Identity Management using a Custom SCIM Integration

The Custom SCIM Identity Management integration allows you to provision, update, and deprovision users and groups from JumpCloud in applications that support SCIM. Leverage this integration to centralize user lifecycle management, sync user data, manage groups, and control access and authorization from the JumpCloud Admin Portal. Create the integrations that are important for your organization if we haven't already created them for you. 

Unlike our pre-built Identity Management integrations, the custom integration provides you with a template for configuring a custom identity management integration from JumpCloud to applications that supports a SCIM API key/token integration.

Prerequisites:

  • You will need to research each service provider to which you want to add a SCIM Identity Management integration and verify the following:
    • SCIM versions 1.1 or 2.0 support.
    • One of the following authentication types:
      • SCIM API Key
      • Bearer Token
    • There are no special attribute mapping or extension schemas required.

Considerations:

  • This integration is for provisioning, managing, and deprovisioning user identities and groups in other applications from JumpCloud.
  • The custom SCIM integration option shown on the Identity Management tab for a specific application is not an indication that SCIM is supported.  The option allows you to test and determine if an integration can be configured.
  • A test user and test group are created to test the integration. Both will be deleted if the DELETE method is supported by the service provider. If the DELETE method is not supported for users, then the test user will be deactivated and will have to be manually deleted if allowed by the service provider.
    • You provide a test user account to allow validation with applications that require verified domains for users.
  • If you’re setting up a custom SCIM identity management connector for an application that isn’t already in the JumpCloud application catalog, please note the following:
    • If the application doesn’t support or require SAML SSO, create a Bookmark and add the custom integration to the bookmark. Learn more: Connect Apps Using Bookmarks
    • If the application does require a SAML SSO connection for their SCIM integrations, or SAML SSO is supported and you would like to implement it along with identity management, create a SAML 2.0 custom connector.
  • The externalId attribute is not sent from JumpCloud in the SCIM v2.0 implementation.  If a service provider is using the externalId attribute, the value they set is kept and respected.  The externalId is an optional attribute as outlined in the SCIM Core Schema definition. See the reference here
  • User uniqueness is determined through a combination of ID, email, and username.
    • It there is already a connection between JumpCloud and the service provider for the user, we use the ID we have stored. 
    • If there is not already a connection for this user, we use their email to try to sync. 
    • If we aren’t able to get the user by email, we use their username. 
    • When checking by email and username we assert that there’s only one (1) user, otherwise, we don’t provision the user.
  • Group syncing will only work if the service provider supports Group Creation, Group Updates, and Group Deletion. If a service provide only supports some of those actions, turn Off the Enable management of User Groups and Group Membership in this application option. Otherwise, the integration will fail with a group related error when you try to activate the integration.
  • If a service provider does not support users being members of multiple groups, group membership syncing may fail if a user is a member of more than one group associated with the Custom SCIM identity management integration.

Group and Group Membership Management Considerations

Important:

Not all service providers support groups. The following information is only for service providers that do support groups. The functionality outlined below is what JumpCloud can do if allowed by the service provider. Learn more about groups below.

You must select the Enable management of User Groups and Group Membership in this application option to manage groups and group membership in your custom SCIM integration.

Group Syncing:

  • JumpCloud will attempt to create a new group if the User Group name in JumpCloud doesn’t exist in the application.
  • JumpCloud can take over management of existing groups in the application, if allowed by the service provider, when the User Group names in JumpCloud match the names of groups in the application.
  • JumpCloud will attempt to sync all user groups associated with the Custom SCIM identity management integration. Syncing occurs whenever there is a membership or group name change event in JumpCloud.
  • JumpCloud will change the name of the group in the application when name of the User Group is changed in JumpCloud
  • JumpCloud supports users being members of multiple groups and will send all group memberships when syncing.  
  • Syncing immediately stops when a group is disassociated/unbound from the AWS SSO application connector.
    • The group in the application will remain exactly as it was at the point of the dissociation/unbinding.  
    • Users who were only associated with the application through the disassociated/unbound group will be deactivated.
    • Users who were associated with multiple groups will remain members of the disassociated/unbound group. Their membership will only be updated for groups that are still associated with the application in JumpCloud.

Group Provisioning:

  • JumpCloud will attempt to create empty groups.

Group Deletion:

  • Managed groups deleted in JumpCloud will be deleted in the application.
  • All members of a deleted managed group are disabled in the application, unless they are associated with another active JumpCloud managed group in the application.

Group Permissions and Access:

  • Permissions and access granted to the groups can be inherited by users who are added to the group.

Disabling Group Management:

  • You can disable group and group membership management by unchecking the Enable management of User Groups and Group Membership in this application option.
  • The managed groups and group membership are left as-is in the application.
  • JumpCloud stops sending group membership information for the user, but the user’s identity will continue to be managed from JumpCloud.

Attribute Considerations for Custom SCIM integration:

  • For new integrations, sending passwords is disabled by default. Only enable this option if you are not using SSO or the service provider requires a password change and you are comfortable with your service provider’s handling of your sensitive information.
  • For integrations created before July 2022, sending passwords is enabled. This attribute should be checked and adjusted if this is not the desired setting.
  • You can include, exclude, or change the default attribute mappings
  • Custom attributes and attributes not listed in the table below are not currently supported

Configuring a Custom SCIM Identity Management Connector 

From here, there are many different ways to configure; through a pre-existing configured application, manually configure through a new SAML 2.0 connector or Bookmark. You can also configure through adding a new application connector or manually.

To configure an Identity Management Connector for Custom SCIM:

  1. Log in to the JumpCloud Admin Portal.
  2. Go to USER AUTHENTICATION > SSO Applications.

To configure through an already configured application, SAML 2.0 connector or Bookmark:

  1. Navigate to SSO Applications > Configured Applications list and select an existing configured application that doesn’t have a pre-built Identity Management integration (i.e., Abstract.) Then skip to the section, Manually configuring an Identity Management Connector.

Note:

If Identity Management is listed in the Supported Functionality column, the application already has a pre-built SCIM Identity Management integration built by JumpCloud. Find a connector without this to continue. 

To configure through a New Application Integration:

  1. Click + Add New Application to add a new application.
  2. At the bottom of the page, click Custom SAML App
  3. Configure SAML SSO. Learn more in SSO Using Custom SAML Application Connectors.
  4. Next, skip to the section Manually configure a Custom SCIM Identity Management Connector

To configure through a new Bookmark:

  1. Click + Add New Application to add a new application.
  2. At the bottom of the page, click URL Bookmark.
  3. Configure Bookmark, learn more about Connect Apps Using Bookmarks.
  4. Next, skip to the section Manually configure a Custom SCIM Identity Management Connector

To configure through a new application connector:

  1. Click + Add New Application to add a new application, then click configure for the application that you would like to add Identity Management to.

Note:

If Identity Management is listed in the Supported Functionality column, the application already has a pre-built SCIM Identity Management integration built by JumpCloud. Find a connector without this to continue. 

  1. Click the General Info tab and add a Display LabelDescription, and replace the logo if this is a new application configuration.
  2. Configure SAML SSO (Single Sign On) if the application service provider requires it to use SCIM for identity management.

To manually configure a Custom SCIM Identity Management Connector:

  1. Click the Identity Management tab.
  2. Review the text at the top of Configuration Settings section regarding how the testing is done and any potential manual cleanup that may be required.
  3. Select the SCIM Version and enter the service provider Base URL and Token.
  4. Click test connection.
  5. A connection to the service provider is attempted.
    • You will receive one of the following notifications:
      • Identity Management integration has been successfully verified. This will trigger a GET /users request and a GET/groups request sent to verify users and groups support by the service provider.
      • There was a problem activating Identity Management. This will trigger a detailed error message to appear. The response to the GET/groups endpoint determines if groups are supported and whether the groups option or an error is shown in the Groups section.
  6. If groups aren’t supported by the service provider, you receive an error message.
  7. If Group Management isn’t supported by the service provider, you receive a message under the Group Management section saying, Group Management is not available for this service provider. {Error message. Group test failed}.

Note:

If the error message is longer than 200 characters, click learn more to open the modal with the full error message.

  1. If Group Management is supported by the service provider, you receive a message under the Group Management section saying, This service supports groups. Select this to manage group and group membership in [your integration].
    • Leave  Enable management of User Groups and Group Membership in this application option On to manage and sync groups and group members.  
    • Slide the option to Off  if you only want to manage user identities and not groups or group membership.
  2. Click activate
  3. changeupdate, and delete will be attempted for a test user. 
  4. If groups are supported, a change, update, and delete will be attempted for a test group.
  5. If all tests pass without any errors, a confirmation notification will slide out from the right side of the window and there will be a Deactivate IdM Connection in the left panel under the Identity Management section.
  6. If one or more errors occur:
    • The error responses will be shown above the test and activate buttons, and the activate button will remain disabled. These errors will need to be reviewed and researched with the application service provider.
      • Note: If the error message is longer than 200 characters, click learn more to open the modal with the full error message. 
    • The Attribute Mapping section will appear above the test and activate buttons. This section allows you to map or exclude a subset of the SCIM core attributes if any of the errors are related to SCIM core attributes.
      • Your service provider should work with you to provide remediation options you can take to address the errors. 
      • If there are custom attributes and schema extensions, the integration might not be possible with a custom integration.  You can submit a feature request to have a pre-built connector created, if this is the case. From the top navigation bar of the Admin Portal, select Support > submit an idea.
  7. Once all errors have been addressed, click activate
  8. If all tests pass without any errors, a confirmation notification will slide out from the right side of the window and there will be a Deactivate IdM Connection in the left panel under the Identity Management section.

To edit a Custom SCIM Identity Management Connector :

  1. Open the application with the Custom SCIM Identity Management connector you want to edit.  
  2. Click the Identity Management tab.
  3. Click into any of the fields
  4. Make your desired changes. 
  5. If you want to cancel your changes, click the revert settings link. 
  6. Click update
  7. If you did not update the token, you will be prompted to enter your token again and click continue
  8. changeupdate, and delete will be attempted for a test user. 
  9. If all tests pass without any errors, a confirmation notification will slide out from the right side of the window and there will be a Deactivate IdM Connection in the left panel under the Identity Management section.
  10. If one or more errors occur:
    • The error responses will be shown above the test and activate buttons, and the activate button will remain disabled. These errors will need to be reviewed and researched with the application service provider.

Note:

If the error message is longer than 200 characters, click learn more to open the modal with the full error message.

  1. The Attribute Mapping section will appear above the test and activate buttons. This section allows you to map or exclude a subset of the SCIM core attributes if any of the errors are related to SCIM core attributes.
    • Your service provider should work with you to provide remediation options you can take to address the errors. 
    • If there are custom attributes and schema extensions, the integration might not be possible with a custom integration.  You can submit a feature request to have a pre-built connector created, if this is the case. From the top navigation bar of the Admin Portal, select Support > submit an idea.
  2. Once all errors have been addressed, click update
  3. There will be a Deactivate IdM Connection in the left panel under the Identity Management section.

Deactivating an Identity Management Integration 

  1. Log in to the JumpCloud Admin Portal.
  2. Go to USER AUTHENTICATION > SSO.
  3. Search for the application that you’d like to deactivate and click to open its details panel. 
  4. Under the company name and logo on the left hand side, click Deactivate IdM connection under the section Identity Management.
  5. Click confirm to deactivate Identity Management for the application. 

Attribute Mappings

The following table lists attributes that JumpCloud sends to your custom SCIM integration. 

See Attribute Considerations for Custom SCIM integration above for more information regarding attribute mapping considerations. 

Learn about JumpCloud Properties and how they work with system users in our API

Important:

The table below shows the only default mappings that will work.

JumpCloud UI JumpCloud Attribute SCIM Attribute Notes
Company Email email userName -
Company Email email emails.work -
First Name firstname name.givenName -
Middle Name middlename name.middleName -
Last Name lastname name.familyName -
Display Name displayname displayName If Display Name isn't populated, we send 'First Name' + 'Last Name'
Work Address addresses: type[=work] addresses.type We only send one address. Work is sent by default. If the work address is empty, then it's sent to the personal. If there aren't any addresses, we don't send this attribute.
Work Street Address addresses: streetAddress addressed.streetAddress -
Work City addresses: locality addresses.locality -
Work State addresses: postalCode addresses.region -
Work Postal Code addresses: postalCode addresses.postalCode -
Work Country addresses: country addresses.country -
Work Phone phoneNumbers: type [=work phone 'business'] phoneNumbers: number phoneNumbers.[obj] We only send one phone number. Work is sent by default. If the work phone if empty, then it's sent to the first personal phone number. If there aren't any phone numbers, we don't send this attribute.
Password **password** password unhashed (send over secure communications channels).
activated activated active:true -
suspended suspended active:false -
Employee Type employeeType userType -
Job Title jobTitle title -
User Groups - groups:[obj] We send all user groups that are associated with the application to which the user is a member.
Employee ID employeeIdentifier employeeNumber -
Company company organization -
Department department department -

Troubleshooting

  • If you are getting unmarshal errors, that typically indicates that we are expecting one data type and the service provider is sending another data type. You will need to contact the service provider to troubleshoot further. Our implementation follows the SCIM schema standard. Per section 2.2, if the data type is not specifically stated, we use the data type of “string.”
  • If you are getting unmarshal number errors related to user.id, this means that the service provider is sending the id as an integer.  We only support the id as type string in adherence with the SCIM schema definition.  You will need to contact the service provider to determine if they can also send that value as a string. 
  • If you are configuring a custom SCIM integration with Miro, you will need to do the following:
    • Remove the trailing ‘/’ from the Base URL value.  The value should be https://miro.com/api/v1/scim.
    • Turn Off the Enable management of User Groups and Group Membership in this application option.  Miro currently only supports “Group Updates”.  JumpCloud is currently only able to support a custom SCIM integration with service providers that support Group Creation, Group Updates, and Group Deletion.
  • If you are configuring a custom SCIM integration with Databricks, you will need to do the following:
    • Turn Off the Enable management of User Groups and Group Membership in this application option. JumpCloud currently requires Group Creation, Group Updates, and Group Deletion to enable group management for a service provider. Databricks does not support Group Updates.
  • If you receive 404s for each of the group tests, then the service provider does not support groups. You will need to disable the Off the Enable management of User Groups and Group Membership in this application option and try and activate again.

List IconIn this Article

Still Have Questions?

If you cannot find an answer to your question in our FAQ, you can always contact us.

Submit a Case