Subscribe to Help Center RSS FeedThe Bob (HiBob) integration automates user creation, updates, and deprovisioning in JumpCloud based on events that occur in Bob. The automation creates efficiencies for IT and HR by reducing manual processes related to onboarding new hires, role changes, and offboarding. It also reduces security concerns related to manual data entry and access based on outdated user data.
Read this article to learn how to configure the Bob Integration.
Prerequisites
- A JumpCloud administrator account
- JumpCloud SSO Package or higher or SSO à la carte option
- A JumpCloud API key to connect Bob and JumpCloud
- A Bob administrator account
- If you will be configuring SSO, request your company ID from HiBob support
Important Considerations
- We recommend creating a separate JumpCloud administrator account to generate the JumpCloud API key for this integration
- To use the Staged user state in JumpCloud, contact the HiBob’s support team and ask them to change the default behavior. By default, the Bob integration will only create the user in an Active or Suspended (inactive) user state unless they change this default behavior
- We recommend setting your user state default to Staged to make it easier to identify users who have been imported and to complete the onboarding process without granting access. You can learn more about the Staged user state at Manage User States
- When the integration automatically changes the user state of a user from Staged to Active, the integration will not trigger an Activation email. An Activation email must be manually sent from the JumpCloud Admin Portal or a scheduled activation should be set on or before the user’s hire data (Schedule Activation option and Activation Date and Time selected)
- We recommend that you do not set a default password in Bob. Setting a default password prevents you from being able to send an Activation email allowing the user to set their own password. You can set one later in JumpCloud if needed
- Bob users created before the JumpCloud integration was configured will be synchronized in JumpCloud once one of the mapped properties is updated for those users in Bob
- Bob users not in JumpCloud will be created
- Bob users who have already been created in JumpCloud will be updated
- You can request HiBob’s support team to trigger an all employees’ synchronization to JumpCloud
- The Bob integration is managed and supported by the HiBob team. Please contact the HiBob support team first if you encounter issues with the integration
Configuring the Identity Management Integration
To get your JumpCloud API Key
Note: The Admin API key needs to belong to an Admin that has one of the following roles; Manager, Administrator or Admin with Billing. Creating an administrator service account with one of these roles is one way to ensure the integration isn't dependent on a specific admin account.
Once a new API key is generated, this revokes access to the current API key.
- Log in to the JumpCloud Admin Portal with the administrator account you want to use to generate the API key for this integration.
- Click your initials in the top right corner.
- Select My API Key.
- Click on Generate New API Key.
- Copy the API Key and store it securely, or leave this tab open while you complete the integration configuration steps in the SP.
This is the only time your API key will be visible to you. Store it somewhere safe, such as the JumpCloud Password Manager, so you can access it later.
To configure the JumpCloud default user state
Review Manage User States for more information.
- Log in to the JumpCloud Admin Portal.
- Navigate to Users > Settings.
- Set Manual / Single User API and CSV Import / Bulk User API Import values to the default user state you prefer for users created by the integration
- Click Save.
To configure the JumpCloud integration in Bob
Review Bob's JumpCloud integration for more information.
- Login to Bob with an administrator account.
- From the left bottom menu, navigate to Settings > Integrations.
- Under Provisioning, select MANAGE in the JumpCloud tile.
- Click + Add connection.
You can add multiple connections.
- Enter a name for your connection and your JumpCloud API key.
- Click Connect.
- In the Provision settings section, click Edit (pencil).
- In When to provision, select when you want users created in JumpCloud:
- On profile creation in Bob
- On start date
- Before start date
- In Who to provision, select the users to be synced to JumpCloud:
- All Employees
- Users meeting a certain condition, or a chosen set of users
- The list can be further filtered to users whose work email address matches a specified domain(s)
- In Default user settings, select the value for What status do users in Jumpcloud start with? This controls in which user state a user is created. The choices are:
- Inactive until start date – creates users in the suspended user start and the automatically changes the user state to active them on their start date. Resources cannot be assigned to users when they are in a suspended user state in JumpCloud
- Active – creates users in the active user state. User have access to all assigned resource when they are in an active user state
- Inactive – creates users in the suspended user state
If you want user created in the Staged user state, which is recommended, you must contact Bob support and have that option enabled.
- Enable or disable:
- Deactivate users in JumpCloud when people become inactive or deleted from Bob
- Use a default password for all users
- Click Save.
- Under Data mapping, select your desired attributes to be sent from Bob into JumpCloud and click Save when finished. You can also create custom attributes to map to JumpCloud by clicking on the + Add field button at the bottom of the section.
Refer to Bob's Map data for integration provisioning article for more information.
Bob User Attributes
| Bob Field Name | JumpCloud Attribute | JumpCloud UI Field Name | Notes |
|---|---|---|---|
| username | Username | Defaults to first part of email address (everything before the @ symbol). This is a required field in JumpCloud. If a user already exists in JumpCloud with a matching email, the Username for that user will not be overwritten by Bob. | |
| First name | firstname | First Name | |
| Surname | lastname | Last Name | |
| Middle name | middlename | Middle Name | |
| Display name | displayname | Display Name | |
| Work phone | phonenumbers[{type:work}] | Work Phone | |
| Work mobile | phonenumbers[{type:cell}] | Work Cell | |
| Title | jobTitle | Job Title | |
| Department | department | Department | |
| Employee ID | employeeIdentifier | Employee ID | |
| Site | location | Location | |
| Employment type | employeeType | Employee Type | |
| Employee status | state | User state | This is a calculated field. For new active users, the user state will be set based on the JumpCloud organization setting. |
Syncing Users
- Users are automatically created in JumpCloud when new hires are added to Bob
- Users are automatically updated when changes are made to employee profiles
- User are automatically deactivated in JumpCloud when employees leave the company if the Deactivation option is enabled
- A manual sync can be triggered at any time:
- Login to Bob with an administrator account
- From the left menu, select Settings > Integrations
- In the Provisioning category, click Manage the JumpCloud thumbnail
- Scroll down to the Manual syncs section
- Click Sync Now
- You can download the manual sync results
- You can see the status of each record in the Synced records section
User Sync Troubleshooting
You can see the status of each user record for which a sync was attempted in the Synced user section. If there was a failure, click on the stacked ellipses menu and choose details. A window will show detailed error message information.
Configuring the SSO Integration
To configure JumpCloud
Read the SAML Configuration Notes KB before you start configuring the connector.
- Log in to the JumpCloud Admin Portal.
- Go to USER AUTHENTICATION > SSO Applications.
- Search for and select Bob.
- Select the SSO tab.
- In the ACS URLs section:
- Replace YOUR_ID with your company ID provided by HiBob support
- Ensure that Declare Redirect Endpoint is checked
- Select save.
Download the JumpCloud metadata file
- Find your application in the Configured Applications list and click anywhere in the row to reopen its configuration window.
- Select the SSO tab and click Export Metadata.
- The JumpCloud-<applicationname>-metadata.xml will be exported to your local Downloads folder.
Metadata can also be downloaded from the Configured Applications list. Search for and select the application in the list and then click Export Metadata in the top right corner of the window.
To configure Bob
- Provide HiBob support the exported Metadata file to setup SSO on the HiBob side.
Authorizing User SSO Access
Users are implicitly denied access to applications. After you connect an application to JumpCloud, you need to authorize user access to that application. You can authorize user access from the Application Configuration panel or from the Groups Configuration panel.
To authorize user access from the Application Configuration panel
- Log in to the JumpCloud Admin Portal.
- Go to USER AUTHENTICATION > SSO Applications, then select the application to which you want to authorize user access.
- Select the User Groups tab. If you need to create a new group of users, see Get Started: User Groups.
- Select the check box next to the group of users you want to give access.
- Click save.
To learn how to authorize user access from the Groups Configuration panel, see Authorize Users to an SSO Application.
Validating SSO authentication workflow(s)
IdP-initiated
- Access the JumpCloud User Console
- Select the application’s tile
- The application will launch and login the user
SP-initiated
- Navigate to your Service Provider application URL
- You will be redirected to log in to the JumpCloud User Portal
- The browser will be redirected back to the application and be automatically logged in
Removing the Integration
These are steps for removing the integration in JumpCloud. Consult your SP's documentation for any additional steps needed to remove the integration in the SP. Failure to remove the integration successfully for both the SP and JumpCloud may result in users losing access to the application.
To deactivate the IdM Integration
- Log in to the JumpCloud Admin Portal.
- Go to USER AUTHENTICATION > SSO Applications.
- Search for the application that you’d like to deactivate and click to open its details panel.
- Under the company name and logo on the left hand panel, click the Deactivate IdM connection link.
- Click confirm.
- If successful, you will receive a confirmation message.
To deactivate the SSO Integration or Bookmark
- Log in to the JumpCloud Admin Portal.
- Go to USER AUTHENTICATION > SSO Applications.
- Search for the application that you’d like to deactivate and click to open its details panel.
- Select the SSO or Bookmark tab.
- Scroll to the bottom of the configuration.
- Click Deactivate SSO or Deactivate Bookmark.
- Click save.
- If successful, you will receive a confirmation message.
To delete the application
- Log in to the JumpCloud Admin Portal.
- Go to USER AUTHENTICATION > SSO Applications.
- Search for the application that you’d like to delete.
- Check the box next to the application to select it.
- Click Delete.
- Enter the number of the applications you are deleting
- Click Delete Application.
- If successful, you will see an application deletion confirmation notification.
In this Article