Use JumpCloud SAML Single Sign On (SSO) to give your users convenient but secure access to all their web applications with a single set of credentials. Automatically provision, update and deprovision users and groups in ADP from JumpCloud using the Identity Management (SCIM) integration. Leverage this integration to centralize user lifecycle, user identity, and group management in JumpCloud for ADP. Save time and avoid mistakes, as well as potential security risks, related to manually creating users.
Read this article to learn how to integrate with ADP.
Prerequisites
- A JumpCloud administrator account
- JumpCloud SSO Package or higher or SSO à la carte option
- An ADP user account with administrator permissions
- ADP SSO add-on is required to use SSO
- If configuring Identity Management
- The ADP API add-on is required to access ADP's API
- A Client ID and Secret from ADP (part of the API add on package)
- A private key and certificate to use mTLS
Important Considerations
- A custom API connector configuration to import users is also available for ADP - use the prebuilt if you would like to manage SSO and SCIM in one app
Attribute Considerations
- A default set of attributes are managed for users. See the Attribute Mappings section for more details
- It is highly recommended to map all of the listed optional JumpCloud attributes. The dropdown shows all the optional user attributes that can be mapped to create a complete user profile.
Creating a new JumpCloud Application Integration
- Log in to the JumpCloud Admin Portal.
- Go to USER AUTHENTICATION > SSO Applications.
- Click + Add New Application.
- Type the name of the application in the Search field and select it.
- Click Next.
- In the Display Label, type your name for the application. Optionally, you can enter a Description, adjust the User Portal Image and choose to hide or Show in User Portal.
If this is a Bookmark Application, enter your sign-in URL in the Bookmark URL field.
- Optionally, expand Advanced Settings to specify a value for the SSO IdP URL. If no value is entered, it will default to https://sso.jumpcloud.com/saml2/<applicationname>.
The SSO IdP URL is not editable after the application is created. You will have to delete and recreate the connector if you need to edit this field at a later time.
- Click Save Application.
- If successful, click:
- Configure Application and go to the next section
- Close to configure your new application at a later time
Configuring the SSO Integration
To configure JumpCloud 1
- Create a new application or select it from the Configured Applications list.
- Select the SSO tab.
- Copy and paste your ADP ACS_URL.
- Add or change any attributes.
- Click save.
Download the certificate
- Find your application in the Configured Applications list and click anywhere in the row to reopen its configuration window.
- Select the SSO tab and click IDP Certificate Valid > Download certificate.
The certificate.pem will download to your local Downloads folder.
To configure ADP
- Contact your ADP representative to request that they complete the ADP side of the SAML configuration, providing them with the Issuer URL (JumpCloud IdP Entity ID) and X.509 certificate downloaded in the previous step.
- When your ADP representative has confirmed that they have completed the ADP SAML setup, request the ADP Relay State for your app.
To configure JumpCloud 2
- Open ADP from the Configured Applications list.
- Select the SSO tab.
- Paste the ADP Relay State received from your ADP representative in the Default Relay State field.
- Click Save.
Authorizing User SSO Access
Users are implicitly denied access to applications. After you connect an application to JumpCloud, you need to authorize user access to that application. You can authorize user access from the Application Configuration panel or from the Groups Configuration panel.
To authorize user access from the Application Configuration panel
- Log in to the JumpCloud Admin Portal.
- Go to USER AUTHENTICATION > SSO Applications, then select the application to which you want to authorize user access.
- Select the User Groups tab. If you need to create a new group of users, see Get Started: User Groups.
- Select the check box next to the group of users you want to give access.
- Click save.
To learn how to authorize user access from the Groups Configuration panel, see Authorize Users to an SSO Application.
Validating SSO user authentication workflow(s)
IdP-initiated user workflow
- Access the JumpCloud User Console
- Go to Applications and click an application tile to launch it
- JumpCloud asserts the user's identity to the SP and is authenticated without the user having to log in to the application
SP-initiated user workflow
- Go to the SP application login - generally, there is either a special link or an adaptive username field that detects the user is authenticated through SSO
This varies by SP.
- Login redirects the user to JumpCloud where the user enters their JumpCloud credentials
- After the user is logged in successfully, they are redirected back to the SP and automatically logged in
Configuring the Identity Management Integration
To configure ADP
- If you do not have your ADP Client ID and Secret, request it from ADP.
- A private key and matching Web Services (WS) Certificate is required to access ADP web services.
The WS Certificate provides client information to ADP and the matching private key confirms the authenticity of the client.
- If successful - you will receive a success message and the fields for attribute mapping will appear.
- unsuccessful - you will receive a failure notification that slides out from the right of the panel and the full error responses received from the service provider will be shown at the bottom of the Configuration Settings section.
- Create a CSR and upload it to ADP's cert request platform to generate a security certificate.
The certificate has a lifespan of two years.
- Download the cert - choose the Certificate only, PEM encoded download option
- Use the Certificate, Private Key (from the CSR), Client ID and Client Secret to submit a bearer token request - Postman was used in this instance.
- Use the bearer token to authenticate to the API.
The token has a lifespan of an hour.
To configure JumpCloud
- Create a new application or select it from the Configured Applications list.
- Select the Identity Management tab.
- Under Configuration settings > Service Provider Configuration > API Type, choose Custom API Import.
- Check Use mTLS authentication under Mutual TLS (mTLS). Add the following required files:
- Private Key - click Choose File and then browse to and select the private key file
- Certificate - click Choose File and then browse to and select the certificate file
- Click OAuth 2.0 and then select Client Credentials.
- Enter values in the following required fields:
- Client ID - copy and paste the Client ID
- Client Secret - copy and paste the Client Secret
- Access Token URL - enter https://accounts.adp.com/auth/oauth/v2/token
- Leave the Scopes field blank.
If multiple scopes need to be specified, separate each scope with a space.
- Under Endpoint Configuration in the Base URL field, enter https://api.adp.com/hr/v2
List Users
Location
- Resource Location - workers
- Method - This field is greyed out (not changeable) and is always set to GET.
- Endpoint Path - /workers?count=true
Total count
- Response Parameter Location - select Body
- Response Body JSON Path - meta.totalNumber
Pagination
- Limit Name - $top
- Offset Name - $skip
- Select Test Connection.
- If successful - you will receive a success message and the fields for attribute mapping will appear.
- If unsuccessful - you will receive a failure notification that slides out from the right of the panel and the full error responses received from the service provider will be shown at the bottom of the Configuration Settings section.
You can share the error message(s) with the service provider of the application to troubleshoot the issue.
User Schema Attribute Mappings
- Unique ID - associateOID
- User Status - workerStatus.statusCode.codeValue
- Inactive Status Values - Terminated,Retired,Deceased
Attribute Mappings
The following table lists attributes that JumpCloud sends to the application. See Attribute Considerations for more information regarding attribute mapping considerations.
Learn about JumpCloud Properties and how they work with system users in our API.
- After completing the mappings using the below table, click Preview Mappings to verify the mappings.
- If the mappings are correct, click Activate.
ADP User Attribute Mapping
JumpCloud User Field in Admin Portal | Service Provider Attribute | Notes |
---|---|---|
Company Email | businessCommunication.emails[0].emailUri | Maps to the person's business email address |
Username | businessCommunication.emails[0].emailUri | Username portion of the person's business email address is extracted and stored that as the username in JumpCloud. |
First Name | {{ or .person.preferredName.givenName .person.legalName.givenName }} | Expression that will store the person's preferred given (first) name in JumpCloud if it is populated in ADP. Otherwise, it will store the person's legal first name. |
Last Name | {{ or .person.preferredName.familyName1 .person.legalName.familyName1 }} | Expression that will store the person's preferred family (last) name in JumpCloud if it is populated in ADP. Otherwise, it will store the person's legal first name. |
Alternate Email | person.communication.emails[0].emailUri | |
Job Title | workAssignments[0].jobTitle | Populates the person's current job title in JumpCloud |
Department | workAssignments[0].assignedOrganizationalUnits[0].nameCode.shortName | |
Location | person.legalAddress.countryCode | The country code from the person's home address |
Employee Type | workAssignments[0].workerTypeCode.shortName | |
Employee Identifier | workerID.idValue | |
DisplayName | {{{ or .person.preferredName.givenName .person.legalName.givenName }} {{ or .person.preferredName.familyName1 .person.legalName.familyName1 }}} | The concatenation of the person's preferred given (first) name or their legal name and their preferred family (last) name depending on what is populated in ADP. |
Work Country | workAssignments[0].assignedWorkLocations.address.countryCode | |
Work City | workAssignments[0].assignedWorkLocations.address.cityName | |
Work PO Box | ||
Work Postal Code | workAssignments[0].assignedWorkLocations.postalCode | |
Work State | workAssignments[0].homeWorkLocation.nameCode.shortName | |
Work Street Address | {{ .workAssignments[0].assignedWorkLocations.address.line1}} {{ .workAssignments[0].assignedWorkLocations.address.line2}} | Concatenation of all street address lines |
Importing New Users and Updates
- Select the ADP app from the Configured Applications list.
- Select the Identity Management tab.
- There are several settings available for importing users from your custom application to JumpCloud. Warning: Selected import options will apply to both manual and scheduled imports.
- Expand the Import Users section.
- Manual Import - clicking the Start Manual Import button kicks off the process flow for doing an immediate and one-time import of users from your custom application to JumpCloud.
- Scheduled Imports (hourly) - enabled by default for all new connectors. The first scheduled import will start within an hour after the new connector is saved. Scheduled imports will then run at the same time every hour as the initial scheduled import. Important: Any connectors created prior to the availability of scheduled imports will have this option disabled. To run scheduled imports, you must enable this option.
- Selecting the Receive summary email after each scheduled import results in user import complete emails being sent after each hourly import. Tip: It's recommended to enable this for the first few scheduled imports to ensure the imports are running correctly.
- In the Import Settings section, you can optionally choose:
- Allow reactivation of users on update. Checking the box for this setting will result in the user state changing from Suspended to Active in JumpCloud when a user’s status changes from either Leave or Inactive to Onboarding or Active in your custom application.
- Apply Advanced Filters on import (optional). See your custom application's API documentation for available filters.
- Expand the Import Users section.
To start a manual user import
- Expand the Import Users section and click Start Manual Import.
- Select one of the following options:
- Import new users and user updates
- Only import new users
- Only import user updates
- View and select specific new users to import (updates not supported)
If the option selected includes user updates, the following will occur:
- Any and all changes made to the mapped user attributes in the source application will be made in JumpCloud.
- Users whose statuses change to one of the defined inactive status will be automatically suspended in JumpCloud.
- If Allow reactivation of users on update is checked, suspended users in JumpCloud, whose status change from the defined inactive statuses to ones that are not defined as inactive, will have their user state changed back to Active in JumpCloud.
- Click Continue.
- If you selected the View and select specific new users to import (updates not supported).
- Select the users you want to import.
Free accounts can import unlimited users, but will be prompted to upgrade to a paid subscription after 30 days. Similarly, accounts managed by an MSP, that have a license limit, are only allowed to import users up to their license limit and will be prompted to contact their provider once that limit is reached.
- The count of users to be imported will show at the bottom left hand of the list. If this is correct, click Import.
- Review the information in the results modal.
- Click one of the tiles to navigate to the Users page, User Groups page, or Device Groups page or close the modal.
If you close this modal, you will return to the Identity Management configuration panel.
- You will receive a User Import Complete email with a summary of the import results and a link for downloading a copy of the import results.
- You can now connect users to all their JumpCloud resources. Learn more in the Authorize Users to an SSO App and Connect New Users to Resources articles.
Imported users must be members of a user group bound to an application for JumpCloud to manage their identity in and access to the application.
SCIM Directory Insights Events
The following Directory Insights (DI) events provide visibility into failures and detailed information about the user and group data being added or updated from HR or other external solutions to JumpCloud.
Customers with no package or the Device Management Package will need to add the Directory Insights à la carte option. Directory Insights is included in all other packages.
SCIM DI Integration Events
Event Name | Event Description |
---|---|
idm_integration_activate | Logged when an IT admin attempts to activated new SCIM Identity Management integration. |
idm_integration_update | Logged when an IT admin attempts to update a configured and activated SCIM Identity Management integration. |
idm_integration_reauth | Logged when an IT admin attempts to change the credentials for an activated SCIM Identity Management integration. |
idm_integration_delete | Logged when an IT admin attempts to deactivate an activated SCIM Identity Management integration. |
SCIM DI User Events
Event Name | Event Description |
---|---|
user_create_provision | Logged when JumpCloud tries to create a new user in service provider application. |
user_update_provision | Logged when JumpCloud tries to update an existing user in service provider application. |
user_deprovision | Logged when JumpCloud tries to change an existing user to inactive in the service provider application. |
user_delete_provision | Logged when JumpCloud tries to delete an existing user in service provider application. |
user_lookup_provision | Logged when JumpCloud encounters an issue when trying to lookup a user to determine if the user needs to be created or updated. |
Removing the Integration
These are steps for removing the integration in JumpCloud. Consult your SP's documentation for any additional steps needed to remove the integration in the SP. Failure to remove the integration successfully for both the SP and JumpCloud may result in users losing access to the application.
To deactivate the IdM Integration
- Log in to the JumpCloud Admin Portal.
- Go to USER AUTHENTICATION > SSO Applications.
- Search for the application that you’d like to deactivate and click to open its details panel.
- Under the company name and logo on the left hand panel, click the Deactivate IdM connection link.
- Click confirm.
- If successful, you will receive a confirmation message.
To deactivate the SSO Integration or Bookmark
- Log in to the JumpCloud Admin Portal.
- Go to USER AUTHENTICATION > SSO Applications.
- Search for the application that you’d like to deactivate and click to open its details panel.
- Select the SSO or Bookmark tab.
- Scroll to the bottom of the configuration.
- Click Deactivate SSO or Deactivate Bookmark.
- Click save.
- If successful, you will receive a confirmation message.
To delete the application
- Log in to the JumpCloud Admin Portal.
- Go to USER AUTHENTICATION > SSO Applications.
- Search for the application that you’d like to delete.
- Check the box next to the application to select it.
- Click Delete.
- Enter the number of the applications you are deleting
- Click Delete Application.
- If successful, you will see an application deletion confirmation notification.
Warning: Imported users must be members of a user group bound to an application for JumpCloud to manage their identity in, and access to, the application.