabled.
  - Allow Creation of New Users (JIT Provisioning): Automatically creates a new, paid account in 15Five if an employee who has access to 15Five in your IdP attempts to log into 15Five.
    This option is not recommended when Name ID is set to ‘Email’ or if you are using another integration like SCIM or an HRIS. Using this with either option can cause duplicate accounts and issues with one integration overriding the other.
  - Require Reviewer Selection: Requires an employee to choose their reviewer upon signing in for the first time. Such a choice will only be presented if reviewer information has not been passed in the SAML response. Most customers will want this off.
  - Ensure assertions are signed and Ensure messages are signed: Tell 15Five what to expect from your IdP. You must have at least one of the two checked in order to proceed, but you are able to turn one setting off depending on your setup.
- The next four lines show the Service Provider User Sign In URL, IdP Entity ID, etc. These fields are auto-populated by pulling from the XML metadata you entered on the previous screen.
- The bottom half of the page is where you set your attributes. The best way to know what should go in here is to check your IdP’s attribute mappings. If you need some guidance, the blue link labeled Attributes Help may be helpful. The Name ID Contents and Email attribute name are the ones that are necessary to set up SSO, but there are a few others that you may want to sync.
If ‘Name ID Contents’ is set to ‘Not Used’, then the ‘Employee ID attribute name’ must be filled out. Otherwise, there will be issues with employees logging in.
If you would like the employee’s reviewer to sync to 15Five, and you do not use another integration with 15Five like SCIM or another HRIS, then you would put the reviewer information under the ‘Reviewer Attributes’ section. Make sure to click Save!
Authorizing SSO Application Access
Users are implicitly denied access to SSO Applications. After you connect an application to JumpCloud, you need to authorize user access to that application. You can authorize user access from the Applications, Users List or User Groups page.
To authorize user access from the SSO Application’s page
- Log in to the JumpCloud Admin Portal.
If your data is stored outside of the US, check which login URL you should be using depending on your region. If your organization uses LDAP, RADIUS, or requires firewall allow list configuration, the Fully Qualified Domain Names (FQDNs) will also be region specific. See JumpCloud Data Centers for the URLs, FQDNs, and IP addresses.
- Go to Access > SSO Applications, then select the application to which you want to authorize user access.
- Select the User Groups tab. If you need to create a new group of users, see Get Started: User Groups.
- Select the check box next to the desired group of users to which you want to give access.
- Click Save.
To learn how to authorize user access from the Users or User Groups pages, see Authorize Users to an SSO Application.
Validating SSO user authentication workflow(s)
Check your SP's documentation to ensure that both workflows are supported.
IdP-initiated user workflow
- Access the JumpCloud User Console
- Go to Applications and click an application tile to launch it
- JumpCloud asserts the user's identity to the SP and is authenticated without the user having to log in to the application
SP-initiated user workflow
- Go to the SP application login - generally, there is either a special link or an adaptive username field that detects the user is authenticated through SSO
This varies by SP.
- Login redirects the user to JumpCloud where the user enters their JumpCloud credentials
- After the user is logged in successfully, they are redirected back to the SP and automatically logged in
See Additional User Experience Considerations when setting up JumpCloud SSO.
Configuring the SCIM Integration
To configure 15Five
- Log in to 15Five with your administrator account.
- In the left menu, click Settings > Features.
- Click Integrations > Manage, and enable the SCIM 2.0 option, then click Save.
  - If you don’t see the SCIM 2.0 integration, contact 15Five’s support team and request they activate it
- Generate your access token.
To navigate to your JumpCloud SCIM connector
- Log in to the JumpCloud Admin Portal.
If your data is stored outside of the US, check which login URL you should be using depending on your region. If your organization uses LDAP, RADIUS, or requires firewall allow list configuration, the Fully Qualified Domain Names (FQDNs) will also be region specific. See JumpCloud Data Centers for the URLs, FQDNs, and IP addresses.
- Go to Access > SSO Applications.
- Create a new application or select it from the Configured Applications list.
- Select the Provisioning tab.
To configure JumpCloud
- Click Configure in the Configuration Settings section.
- You're presented with two fields:
- Base URL: Paste in the SCIM 2.0 base URL you copied when you enabled SCIM 2.0 with JumpCloud in 15Five, e.g., https://my.15five.com/scim/v2
- Token Key: Paste the access token generated in the previous section
- Review and edit any user attribute mappings.
- Click Activate.
Attribute Mappings
The Export Attributes Mapping table lists the Required and Optional Mappings that JumpCloud sends to the Service Provider. See Attribute Considerations for more information regarding attribute mapping considerations.
Learn about JumpCloud Properties and how they work with system users in our API.
Modifying User Attributes
To add user attributes
- From your connector’s configuration page, select the Identity Management tab.
- Expand the Export Attribute Mapping section and click Edit. The Optional Mappings table will open.
- Scroll to the bottom of the table and click +Add Attribute.
- Select one of the mapping types:
  - Direct Mapping (JSON Path) - send the value from a user attribute in JumpCloud directly to an attribute in the service provider
    - From the JumpCloud Attribute dropdown, select the desired attribute
      - If you choose “Custom User Attribute” you must type the name of the attribute exactly as it appears on the user details page. To see the dropdown again, you must delete the attribute and add a new attribute
    - From the SCIM Attribute dropdown, select the corresponding (destination) attribute
  - Expression - transform or combine multiple user attributes into a single, custom value before sending it to the service provider
    - Enter the expression in the JumpCloud Attribute field
    - From the SCIM Attribute dropdown, select the corresponding (destination) attribute
  - Constant - send a fixed, predefined value, like a specific company name, for every user to the service provider
    - This is a free text field with no validation, so the attribute must match exactly, including case, to the corresponding attribute in the user record. Once the custom attribute is added, you must delete it and add a new custom attribute to see the dropdown again.
- Repeat these steps for additional attributes.
- Click Preview Mappings to review the User Schema.
- If you do not select a specific user from the Preview Filter dropdown, the schema will default to the first user.
- Click Update.
Updates to the user schema will not dynamically sync. To force a sync, you must modify the user group’s record in some way, like adding a space to the Description field.
To modify existing user attributes
This enhancement gives you complete control over the user attributes sent from JumpCloud to this application. You can now:
- Fully control mappings - define which JumpCloud attribute or source data corresponds to an attribute in the SP's SCIM schema
- Use a variety of source values - map data from the user's standard attributes, Manager field, custom attributes, or other data sources
- Manipulate data with expressions - transform data, such as preferred first names and date format, using expressions before transmission to the SP. Learn more
- Preview changes - review your new mappings to ensure accuracy before you save
- From your connector’s configuration page, select the Identity Management tab.
- Expand the Export Attribute Mapping section and click Edit.
- For the type of attribute you would like to modify:
  - Direct - select the new attribute from the dropdown(s)
  - Expression - click in the Expression field and make the desired edits. If necessary, select the new attribute from the SCIM Attribute dropdown
  - Custom - delete the existing values in either or both of the attribute fields and enter the new values
- Click Preview Mappings to review the updated User Schema.
- Click Update.
Updates to the user schema will not dynamically sync. To force a sync, you must modify the user group’s record in some way, like adding a space to the Description field.
Deleting user attributes
It's highly recommended you use all optional mappings. This creates a more complete user profile, enabling better automation and more accurate access management within the application.
- From your connector’s configuration page, select the Identity Management tab.
- In the Export Attribute Mapping section, click Edit. The Optional Mappings table will open.
- Click Delete to remove any optional attributes.
- When finished, click Update.
Attributes that were initially included and populated in the user record and then deleted at a later time will not be modified or removed from the user record.
Restoring default user attributes
- From your connector’s configuration page, select the Identity Management tab.
- In the Export Attribute Mapping section, click Edit. The Optional Mappings table will open.
- Scroll to the bottom of the table and select Restore Defaults.
- Click Update and then click Save.
15Five User Attributes
| JumpCloud Attribute | SCIM Attribute | Applied |
|---|---|---|
| Required | | |
| | userName | create and update |
| Optional | | |
| company | $enterpriseUser.organization | create and update |
| costCenter | $enterpriseUser.costCenter | create and update |
| department | $enterpriseUser.department | create and update |
| employeeIdentifier | $enterpriseUser.employeeNumber | create and update |
| employeeType | userType | create and update |
| firstname | name.givenName | create and update |
| jobtitle | title | create and update |
| lastname | name.familyName | create and update |
| notNullOrEmpty(jcUser.displayname) ? jcUser.displayname : (notNullOrEmpty(jcUser.lastname) ? jcUser.firstname + ' ' + jcUser.lastname : jcUser.firstname) | displayName | create and update |
| notNullOrEmpty(providerUser.externalId) ? providerUser.externalId : jcUser.id | externalId | create and update |
| notNullOrEmpty(providerUser.locale) ? providerUser.locale : 'en-US' | locale | create and update |
| notNullOrEmpty(providerUser.preferredLanguage) ? providerUser.preferredLanguage : 'en-US' | preferredLanguage | create and update |
| toScimAddresses(find(jcUser.addresses, .type == 'work') ?? first(jcUser.addresses)) | addresses | create and update |
| toScimEmails(jcUser.email) | emails | create and update |
| toScimPhoneNumbers(find(jcUser.phoneNumbers, .type == 'work') ?? first(jcUser.phoneNumbers)) | phoneNumbers | create and update |
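To see what the default expressions in the table actually produce for a user, here is an added Python re-implementation of them (it is not JumpCloud's or 15Five's code). The helper functions named after the expression functions (notNullOrEmpty, find, first, toScim*) are assumptions about their semantics, and the required userName mapping is assumed to be the user's email, since the page says username and email should match.

```python
from typing import Any, Callable, Optional

# Added example, not JumpCloud's or 15Five's code: the documented default
# export mapping expressions re-implemented in Python, so you can see the SCIM
# body a given JumpCloud user produces. Helpers named after the expression
# functions (notNullOrEmpty, find, first, toScim*) are assumptions about their
# semantics, and the required userName mapping is assumed to be the email.
ENTERPRISE_EXT = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"

def not_null_or_empty(value: Any) -> bool:
    return value not in (None, "", [])

def find(items: list, pred: Callable[[dict], bool]) -> Optional[dict]:
    return next((i for i in items if pred(i)), None)

def first(items: list) -> Optional[dict]:
    return items[0] if items else None

def to_scim_addresses(addr: Optional[dict]) -> list:
    if addr is None:
        return []
    keys = ("streetAddress", "locality", "region", "postalCode", "country")
    out = {k: addr[k] for k in keys if k in addr}
    out.update({"type": addr.get("type", "work"), "primary": True})
    return [out]

def to_scim_emails(email: str) -> list:
    return [{"value": email, "type": "work", "primary": True}]

def to_scim_phone_numbers(phone: Optional[dict]) -> list:
    return [] if phone is None else [{"value": phone["number"], "type": phone.get("type", "work")}]

def build_scim_user(jc_user: dict, provider_user: Optional[dict] = None) -> dict:
    """Apply the default mappings; provider_user is what the SP already holds (empty on create)."""
    pu = provider_user or {}
    # displayName: explicit displayname, else "first last", else first name only
    if not_null_or_empty(jc_user.get("displayname")):
        display = jc_user["displayname"]
    elif not_null_or_empty(jc_user.get("lastname")):
        display = f"{jc_user['firstname']} {jc_user['lastname']}"
    else:
        display = jc_user["firstname"]
    def keep_or(key: str, default: Any) -> Any:
        # externalId/locale/preferredLanguage keep the SP's value if it has one
        return pu[key] if not_null_or_empty(pu.get(key)) else default
    addrs, phones = jc_user.get("addresses", []), jc_user.get("phoneNumbers", [])
    work_addr = find(addrs, lambda a: a.get("type") == "work")   # find(..., .type == 'work')
    work_phone = find(phones, lambda p: p.get("type") == "work")
    return {
        "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User", ENTERPRISE_EXT],
        "userName": jc_user["email"],
        "externalId": keep_or("externalId", jc_user["id"]),
        "name": {"givenName": jc_user["firstname"], "familyName": jc_user.get("lastname")},
        "displayName": display,
        "title": jc_user.get("jobtitle"),
        "userType": jc_user.get("employeeType"),
        "locale": keep_or("locale", "en-US"),
        "preferredLanguage": keep_or("preferredLanguage", "en-US"),
        "emails": to_scim_emails(jc_user["email"]),
        # the ?? fallback: the work entry if present, otherwise the first entry
        "addresses": to_scim_addresses(work_addr if work_addr is not None else first(addrs)),
        "phoneNumbers": to_scim_phone_numbers(work_phone if work_phone is not None else first(phones)),
        ENTERPRISE_EXT: {
            "organization": jc_user.get("company"),
            "costCenter": jc_user.get("costCenter"),
            "department": jc_user.get("department"),
            "employeeNumber": jc_user.get("employeeIdentifier"),
        },
    }

# Constructed sample record, not real data
SAMPLE_USER = {
    "id": "5f1c0000000000000000abcd", "email": "ada.lovelace@example.com",
    "firstname": "Ada", "lastname": "Lovelace", "displayname": "",
    "jobtitle": "Analyst", "department": "Engineering", "employeeIdentifier": "E-1001",
    "addresses": [{"type": "home", "locality": "London"}, {"type": "work", "locality": "Cambridge"}],
    "phoneNumbers": [{"type": "mobile", "number": "+44 7700 900000"}],
}
```

Calling `build_scim_user(SAMPLE_USER)` shows the fallbacks at work: an empty displayname becomes "Ada Lovelace", the work address wins over the home one, the mobile number is sent because no work number exists, and externalId falls back to the JumpCloud id on create.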
Group Attributes
| JumpCloud Property | JumpCloud UI Field Name | SCIM v2 Mapping | Application Value |
|---|---|---|---|
| name | Name | displayName | Name |
Enabling Group Management
You must select the Enable management of User Groups and Group Membership in this application option to manage groups and group membership in the application from JumpCloud.
Group Provisioning and Syncing
- Empty groups are not created
- JumpCloud takes over management of existing groups in the application when the user group name in JumpCloud matches the name of the group in the application
- All user groups associated with the application in JumpCloud are synced. Syncing occurs whenever there is a membership or group change event
- Group renaming is supported
- If a user group is disassociated from the application in JumpCloud, syncing immediately stops and the group is left as-is in the application. All members of that user group are deactivated in the application unless they are associated with another active application group that is managed from JumpCloud
Group Deletion
- Managed groups deleted in JumpCloud are deleted in the application
- All members of the deleted group are deactivated in the application, unless they are associated with another active application group that is managed from JumpCloud
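The group rules in the two lists above decide who gets deactivated when a group is disassociated or deleted. The following added Python model (not JumpCloud's code; class and function names and the sample data are constructed) encodes those rules so you can dry-run a group change and see which users it would deactivate before making it.

```python
from typing import Dict, Set

# Added example, not JumpCloud's code: a model of the group rules above
# (empty groups are not created; disassociating or deleting a managed group
# deactivates its members unless another managed group associated with the
# application still contains them). Names and sample data are constructed.
class ManagedApplication:
    def __init__(self, name: str) -> None:
        self.name = name
        self.groups: Dict[str, Set[str]] = {}   # JumpCloud groups associated with the app
        self.app_groups: Set[str] = set()       # groups that exist in the application
        self.active_users: Set[str] = set()     # users currently active in the application

    def associate(self, group: str, members: Set[str]) -> None:
        """Associate a JumpCloud user group with the application and sync it."""
        self.groups[group] = set(members)
        if members:  # empty groups are not created in the application
            self.app_groups.add(group)
            self.active_users |= members

    def _drop(self, group: str, delete_in_app: bool) -> Set[str]:
        members = self.groups.pop(group, set())
        if delete_in_app:
            self.app_groups.discard(group)
        # a member stays active only if another associated group still covers them
        still_covered = set().union(*self.groups.values())
        deactivated = members - still_covered
        self.active_users -= deactivated
        return deactivated

    def disassociate(self, group: str) -> Set[str]:
        """Syncing stops and the group is left as-is in the application."""
        return self._drop(group, delete_in_app=False)

    def delete_group(self, group: str) -> Set[str]:
        """A managed group deleted in JumpCloud is deleted in the application too."""
        return self._drop(group, delete_in_app=True)

    def disable_group_management(self) -> None:
        """Groups and membership are left as-is; nobody is deactivated."""
        self.groups.clear()  # JumpCloud simply stops sending membership


def preview_disassociate(app: ManagedApplication, group: str) -> Set[str]:
    """Dry run: the users that disassociating this group would deactivate."""
    others = set().union(*(m for g, m in app.groups.items() if g != group))
    return app.groups.get(group, set()) - others


def sample_scenario() -> Dict[str, object]:
    """Constructed scenario: two groups sharing a user, plus an empty group."""
    app = ManagedApplication("15Five")
    app.associate("engineering", {"ada", "bob"})
    app.associate("managers", {"bob"})
    app.associate("interns", set())
    result: Dict[str, object] = {"created_in_app": set(app.app_groups)}
    result["would_deactivate"] = preview_disassociate(app, "engineering")
    result["deactivated_on_disassociate"] = app.disassociate("engineering")
    result["active_after_disassociate"] = set(app.active_users)
    result["deactivated_on_delete"] = app.delete_group("managers")
    result["groups_left_in_app"] = set(app.app_groups)
    return result
```

In the sample scenario, disassociating "engineering" deactivates only "ada", because "bob" is still covered by "managers"; deleting "managers" afterwards deactivates "bob" and removes that group from the application, while the disassociated "engineering" group is left in place.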
Disabling Group Management
- You can disable group and group membership management by unchecking the Enable management of User Groups and Group Membership in this application option
- The managed groups and group membership are left as-is in the application
- JumpCloud stops sending group membership information for the user, but the user’s identity will continue to be managed from JumpCloud
SCIM Directory Insights Events
The following Directory Insights (DI) events provide visibility into failures and detailed information about the user and group data being added or updated from HR or other external solutions to JumpCloud.
Customers with no package or the Device Management Package will need to add the Directory Insights à la carte option. Directory Insights is included in all other packages.
SCIM DI Integration Events
| Event Name | Event Description |
|---|---|
| idm_integration_activate | Logged when an IT admin attempts to activate a new SCIM integration. |
| idm_integration_update | Logged when an IT admin attempts to update a configured and activated SCIM integration. |
| idm_integration_reauth | Logged when an IT admin attempts to change the credentials for an activated SCIM integration. |
| idm_integration_delete | Logged when an IT admin attempts to deactivate an activated SCIM integration. |
SCIM DI User Events
| Event Name | Event Description |
|---|---|
| user_create_provision | Logged when JumpCloud tries to create a new user in the service provider application. |
| user_update_provision | Logged when JumpCloud tries to update an existing user in the service provider application. |
| user_deprovision | Logged when JumpCloud tries to change an existing user to inactive in the service provider application. |
| user_delete_provision | Logged when JumpCloud tries to delete an existing user in the service provider application. |
| user_lookup_provision | Logged when JumpCloud encounters an issue when trying to look up a user to determine if the user needs to be created or updated. |
SCIM DI Group Events
These DI events will only be present if SCIM Groups are supported.
| Event Name | Event Description |
|---|---|
| group_create_provision | Logged when JumpCloud tries to create a new group in the service provider application. |
| group_update_provision | Logged when JumpCloud tries to update an existing group in the service provider application. |
| group_delete_provision | Logged when JumpCloud tries to delete an existing group in the service provider application. |
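The three event tables above are most useful when something fails, and the failures that matter most for access control are failed deprovisions and deletes, because the user or group then stays active in 15Five. The following added Python triage routine (not JumpCloud's code) reads SCIM Directory Insights events as JSON lines and separates those failures from ordinary noise; the event field names (timestamp, success, username, error_message, initiated_by) and the sample log are assumptions constructed for this example.

```python
import json
from collections import Counter
from typing import Dict, Iterable, List

# Added example, not JumpCloud's code: triage for the SCIM Directory Insights
# events listed above, read as JSON lines (for instance exported from the DI
# API into a SIEM). Field names (timestamp, success, username, error_message,
# initiated_by) and the sample log are assumptions constructed for this example.
SCIM_EVENTS = {
    "idm_integration_activate", "idm_integration_update", "idm_integration_reauth",
    "idm_integration_delete", "user_create_provision", "user_update_provision",
    "user_deprovision", "user_delete_provision", "user_lookup_provision",
    "group_create_provision", "group_update_provision", "group_delete_provision",
}
INTEGRATION_EVENTS = {e for e in SCIM_EVENTS if e.startswith("idm_integration_")}
# A failure here means a user or group that should be gone may still be active in 15Five.
REVOCATION_EVENTS = {"user_deprovision", "user_delete_provision", "group_delete_provision"}


def parse_events(lines: Iterable[str]) -> List[dict]:
    """Parse JSON lines, dropping blanks, malformed lines and non-SCIM events."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        if ev.get("event_type") in SCIM_EVENTS:
            events.append(ev)
    return events


def triage(events: List[dict]) -> Dict[str, object]:
    """Count events and pull out the ones worth a ticket or an alert."""
    failures = [ev for ev in events if ev.get("success") is False]
    return {
        "counts": dict(Counter(ev["event_type"] for ev in events)),
        "failures": failures,
        "revocation_failures": [ev for ev in failures if ev["event_type"] in REVOCATION_EVENTS],
        # integration credential/config changes are admin actions worth reviewing
        "admin_changes": [ev for ev in events if ev["event_type"] in INTEGRATION_EVENTS],
    }


def report(lines: Iterable[str]) -> List[str]:
    """Return one alert line per revocation failure, in log order."""
    out = []
    for ev in triage(parse_events(lines))["revocation_failures"]:
        out.append(f"ALERT {ev['timestamp']} {ev['event_type']} failed for "
                   f"{ev.get('username')}: {ev.get('error_message')}")
    return out


SAMPLE_LOG = """
{"timestamp": "2024-05-01T09:00:00Z", "event_type": "idm_integration_activate", "success": true, "initiated_by": "admin@example.com"}
{"timestamp": "2024-05-01T09:05:00Z", "event_type": "user_create_provision", "success": true, "username": "ada.lovelace"}
{"timestamp": "2024-05-01T09:05:01Z", "event_type": "user_update_provision", "success": true, "username": "ada.lovelace"}
{"timestamp": "2024-05-02T17:30:00Z", "event_type": "user_deprovision", "success": false, "username": "bob.smith", "error_message": "401 Unauthorized"}
{"timestamp": "2024-05-02T17:31:00Z", "event_type": "user_lookup_provision", "success": false, "username": "carol.jones", "error_message": "multiple matches"}
{"timestamp": "2024-05-02T18:00:00Z", "event_type": "user_login_attempt", "success": true, "username": "ada.lovelace"}
this line is not JSON
{"timestamp": "2024-05-03T08:00:00Z", "event_type": "idm_integration_reauth", "success": true, "initiated_by": "admin@example.com"}
"""  # constructed sample, not real Directory Insights output

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG.splitlines())))
```

On the sample log the only alert is the failed user_deprovision for bob.smith (a 401 here typically points at an expired or rotated SCIM token, which is exactly the case where the idm_integration_reauth event tells you someone has since re-entered credentials); the failed lookup is reported as an ordinary failure, and the two integration events are listed as admin changes.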
Removing the Integration
These are steps for removing the integration in JumpCloud. Consult your SP's documentation for any additional steps needed (like disabling "mandatory SSO login" settings) to remove the integration in the SP. Failure to remove the integration successfully for both the SP and JumpCloud may result in users, including admins, losing access to the application.
If your data is stored outside of the US, check which login URL you should be using depending on your region. If your organization uses LDAP, RADIUS, or requires firewall allow list configuration, the Fully Qualified Domain Names (FQDNs) will also be region specific. See JumpCloud Data Centers for the URLs, FQDNs, and IP addresses.
To deactivate the SCIM Integration
- Log in to the JumpCloud Admin Portal.
- Go to Access > SSO Applications.
- Search for the application that you’d like to deactivate and click to open the configuration window.
- Click Actions > Deactivate IdM and then click confirm.
To deactivate the SSO Integration
- Log in to the JumpCloud Admin Portal.
- Go to Access > SSO Applications.
- Search for the application that you’d like to deactivate and click to open its details panel.
- Select the SSO tab.
- Scroll to the bottom of the configuration.
- Click Deactivate SSO.
- Click Save.
- If successful, you will receive a confirmation message.
To delete the application
- Log in to the JumpCloud Admin Portal.
- Go to Access > SSO Applications.
- Search for the application that you’d like to delete.
- Check the box next to the application to select it.
- Click Delete.
- Enter the number of the applications you are deleting
- Click Delete Application.
- If successful, you will see an application deletion confirmation notification.