Subscribe to Help Center RSS FeedThe Custom SCIM Identity Management integration allows you to provision, update, and deprovision users and groups from JumpCloud in applications that support SCIM. Leverage this integration to centralize user lifecycle management, sync user data, manage groups, and control access and authorization from the JumpCloud Admin Portal. Create the integrations that are important for your organization if we haven't already created them for you. Learn more about Identity Management Connectors.
Unlike our pre-built Identity Management integrations, the custom integration provides you with a template for configuring a custom identity management integration from JumpCloud to applications that supports a SCIM API key/token integration.
Prerequisites
- SCIM versions 1.1 or 2.0 support
- Uses one of the following authentication types:
- SCIM API Key
- Bearer Token
- Does not require any special attribute mapping or extension schemas
Important Considerations
- This integration is for provisioning, managing, and deprovisioning user identities and groups in other applications from JumpCloud
- The custom SCIM integration option shown on the Identity Management tab for a specific application is not an indication that SCIM is supported. The option allows you to test and determine if an integration can be configured
- A test user and test group are created to test the integration. Both will be deleted if the DELETE method is supported by the service provider. If the DELETE method is not supported for users, then the test user will be deactivated and will have to be manually deleted if allowed by the service provider
- You provide a test user account to allow validation with applications that require verified domains for users
- If you’re setting up a custom SCIM identity management connector for an application that isn’t already in the JumpCloud application catalog, please note the following:
- If the application doesn’t support or require SAML SSO, create a Bookmark and add the custom integration to the bookmark
- If the application does require a SAML SSO connection for their SCIM integrations, or SAML SSO is supported and you would like to implement it along with identity management, create a SAML 2.0 custom connector
- User uniqueness is determined through a combination of ID, email, and username
- Group syncing will only work if the Service Provider supports Group Creation, Group Updates, and Group Deletion. If a service provide only supports some of those actions, turn Off the Enable management of User Groups and Group Membership in this application option. Otherwise, the integration will fail with a group related error when you try to activate the integration
- If a service provider does not support users being members of multiple groups, group membership syncing may fail if a user is a member of more than one group associated with the custom SCIM identity management integration
- It there is already a connection between JumpCloud and the service provider for the user, we use the ID we have stored
- If there is not already a connection for this user, we use their email to try to sync
- If we aren’t able to get the user by email, we use their username
- When checking by email and username we assert that there’s only one (1) user, otherwise, we don’t provision the user
Attribute Considerations
- A default set of attributes are managed for users. See the Attribute Mappings section for more details
- For new integrations, sending passwords is disabled by default. Only enable this option if you are not using SSO or the service provider requires a password change and you are comfortable with your service provider’s handling of your sensitive information.
- For integrations created before July 2022, sending passwords is enabled. This attribute should be checked and adjusted if this is not the desired setting
- You can include, exclude, or change the default attribute mappings
- Custom attributes and attributes not listed in the table below are not currently supported
- The externalId attribute is not sent from JumpCloud in the SCIM v2.0 implementation. If a service provider is using the externalId attribute, the value they set is kept and respected. The externalId is an optional attribute as outlined in the SCIM Core Schema definition. See the reference here
Configuring a Custom SCIM Identity Management Connector
From here, there are many different ways to configure; through a pre-existing configured application, manually configure through a new SAML 2.0 connector or Bookmark. You can also configure through adding a new application connector or manually.
- Log in to the JumpCloud Admin Portal.
- Go to USER AUTHENTICATION > SSO Applications.
To configure through an existing application, SAML 2.0 connector or Bookmark
- Navigate to SSO Applications > Configured Applications and select an existing configured application that doesn’t have a pre-built Identity Management integration (i.e., Abstract.) Then skip to Manually configure a Custom SCIM Identity Management Connector.
Note:
If Identity Management is listed in the Supported Functionality column, the application already has a pre-built SCIM Identity Management integration built by JumpCloud. Find a connector without this to continue.
To configure through a new application integration
- Click + Add New Application to add a new application.
- At the bottom of the page, click Custom SAML App.
- Configure SAML SSO. Learn more in SSO Using Custom SAML Application Connectors.
- Next, skip to the section Manually configure a Custom SCIM Identity Management Connector.
To configure through a new Bookmark
- Click + Add New Application to add a new application.
- At the bottom of the page, click URL Bookmark.
- Configure Bookmark, learn more about Connect Apps Using Bookmarks.
- Next, skip to the section Manually configure a Custom SCIM Identity Management Connector.
To configure through a new application connector
- Click + Add New Application to add a new application, then click configure for the application that you would like to add Identity Management to.
Note:
If Identity Management is listed in the Supported Functionality column, the application already has a pre-built SCIM Identity Management integration built by JumpCloud. Find a connector without this to continue.
- Click the General Info tab and add a Display Label, Description, and replace the logo if this is a new application configuration.
- Configure SAML SSO (Single Sign On) if the application service provider requires it to use SCIM for identity management.
To manually configure a custom SCIM Identity Management Connector
- Click the Identity Management tab.
- Review the text at the top of Configuration Settings section regarding how the testing is done and any potential manual cleanup that may be required.
- Select the SCIM Version and enter the service provider Base URL and Token.
- Click test connection.
- A connection to the service provider is attempted.
- You will receive one of the following notifications:
- Identity Management integration has been successfully verified. This will trigger a GET /users request and a GET/groups request sent to verify users and groups support by the service provider.
- There was a problem activating Identity Management. This will trigger a detailed error message to appear. The response to the GET/groups endpoint determines if groups are supported and whether the groups option or an error is shown in the Groups section.
- You will receive one of the following notifications:
- If groups aren’t supported by the service provider, you receive an error message.
- If Group Management isn’t supported by the service provider, you receive a message under the Group Management section saying, Group Management is not available for this service provider. {Error message. Group test failed}.
Note:
If the error message is longer than 200 characters, click learn more to open the modal with the full error message.
- If Group Management is supported by the service provider, you receive a message under the Group Management section saying, This service supports groups. Select this to manage group and group membership in [your integration].
- Leave Enable management of User Groups and Group Membership in this application option On to manage and sync groups and group members.
- Slide the option to Off if you only want to manage user identities and not groups or group membership.
- Click activate.
- A change, update, and delete will be attempted for a test user.
- If groups are supported, a change, update, and delete will be attempted for a test group.
- If all tests pass without any errors, a confirmation notification will slide out from the right side of the window and there will be a Deactivate IdM Connection in the left panel under the Identity Management section.
- If one or more errors occur:
- The error responses will be shown above the test and activate buttons, and the activate button will remain disabled. These errors will need to be reviewed and researched with the application service provider.
Note:
If the error message is longer than 200 characters, click learn more to open the modal with the full error message.
- The Attribute Mapping section will appear above the test and activate buttons. This section allows you to map or exclude a subset of the SCIM core attributes if any of the errors are related to SCIM core attributes.
- Once all errors have been addressed, click activate.
- If all tests pass without any errors, a confirmation notification will slide out from the right side of the window and there will be a Deactivate IdM Connection in the left panel under the Identity Management section.
- Your service provider should work with you to provide remediation options you can take to address the errors.
- If there are custom attributes and schema extensions, the integration might not be possible with a custom integration. You can submit a feature request to have a pre-built connector created, if this is the case. From the top navigation bar of the Admin Portal, select Support > submit an idea.
Attribute Mappings
The following table lists attributes that JumpCloud sends to the application. See Attribute Considerations for more information regarding attribute mapping considerations.
Learn about JumpCloud Properties and how they work with system users in our API.
Custom SCIM User Attributes
| JumpCloud UI | JumpCloud Attribute | SCIM Attribute | Notes |
|---|---|---|---|
| Company Email | userName | - | |
| Company Email | emails.work | - | |
| First Name | firstname | name.givenName | - |
| Middle Name | middlename | name.middleName | - |
| Last Name | lastname | name.familyName | - |
| Display Name | displayname | displayName | If Display Name isn't populated, we send 'First Name' + 'Last Name' |
| Work Address | addresses: type[=work] | addresses.type | We only send one address. Work is sent by default. If the work address is empty, then it's sent to the personal. If there aren't any addresses, we don't send this attribute. |
| Work Street Address | addresses: streetAddress | addressed.streetAddress | - |
| Work City | addresses: locality | addresses.locality | - |
| Work State | addresses: postalCode | addresses.region | - |
| Work Postal Code | addresses: postalCode | addresses.postalCode | - |
| Work Country | addresses: country | addresses.country | - |
| Work Phone | phoneNumbers: type [=work phone 'business'] phoneNumbers: number | phoneNumbers.[obj] | We only send one phone number. Work is sent by default. If the work phone if empty, then it's sent to the first personal phone number. If there aren't any phone numbers, we don't send this attribute. |
| Password | **password** | password | unhashed (send over secure communications channels). |
| activated | activated | active:true | - |
| suspended | suspended | active:false | - |
| Employee Type | employeeType | userType | - |
| Job Title | jobTitle | title | - |
| User Groups | - | groups:[obj] | We send all user groups that are associated with the application to which the user is a member. |
| Employee ID | employeeIdentifier | employeeNumber | - |
| Company | company | organization | - |
| Department | department | department | - |
Group Attributes
| JumpCloud Property | JumpCloud UI Field Name | SCIM v2 Mapping | Application Value |
|---|---|---|---|
| name | Name | displayName | Name |
Group Management Considerations
Enabling Group Management
You must select the Enable management of User Groups and Group Membership in this application option to manage groups and group membership in the application from JumpCloud.
Group Provisioning and Syncing
- Empty groups are not created
- JumpCloud takes over management of existing groups in the application when the user group name in JumpCloud matches the name of the group in the application
- All user groups associated with the application in JumpCloud are synced. Syncing occurs whenever there is a membership or group change event
- Group renaming is supported
- If a user group is disassociated from the application in JumpCloud, syncing immediately stops and the group is left as-is in the application. All members of that user group are deactivated in the application unless they are associated with another active application group that is managed from JumpCloud
Group Deletion
- Managed groups deleted in JumpCloud are deleted in the application
- All members of the deleted group are deactivated in the application, unless they are associated with another active application group that is managed from JumpCloud
Disabling Group Management
- You can disable group and group membership management by unchecking the Enable management of User Groups and Group Membership in this application option
- The managed groups and group membership are left as-is in the application
- JumpCloud stops sending group membership information for the user, but the user’s identity will continue to be managed from JumpCloud
Editing a Custom SCIM Identity Management Connector
Warning:
Enter a test email address for changing any settings, i.e., attributes or any other changes, in an active SCIM configuration.
- Open the application with the Custom SCIM Identity Management connector you want to edit.
- Click the Identity Management tab.
- Click into any of the fields
- Make your desired changes.
- If you want to cancel your changes, click the revert settings link.
- Click update.
- If you did not update the token, you will be prompted to enter your token again and click continue
- A change, update, and delete will be attempted for a test user.
- If all tests pass without any errors, a confirmation notification will slide out from the right side of the window and there will be a Deactivate IdM Connection in the left panel under the Identity Management section.
- If one or more errors occur:
- The error responses will be shown above the test and activate buttons, and the activate button will remain disabled. These errors will need to be reviewed and researched with the application service provider.
Note:
If the error message is longer than 200 characters, click learn more to open the modal with the full error message.
- The Attribute Mapping section will appear above the test and activate buttons. This section allows you to map or exclude a subset of the SCIM core attributes if any of the errors are related to SCIM core attributes.
- Your service provider should work with you to provide remediation options you can take to address the errors.
- If there are custom attributes and schema extensions, the integration might not be possible with a custom integration. You can submit a feature request to have a pre-built connector created, if this is the case. From the top navigation bar of the Admin Portal, select Support > submit an idea.
- Once all errors have been addressed, click update
- There will be a Deactivate IdM Connection in the left panel under the Identity Management section.
Removing the IdM Integration
To deactivate the IdM Integration
- Log in to the JumpCloud Admin Portal.
- Go to USER AUTHENTICATION > SSO.
- Search for the application that you’d like to deactivate and click to open its details panel.
- Under the company name and logo on the left hand panel, click the Deactivate IdM connection link.
- Click confirm.
- If successful, you will receive a confirmation message.
- You can now delete the application.
To delete the application
- Log in to the JumpCloud Admin Portal.
- Go to USER AUTHENTICATION > SSO Applications.
- Search for the application that you’d like to delete.
- Check the box next to the application to select it.
- Click Delete.
- Enter the number of the applications you are deleting
- Click Delete Application.
- If successful, you will see an application deletion confirmation notification.
Back to Top
In this Article