The Bob (HiBob) integration automates user creation, updates, and deprovisioning in JumpCloud based on events that occur in Bob. The automation creates efficiencies for IT and HR by reducing manual processes related to onboarding new hires, role changes, and offboarding. It also reduces security concerns related to manual data entry and access based on outdated user data.
Read this article to learn how to configure the Bob Integration.
Prerequisites
- A JumpCloud administrator account
- JumpCloud SSO Package or higher or SSO à la carte option
- A JumpCloud API key to connect Bob and JumpCloud
- A Bob administrator account
- If you will be configuring SSO, request your company ID from HiBob support
- Review the latest JumpCloud Integration article in the HiBob Help Center.
Important Considerations
- If an employee is not assigned to any SSO provider they will be able to log in to Bob using only their Bob username and password
- Each employee can be assigned to only one SSO provider
- If all employees are required to log in using SSO, you will not be able to set up any additional SSO integrations with Bob
- If you select people by condition, and an employee who is currently assigned to another SSO provider is included in the conditions, they will not be able to log in to Bob
- We recommend creating a separate JumpCloud administrator account to generate the JumpCloud API key for this integration
- To use the Staged user state in JumpCloud, contact the HiBob support team and ask them to change the default behavior. By default, the Bob integration will only create the user in an Active or Suspended (inactive) user state unless they change this default behavior
- We recommend setting your user state default to Staged to make it easier to identify users who have been imported and to complete the onboarding process without granting access. You can learn more about the Staged user state at Manage User States
- To automatically send the JumpCloud activation email when the integration changes the user state of a user from Staged to Active in JumpCloud, contact your Bob implementation manager to submit an engineering request, or contact the HiBob Support Team to create a support ticket to enable this functionality.
- We recommend that you do not set a default password in Bob. Setting a default password prevents you from being able to send an Activation email allowing the user to set their own password. You can set one later in JumpCloud if needed
- Bob users created before the JumpCloud integration was configured will be synchronized in JumpCloud once one of the mapped properties is updated for those users in Bob
- Bob users not in JumpCloud will be created
- Bob users who have already been created in JumpCloud will be updated
- You can ask HiBob's support team to trigger a synchronization of all employees to JumpCloud
- The Bob integration is managed and supported by the HiBob team. Please contact the HiBob support team first if you encounter issues with the integration
Configuring the Identity Management Integration
To get your JumpCloud API Key
Note: The Admin API key needs to belong to an Admin that has one of the following roles: Manager, Administrator, or Admin with Billing. Creating an administrator service account with one of these roles is one way to ensure the integration isn't dependent on a specific admin account.
Generating a new API key revokes access to the current API key.
- Log in to the JumpCloud Admin Portal with the administrator account you want to use to generate the API key for this integration.
- Click your initials in the top right corner.
- Select My API Key.
- Click on Generate New API Key.
- Copy the API Key and store it securely, or leave this tab open while you complete the integration configuration steps in the SP.
This is the only time your API key will be visible to you. Store it somewhere safe, such as the JumpCloud Password Manager, so you can access it later.
To configure the JumpCloud default user state
Review Manage User States for more information.
- Log in to the JumpCloud Admin Portal.
- Navigate to Users > Settings.
- Set Manual / Single User API and CSV Import / Bulk User API Import values to the default user state you prefer for users created by the integration
- Click Save.
To configure the JumpCloud integration in Bob
The Identity Management Integration is solely configured in Bob. Review Bob's JumpCloud integration for more information.
- Log in to Bob with an administrator account.
- From the left bottom menu, navigate to Settings > Integrations.
- Under Provisioning, select MANAGE in the JumpCloud tile.
- Click + Add connection.
You can add multiple connections.
- Enter a name for your connection and your JumpCloud API key.
- Click Connect.
- In the Provision settings section, click Edit (pencil).
- When to provision - select when you want users created in JumpCloud:
  - On profile creation in Bob
  - On start date
  - Before start date (specify number of days)
- Who to provision - select the users to be synced to JumpCloud:
  - All Employees
  - Select by condition - users meeting a certain condition, or a chosen set of users
  - Select by name - the list can be further filtered to users whose work email address matches a specified domain(s)
- Default user settings - select the value for What status do users in Jumpcloud start with? This controls in which user state a user is created. The choices are:
  - Inactive until start date - creates users in the suspended user state and then automatically changes the user state to active on their start date. Resources cannot be assigned to users when they are in a suspended user state in JumpCloud
  - Active - creates users in the active user state. Users have access to all assigned resources when they are in an active user state
  - Inactive - creates users in the suspended user state
If you want users created in the Staged user state, which is recommended, you must contact Bob support and have that option enabled.
- Deactivation:
  - Enabled - users are automatically suspended in JumpCloud when they are made inactive or deleted in Bob. (recommended)
  - Disabled - the user state remains unchanged in JumpCloud when they are made inactive or deleted in Bob
- User credentials:
  - Enabled - all users are created with the specified default password in JumpCloud
  - Disabled - a user is created without a password in JumpCloud. (recommended)
- Scroll back to the top of the Provisioning settings and click Save.
- Data mapping - select your desired attributes to be sent from Bob into JumpCloud and click Save when finished. You can also create custom attributes to map to JumpCloud by clicking on the + Add field button at the bottom of the section.
Refer to Bob's Map data for integration provisioning article for more information.
Bob User Attributes
Bob Field Name | JumpCloud Attribute | JumpCloud UI Field Name | Notes |
---|---|---|---|
REQUIRED | | | |
Display Name OR Define the mapping type as "Text and fields" and the Bob data as Basic Info - First Name.Basic Info - Last Name OR Define a username custom attribute on the user record | username | Username | Depending on your username naming convention, there are a few options you can set as the Bob Field Name. We suggested a few. If you select Display Name, the space between the first and last names will be removed, so the username will be firstlast. Regardless of the option you choose, confirm that the value adheres to the username requirements outlined in JumpCloud's naming conventions |
First name | firstname | First Name | |
Surname | lastname | Last Name | |
Middle name | middlename | Middle Name | |
Display name | displayname | Display Name | |
Work phone | phonenumbers[{type:work}] | Work Phone | |
Work mobile | phonenumbers[{type:cell}] | Work Cell | |
Title | jobTitle | Job Title | |
Department | department | Department | |
Employee ID | employeeIdentifier | Employee ID | |
Site | location | Location | |
Employment type | employeeType | Employee Type | |
Employee status | state | User state | The state value set for new users, staged or active, is determined by the integration settings in Bob. |
JumpCloud custom fields mapping
Up to 10 custom attributes can be used.
If you have created custom fields in JumpCloud they will not appear in the list of available fields to map to.
However, you can create a new custom field in JumpCloud directly from the Provisioning settings in Bob and map it to any Bob field.
- Click + Add field.
- In the Bob data column, select the Bob field.
- In the JumpCloud field column, select Custom field 1 (or 2-10).
When the data is synced, a new custom field will be created in JumpCloud with the same name as the Bob field.
Syncing Users
- Users are automatically created in JumpCloud when new hires are added to Bob
- Users are automatically updated when changes are made to employee profiles
- Users are automatically deactivated in JumpCloud when employees leave the company if the Deactivation option is enabled
- A manual sync can be triggered at any time:
  - Log in to Bob with an administrator account
  - From the left menu, select Settings > Integrations
  - In the Provisioning category, click Manage on the JumpCloud thumbnail
  - Scroll down to the Manual syncs section
  - Click Sync Now
- You can download the manual sync results
- You can see the status of each record in the Synced records section
User Sync Troubleshooting
You can see the status of each user record for which a sync was attempted in the Synced user section. If there was a failure, click on the stacked ellipses menu and choose details. A window will show detailed error message information.
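A post-sync check for the Deactivation setting and user states described above, as an added example that is not part of the original article or of JumpCloud's or HiBob's code. The JumpCloud keys follow the attribute names in the mapping table; the Bob-side keys, the state strings and all records are assumptions constructed for illustration.

```python
# JumpCloud keys follow the mapping table above (username, employeeIdentifier, state).
# Bob keys ("employee_id", "status") and the state strings are assumptions.
ACTIVE, STAGED = "ACTIVATED", "STAGED"

def reconcile(bob_employees, jc_users):
    """Compare HR status with JumpCloud user state; return (severity, id, message)."""
    findings, jc_by_id = [], {}
    for user in jc_users:
        emp_id = user.get("employeeIdentifier")
        if emp_id:
            jc_by_id[emp_id] = user
        else:  # e.g. service or admin accounts that the integration does not manage
            findings.append(("review", None, f"{user['username']}: no employeeIdentifier"))

    for emp in bob_employees:
        emp_id, status = emp["employee_id"], emp["status"]
        user = jc_by_id.pop(emp_id, None)
        if user is None:
            if status == "active":
                findings.append(("review", emp_id, "active in Bob, missing in JumpCloud"))
            continue
        state = user["state"].upper()
        if status == "inactive" and state == ACTIVE:
            # Deactivation disabled or a failed sync: a leaver keeps access.
            findings.append(("high", emp_id, f"{user['username']}: inactive in Bob, active in JumpCloud"))
        elif status == "active" and state == STAGED:
            findings.append(("info", emp_id, f"{user['username']}: staged, onboarding not completed"))

    # Whatever is left has an employee ID that no longer exists in Bob.
    for emp_id, user in jc_by_id.items():
        if user["state"].upper() == ACTIVE:
            findings.append(("high", emp_id, f"{user['username']}: active in JumpCloud, deleted in Bob"))
    return findings

# Constructed sample records, not real data.
BOB = [{"employee_id": "E100", "status": "active"},
       {"employee_id": "E101", "status": "inactive"},
       {"employee_id": "E102", "status": "active"},
       {"employee_id": "E103", "status": "inactive"},
       {"employee_id": "E104", "status": "active"}]
JC = [{"username": "janedoe", "employeeIdentifier": "E100", "state": "ACTIVATED"},
      {"username": "johnroe", "employeeIdentifier": "E101", "state": "ACTIVATED"},
      {"username": "samlee", "employeeIdentifier": "E102", "state": "STAGED"},
      {"username": "patkim", "employeeIdentifier": "E103", "state": "SUSPENDED"},
      {"username": "alexray", "employeeIdentifier": "E900", "state": "ACTIVATED"},
      {"username": "svc-hr-sync", "employeeIdentifier": "", "state": "ACTIVATED"}]

if __name__ == "__main__":
    for finding in reconcile(BOB, JC):
        print(finding)
```

The "high" findings are the ones to act on first: they are accounts that should have been suspended by the Deactivation setting but still grant access.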
Configuring the SSO Integration
To configure JumpCloud
- Log in to the JumpCloud Admin Portal.
- Go to USER AUTHENTICATION > SSO Applications.
- Search for and select Bob.
- Select the SSO tab.
- In the ACS URLs section:
  - Replace YOUR_ID with your company ID provided by HiBob support (you can obtain this in the next section if you do not have it)
  - Ensure that Declare Redirect Endpoint is checked
- Select save.
Download the JumpCloud metadata file
- Find your application in the Configured Applications list and click anywhere in the row to reopen its configuration window.
- Select the SSO tab and click Export Metadata.
- The JumpCloud-<applicationname>-metadata.xml will be exported to your local Downloads folder.
Metadata can also be downloaded from the Configured Applications list. Search for and select the application in the list and then click Export Metadata in the top right corner of the window.
To configure Bob
- Log in to Bob with an administrator account.
- From the left bottom menu, navigate to Settings > Integrations > SSO.
- Click Connect on the JumpCloud tile and then click Set up.
- Company ID - copy this value if you have not already obtained it from Bob support
- Metadata file from JumpCloud - click Upload to search for and select the JumpCloud metadata file generated in the previous section
- Who to include:
  - All Employees
  - Select by condition - users meeting a certain condition, or a chosen set of users
  - Select by name - the list can be further filtered to users whose work email address matches a specified domain(s)
- Click Save.
In JumpCloud, if you have not configured the SSO ACS URL, replace YOUR_ID with your Bob Company ID.
Authorizing User SSO Access
Users are implicitly denied access to applications. After you connect an application to JumpCloud, you need to authorize user access to that application. You can authorize user access from the Application Configuration panel or from the Groups Configuration panel.
To authorize user access from the Application Configuration panel
- Log in to the JumpCloud Admin Portal.
- Go to USER AUTHENTICATION > SSO Applications, then select the application to which you want to authorize user access.
- Select the User Groups tab. If you need to create a new group of users, see Get Started: User Groups.
- Select the check box next to the group of users you want to give access.
- Click save.
To learn how to authorize user access from the Groups Configuration panel, see Authorize Users to an SSO Application.
Validating SSO user authentication workflow(s)
IdP-initiated user workflow
- Access the JumpCloud User Console
- Go to Applications and click an application tile to launch it
- JumpCloud asserts the user's identity to the SP, and the user is authenticated without having to log in to the application
SP-initiated user workflow
- Go to the SP application login - generally, there is either a special link or an adaptive username field that detects the user is authenticated through SSO
This varies by SP.
- Login redirects the user to JumpCloud where the user enters their JumpCloud credentials
- After the user is logged in successfully, they are redirected back to the SP and automatically logged in
Removing the Identity Management Integration
- From the top left, click Bob products > System settings.
- From the left menu, select Integrations.
- From the dropdown in the upper right change All Apps to Connected Apps
- Click Manage on the JumpCloud tile
- Click the three-dot menu at the end of the row
- Select Remove
- Type REMOVE
- Click Remove