Important Considerations<\/strong><\/p>\n\n\n\n
- \n
- Single sign-on for AWS IAM Identity Center is recommended, but not required, when creating an Identity Management integration with AWS IAM Identity Center<\/li>\n\n\n\n
- SAML is the recommended method for managing secure user authentication into AWS IAM Identity Center<\/li>\n\n\n\n
- For the connector to work, usernames in AWS IAM Identity Center need to match email addresses in JumpCloud<\/li>\n\n\n\n
- If you need to renew your token, you must deactivate the Identity Management integration<\/a> first, update your token<\/a> and then reactivate the integration<\/li>\n\n\n\n
- If you deactivate Identity Management integration on an AWS IAM Identity Center application connector, you will need to generate a new access token if you want to activate it again<\/li>\n\n\n\n
- If you delete an integrated AWS IAM Identity Center application from your Applications list, the application is removed from JumpCloud, but any previously bound users remain active in AWS IAM Identity Center. These users will be able to log in to AWS IAM Identity Center with the password they used prior to enablement of SSO to the AWS IAM Identity Center application from your JumpCloud account<\/li>\n\n\n\n
- When a user is deleted in JumpCloud, the user is deleted from AWS IAM Identity Center<\/li>\n\n\n\n
- Once the Identity Source is changed to \u201cExternal Identity Provider\u201d and SCIM Provisioning is enabled in AWS IAM Identity Center, you can no longer create or update users and groups in AWS IAM Identity Center:\n
- \n
- To manage AWS IAM Identity Center users who were created before SCIM provisioning was enabled, you need to add them in JumpCloud and add them to a User Group that is associated with the AWS IAM Identity Center application connector<\/li>\n\n\n\n
- To manage AWS IAM Identity Center groups that were created before SCIM provisioning was enabled, in JumpCloud, you have to select the Enable management of User Groups and Group Membership in this application. Then, create user groups with the same name as your existing AWS IAM Identity Center groups, and add those groups to the AWS IAM Identity Center application connector<\/li>\n<\/ul>\n<\/li>\n\n\n\n
- AWS IAM Identity Center is only capable of returning 50 groups from their ListGroups API<\/li>\n\n\n\n
- Group names in JumpCloud cannot have a \u2018:\u2019 character. Otherwise, they won’t sync<\/li>\n\n\n\n
- The username in AWS IAM Identity Center must match the email address in JumpCloud. If users were manually created in AWS IAM Identity Center before JumpCloud was configured as the external identity source, the username must be updated to the email address specified for that user in JumpCloud. If the username is not a valid JumpCloud email, then the following will occur:\n
- \n
- Jumpcloud won’t be able to take over management of the user in AWS IAM Identity Center<\/li>\n\n\n\n
- The user won’t be able to log in via SSO<\/li>\n\n\n\n
- The user encounters an invalid MFA credentials error<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n
Attribute Considerations<\/strong><\/p>\n\n\n\n
- \n
- A default set of attributes are managed for users. See the Attribute Mappings<\/a> section for more details<\/li>\n\n\n\n
- If the display name is updated in JumpCloud, AWS IAM Identity Center won’t overwrite it<\/li>\n\n\n\n
- When you update a Group name in the JumpCloud administrator portal, it will update in AWS IAM Identity Center as well<\/li>\n\n\n\n
- When a new user is provisioned to AWS IAM Identity Center, the value of the displayName<\/kbd> attribute is set to combine the firstName<\/kbd> and lastName<\/kbd> attributes.\u00a0For example, the attribute displayName<\/kbd> = firstName<\/kbd> + lastName<\/kbd>:\n
- \n
- firstName<\/kbd> = \u201cJohn\u201d<\/li>\n\n\n\n
- lastName <\/kbd>= \u201cDoe\u201d<\/li>\n\n\n\n
- displayName <\/kbd>= \u201cJohn Doe\u201d<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n
Creating a new JumpCloud Application Integration<\/strong><\/h2>\n\n\n\n
- \n
- Log in to the JumpCloud Admin Portal<\/a>.<\/li>\n\n\n\n
- Go to\u00a0USER AUTHENTICATION\u00a0<\/strong>>\u00a0SSO<\/strong> Applications<\/strong>.<\/li>\n\n\n\n
- Click + Add New Application<\/strong>.<\/li>\n\n\n\n
- Type the name of the application in the Search <\/strong>field and select it.<\/li>\n\n\n\n
- Click Next<\/strong>.<\/li>\n\n\n\n
- In the Display Label<\/strong>, type your name for the application. Optionally, you can enter a Description<\/strong>, adjust the User Portal Image and choose to hide or Show in User Portal<\/strong>.<\/li>\n<\/ol>\n\n\n\n
![](\"\/wp-content\/themes\/jumpcloud\/assets\/images\/gutenberg-blocks\/note-icon.png\")
<\/p><\/div>Note:<\/strong> \nIf this is a Bookmark Application, enter your sign-in URL in the Bookmark URL<\/strong> field.<\/p>\n <\/div><\/div><\/div><\/div>\n\n\n\n
- \n
- Optionally, expand Advanced Settings<\/strong> to specify a value for the SSO IdP URL<\/strong>. If no value is entered, it will default to https:\/\/sso.jumpcloud.com\/saml2\/<applicationname><\/kbd>.<\/li>\n<\/ol>\n\n\n\n
![](\"\/wp-content\/themes\/jumpcloud\/assets\/images\/gutenberg-blocks\/warning-icon.png\")
<\/p><\/div>Warning:<\/strong> \nThe SSO IdP URL<\/strong> is not editable after the application is created. You will have to delete and recreate the connector if you need to edit this field at a later time.<\/p>\n <\/div><\/div><\/div><\/div>\n\n\n\n
- \n
- Click Save Application<\/strong>.<\/li>\n\n\n\n
- If successful, click:\n
- \n
- Configure Application<\/strong> and go to the next section <\/li>\n\n\n\n
- Close<\/strong> to configure your new application at a later time <\/li>\n<\/ul>\n<\/li>\n<\/ol>\n\n\n\n
Configuring the SSO Integration<\/strong><\/h2>\n\n\n\n
To configure AWS IAM Identity Center 1<\/strong><\/h3>\n\n\n\n
- \n
- Log in to the AWS IAM Identity Center management console. <\/li>\n\n\n\n
- Under Enable<\/strong> IAM Identity Center, <\/strong>choose Enable.<\/strong><\/li>\n\n\n\n
- If there is not an existing AWS organization, click Create AWS organization<\/strong> to create<\/a> one. <\/li>\n\n\n\n
- Under Recommended setup steps<\/strong>, select Choose your identity source<\/strong>.<\/li>\n\n\n\n
- Next to Identity Source<\/strong>, click Change<\/strong>. <\/li>\n\n\n\n
- Select External identity provider<\/strong>.<\/li>\n\n\n\n
- In the Service provider metadata<\/strong> section, click download metadata file<\/strong>. <\/li>\n\n\n\n
- Keep the AWS console open because you need to access it for To configure AWS IAM Identity Center 2<\/a>. <\/li>\n<\/ol>\n\n\n\n
To configure JumpCloud<\/strong> <\/h3>\n\n\n\n
![](\"\/wp-content\/themes\/jumpcloud\/assets\/images\/gutenberg-blocks\/important-icon.png\")
<\/p><\/div>Important:<\/strong> \nDo not <\/strong>select Amazon Web Services (IAM) for this connector.<\/p>\n <\/div><\/div><\/div><\/div>\n\n\n\n
- \n
- Create a new application<\/a> or select it from the Configured Application<\/strong>s list.<\/li>\n\n\n\n
- Select the SSO <\/strong>tab.<\/li>\n\n\n\n
- Under Service Provider Metadata<\/strong>, click Upload Metadata.<\/strong><\/li>\n\n\n\n
- Browse to the location of the Service Provider Metadata downloaded from the previous section and click Open<\/strong>.<\/li>\n\n\n\n
- Once this file is uploaded, all fields should populate automatically.<\/li>\n\n\n\n
- Click Export Metadata<\/strong> under JumpCloud Metadata<\/strong>. <\/li>\n<\/ol>\n\n\n\n\n\n
- \n
- Optionally, if you want to force SP Initiated Authentication, in the Login URL<\/strong> field, replace the value with your Login URL. <\/li>\n<\/ol>\n\n\n\n
![](\"\/wp-content\/themes\/jumpcloud\/assets\/images\/gutenberg-blocks\/tip-icon.png\")
<\/p><\/div>Tip:<\/strong> \nThis is the URL provided by Amazon to log directly into your company-specific AWS access portal. <\/p>\n <\/div><\/div><\/div><\/div>\n\n\n\n
- \n
- Click save<\/strong>. <\/li>\n<\/ol>\n\n\n\n
To configure AWS IAM Identity Center<\/strong><\/strong> 2<\/strong><\/h3>\n\n\n\n
- \n
- Go back to the AWS IAM Identity Center management console.<\/li>\n\n\n\n
- In the Identity provider metadata<\/strong> section, click Choose file<\/strong>, and upload the JumpCloud metadata file. <\/li>\n\n\n\n
- Click Next: Review<\/strong>.<\/li>\n\n\n\n
- In the text box, type ACCEPT<\/em> to change your identity source. <\/li>\n\n\n\n
- Click Change identity source<\/strong>.<\/li>\n<\/ol>\n\n\n\n
Authorizing User SSO Access<\/strong><\/h2>\n\n\n\n
Users are implicitly denied access to applications. After you connect an application to JumpCloud, you need to authorize user access to that application. You can authorize user access from the Application Configuration<\/strong> panel or from the Groups Configuration<\/strong> panel. <\/p>\n\n\n\n
To authorize user access from the Application Configuration panel<\/strong><\/h3>\n\n\n\n
- \n
- Log in to the <\/a>JumpCloud Admin Portal<\/a>.<\/li>\n\n\n\n
- Go to USER AUTHENTICATION > SSO<\/strong> Applications<\/strong>, then select the application to which you want to authorize user access.<\/li>\n\n\n\n
- Select the User Groups<\/strong> tab. If you need to create a new group of users, see Get Started: User Groups<\/a>.<\/li>\n\n\n\n
- Select the check box next to the group of users you want to give access.<\/li>\n\n\n\n
- Click save<\/strong>. <\/li>\n<\/ol>\n\n\n\n
To learn how to authorize user access from the Groups Configuration<\/strong> panel, see Authorize Users to an SSO Application<\/a>.<\/p>\n\n\n\n
Validating SSO user authentication workflow(s)<\/strong><\/h2>\n\n\n\n
IdP-initiated<\/strong> user workflow<\/strong><\/h3>\n\n\n\n
- \n
- Access the JumpCloud User Console<\/a><\/li>\n\n\n\n
- Go to\u00a0Applications<\/strong> and click an application tile to launch it<\/li>\n\n\n\n
- JumpCloud asserts the user’s identity to the SP and is authenticated without the user having to log in to the application<\/li>\n<\/ul>\n\n\n\n
SP-initiated<\/strong> user workflow<\/strong><\/h3>\n\n\n\n
- \n
- Go\u00a0to the SP application login – generally, there is either a special link or an adaptive username field that detects the user is authenticated through SSO<\/li>\n<\/ul>\n\n\n\n<\/p><\/div>Note:<\/strong> \n
This varies by SP.<\/p>\n <\/div><\/div><\/div><\/div>\n\n\n\n
- \n
- Login redirects the user to JumpCloud where the user enters their JumpCloud credentials<\/li>\n\n\n\n
- After the user is logged in successfully, they are redirected\u00a0back to the SP and automatically logged in<\/li>\n<\/ul>\n\n\n\n
Configuring the Identity Management Integration <\/strong><\/h2>\n\n\n\n
- \n
- Create a new application<\/a> or select it from the Configured Application<\/strong>s list.<\/li>\n\n\n\n
- Select the Identity Management<\/strong> tab.<\/li>\n\n\n\n
- Click configure<\/strong>, and keep the window available. <\/li>\n\n\n\n
- In a new window, log in to the AWS administrator console. <\/li>\n\n\n\n
- Go to All Services > Security, Identity & Compliance<\/strong>, and select AWS Single Sign-On<\/strong>.<\/li>\n\n\n\n
- Under Recommended setup steps<\/strong>, select Choose your identity provider<\/strong>.<\/li>\n\n\n\n
- In the Identity source<\/strong> section, select Enable automatic provisioning<\/strong>.<\/li>\n\n\n\n
- Copy the SCIM Endpoint URL<\/strong> from the Inbound automatic provisioning<\/strong> modal.<\/li>\n\n\n\n
- Go back to the AWS IAM Identity Center application connector in JumpCloud.\n
- \n
- Click Enable management of User Groups and Group Membership in this application<\/strong> if you want to provision, manage, and sync groups.<\/li>\n\n\n\n
- *SP Base URL<\/strong>: Paste the SCIM Endpoint URL you copied from AWS. <\/li>\n<\/ul>\n<\/li>\n\n\n\n
- Go back to the AWS IAM Identity Center Inbound automatic provisioning modal. Click Show token<\/strong>, then copy the token. Important: When you click Show token, you have to keep the window open until you have copied and entered the token into JumpCloud. After you close the Inbound automatic provisioning modal, it doesn\u2019t show you this information again.<\/li>\n\n\n\n
- Go back to the AWS IAM Identity Center application connector in JumpCloud. *SP SPI Token: Paste the Access token you copied from AWS.<\/li>\n\n\n\n
- Click Activate<\/strong>. <\/li>\n\n\n\n
- You receive a confirmation that the Identity Management integration has been successfully verified and a Public Certificate is created. You can download the certificate from here.<\/li>\n\n\n\n
- Click save<\/strong>.<\/li>\n\n\n\n
- After the application is saved, it appears in the SSO Applications list. You can now connect users to the application in JumpCloud to provision them in AWS IAM Identity Center. Learn how to Authorize Users to an SSO Application<\/a>.<\/li>\n<\/ol>\n\n\n\n
To configure Attribute Based Access Control (ABAC)<\/strong><\/h3>\n\n\n\n
AWS IAM Identity Center supports the use of attributes to control access to your AWS resources across multiple AWS accounts. This authorization strategy is known as attribute-based access control (ABAC). Within the AWS IAM Identity Center console, you can define fine-grained permissions and policies based on attributes sent from JumpCloud. Attributes used for ABAC are called tags in AWS. Using user attributes as tags in AWS helps you simplify the process of creating and managing permissions in AWS and allows you to extend your zero trust security model to your AWS resources. <\/p>\n\n\n\n
Configuring ABAC in AWS IAM Identity Center is done through the Attributes for access controls page in the AWS IAM Identity Center console. There are two ways to configure ABAC. You can use SCIM user attributes or SAML attributes. <\/p>\n\n\n\n
Important: In scenarios where the same attributes are sent to AWS IAM Identity Center through SAML and SCIM, the SAML attributes values take precedence in access control decisions.<\/p>\n\n\n\n
To enable ABAC in AWS IAM Identity Center<\/strong><\/h3>\n\n\n\n
To use attributed based access control (ABAC), you need to enable the Attributes for access control feature in AWS IAM Identity Center console. For more information about how to do this, see Enable and configure attributes for access control<\/a><\/p>\n\n\n\n
- \n
- Log in to the AWS IAM Identity Center console. <\/li>\n\n\n\n
- Click Settings <\/strong>from the left hand navigation panel.<\/li>\n\n\n\n
- On the Settings <\/strong>page, under Identity source<\/strong>, next to Attributes for access control, click Enable<\/strong>.<\/li>\n<\/ol>\n\n\n\n
To configure ABAC Using SCIM User Attributes<\/strong><\/h3>\n\n\n\n
You can select user attributes sent to AWS IAM Identity Center via the JumpCloud SCIM Identity Management integration to be used as attributes to manage access (ABAC) to your AWS resources. Then, you create a permission set in AWS IAM Identity Center to manage access based on the attributes you passed from JumpCloud. For more information about which user attributes are passed from JumpCloud, see Attribute Mappings<\/a>, below. For more information about configuring attributes for access controls, see Enable and configure attributes for access control<\/a>.<\/p>\n\n\n\n
- \n
- Log in to the AWS IAM Identity Center console.<\/li>\n\n\n\n
- Click Settings <\/strong>from the left hand navigation panel.<\/li>\n\n\n\n
- On Settings > Identity source<\/strong>, next to Attributes for access control, click View details<\/strong>.<\/li>\n\n\n\n
- Enter a Key value.\n
- \n
- Note: You can provide any name you want. Key<\/em> represents the name you are giving to the attribute for use in policies and is case sensitive. You need to specify that exact name in the policies you author for access control. The Key must also be named exactly the same in your aws:PrincipalTag condition key (i.e., “ec2:ResourceTag\/CostCenter”: “${aws:PrincipalTag\/CostCenter}”)<\/li>\n<\/ul>\n<\/li>\n\n\n\n
- Select the Value<\/strong>.<\/li>\n\n\n\n
- Click Save changes<\/strong>.<\/li>\n<\/ol>\n\n\n\n
To configure ABAC using SAML Attributes<\/strong><\/h3>\n\n\n\n
You can configure SAML attributes for AWS IAM Identity Center to manage access to your AWS resources. The attributes that you define in JumpCloud will be passed in a SAML assertion to AWS IAM Identity Center. You then create a permission set in AWS IAM Identity Center to manage access based on the attributes you passed from JumpCloud. <\/p>\n\n\n\n
- \n
- Open the JumpCloud AWS Single Sign-On application that you installed as part of configuring SAML for JumpCloud. Go to USER AUTHENTICATION > SSO.<\/li>\n\n\n\n
- Click the AWS Single Sign-On application, and then click the second tab, SSO.<\/li>\n\n\n\n
- At the bottom of this tab you have User Attribute Mapping, click Add new attribute. <\/li>\n\n\n\n
- To use one of the predefined JumpCloud Attribute values:\n
- \n
- In the Service Provide Attribute Name field, enter https:\/\/aws.amazon.com\/SAML\/Attributes\/AccessControl:AttributeName replacing AttributeName with the name of the attribute you are expecting in AWS IAM Identity Center. For example, https:\/\/aws.amazon.com\/SAML\/Attributes\/AccessControl:Region<\/li>\n\n\n\n
- In the JumpCloud Attribute Name field, select user attributes from your JumpCloud directory. For example, addresses.region.<\/li>\n\n\n\n
- Repeat steps 1-2 for each additional attribute you want to map.<\/li>\n\n\n\n
- Click save.<\/li>\n<\/ol>\n<\/li>\n\n\n\n
- To use dynamic attributes from the user or group record:\n
- \n
- In the Service Provide Attribute Name field, enter https:\/\/aws.amazon.com\/SAML\/Attributes\/AccessControl:AttributeName<\/kbd> replacing AttributeName with the name of the attribute you are expecting in AWS IAM Identity Center. For example, https:\/\/aws.amazon.com\/SAML\/Attributes\/AccessControl:CostCenter<\/kbd>. <\/li>\n\n\n\n
- In the JumpCloud Attribute Name field, select Custom User or Group Attribute.<\/li>\n\n\n\n
- Enter a name for the attribute. For example, AWS-ABAC-Project<\/strong>.<\/li>\n\n\n\n
- Repeat steps 1-3 for each additional attribute you want to map.<\/li>\n\n\n\n
- Click save<\/strong>.<\/li>\n\n\n\n
- Open the user or group record for which you to pass the value for the attribute you created.<\/li>\n\n\n\n
- In the Users or Group Details tab, go to the Custom Attributes section and click add new custom attributes.<\/li>\n\n\n\n
- Select string.<\/li>\n\n\n\n
- For Attribute Name, enter the name of one of the custom attributes that\u2019s listed on the AWS IAM Identity Center configuration. For example AWS-ABAC-Project.<\/li>\n\n\n\n
- For Attribute Value, enter the value you want to send for the attribute.<\/li>\n\n\n\n
- Repeat steps 1-5 for each additional attribute you want to map.<\/li>\n\n\n\n
- Click save<\/strong>.<\/li>\n<\/ol>\n<\/li>\n<\/ol>\n\n\n\n
To use ABAC in Permission Policies<\/strong><\/h3>\n\n\n\n
Once you have configured attributes for use with ABAC, you can create permission policies that use those attributes for controlling access to AWS resources, services, and actions.<\/p>\n\n\n\n
To apply a permission policy from the AWS IAM Identity Center console:<\/p>\n\n\n\n
- \n
- Log in to the AWS IAM Identity Center console.<\/li>\n\n\n\n
- Navigate to AWS Accounts > Permission Sets.<\/li>\n\n\n\n
- Select the permission to which you want to add a permission set.<\/li>\n\n\n\n
- Click Edit Permissions in the Permissions Policy.<\/li>\n\n\n\n
- Enter the json for the permission policy you want to add or update.<\/li>\n<\/ol>\n\n\n\n
For example, denying certain actions by Project or Region:<\/p>\n\n\n\n
\n{
“Version”: “2012-10-17”,
“Statement”: [
{
“Effect”: “Deny”,
“Action”: [
“iam:*”,
“organizations:DescribeAccount”,
“organizations:DescribeOrganization”,
“organizations:DescribeOrganizationalUnit”,
“organizations:DescribePolicy”,
“organizations:ListChildren”,
“organizations:ListParents”,
“organizations:ListPoliciesForTarget”,
“organizations:ListRoots”,
“organizations:ListPolicies”,
“organizations:ListTargetsForPolicy”
],
“Resource”: “*”,
“Condition”: {
“StringEquals”: {
“aws:PrincipalTag\/Project”: “Automation”
}
}
}
]
}
OR
{
“Sid”: “DenyAccessByRegion”,
“Effect”: “Deny”,
“NotAction”: [
“cloudfront:*”,
“iam:*”
],
“Resource”: “*”,
“Condition”: {
“StringNotEquals”: {
“aws:RequestedRegion”: “${aws:PrincipalTag\/Region}”
}
}
}<\/p>\n<\/div><\/div>\n\n\n\n- \n
- Click Save Policy<\/strong>.<\/li>\n\n\n\n
- *Optionally, select the accounts to which the permission has been applied, so the new or updated policy can be applied and click Reprovision<\/strong>. Otherwise, click Skip for now<\/strong>.<\/li>\n\n\n\n
- If you don\u2019t already have tags defined for your permission, click Add tags<\/strong> in the Tags section. Otherwise, click Edit Tags to add a new tag.<\/li>\n\n\n\n
- Add all the attributes you will be using in your Permissions Policy.\n
- \n
- For example, Project and Region.<\/li>\n\n\n\n
- *Optionally, enter a value for the Key.\n
- \n
- Note: Key is case sensitive and must exactly match the attribute you defined in Attributes for access control interface in the AWS IAM Identity Center console and in the SAML attributes you pass from JumpCloud.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n\n\n\n
- Click Save changes<\/strong>.<\/li>\n<\/ol>\n\n\n\n
To update the AWS Token<\/strong><\/h3>\n\n\n\n
AWS Tokens are generated with a validity of one year. When your token is set to expire in 90 days or less, AWS sends you reminders in the IAM Identity Center console and over the AWS Health Dashboard. JumpCloud will not send you any notifications. Your SCIM access token should be rotated before it expires to continually secure automatic provisioning of user and group information.<\/p>\n\n\n\n
<\/p><\/div>Important:<\/strong> \nEnsure you have deactivated the Identity Management integration<\/a> in JumpCloud before starting this section.<\/p>\n <\/div><\/div><\/div><\/div>\n\n\n\n
- \n
- Log in to the IAM AWS administrator console<\/a> and click Go to<\/strong> Settings<\/strong>.<\/li>\n\n\n\n
- Go to Identity Source > Actions<\/strong> dropdown > Manage provisioning<\/strong>.<\/li>\n\n\n\n
- In the Access Token <\/strong>section, click Generate Token<\/strong>.<\/li>\n\n\n\n
- Click Show token<\/strong> and copy the token.<\/li>\n<\/ol>\n\n\n\n<\/p><\/div>Warning:<\/strong> \n
The Client ID and Secret (token) may only be shown once. Copy them to a secure location, like the JumpCloud Password Manager<\/a>, for future reference.<\/p>\n <\/div><\/div><\/div><\/div>\n\n\n\n
- \n
- If it is not already open, log in to the JumpCloud Admin Portal<\/a>.<\/li>\n\n\n\n
- Go to USER AUTHENTICATION > SSO Applications<\/strong>.<\/li>\n\n\n\n
- Search for and select AWS IAM Identity Center<\/strong> from the Configured Application<\/strong>s list.<\/li>\n\n\n\n
- Select the Identity Management<\/strong> tab.<\/li>\n\n\n\n
- In the Token Key<\/strong> field, paste the token generated above and click Activate<\/strong>.<\/li>\n\n\n\n
- Click Save<\/strong>.<\/li>\n<\/ol>\n\n\n\n
Attribute Mappings<\/strong><\/h2>\n\n\n\n
The following table lists attributes that JumpCloud sends to the application. See Attribute Considerations<\/a> for more information regarding attribute mapping considerations. <\/p>\n\n\n\n
Learn about JumpCloud Properties and how they work with system users in our API<\/a>. <\/p>\n\n\n\n
\nAWS IAM Identity Center User Attributes<\/h3>\n
\n \n\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n JumpCloud Property <\/th>\n \n JumpCloud UI <\/th>\n \n SCIM v2 Mapping <\/th>\n \n AWS IAM Identity Center Value <\/th>\n \n Notes <\/th>\n <\/tr>\n \n username <\/td>\n \n Username <\/td>\n \n userName <\/td>\n \n userName <\/td>\n \n <\/td>\n <\/tr>\n \n email <\/td>\n \n Company Email <\/td>\n \n emails.value <\/td>\n \n emails.value <\/td>\n \n <\/td>\n <\/tr>\n \n displayname <\/td>\n \n Display Name <\/td>\n \n displayName <\/td>\n \n displayName <\/td>\n \n <\/td>\n <\/tr>\n \n firstname <\/td>\n \n First Name <\/td>\n \n name.givenName <\/td>\n \n name.givenName <\/td>\n \n <\/td>\n <\/tr>\n \n lastname <\/td>\n \n Last Name <\/td>\n \n name.familyName <\/td>\n \n name,familyName <\/td>\n \n <\/td>\n <\/tr>\n \n user.state <\/td>\n \n User State <\/td>\n \n active <\/td>\n \n active <\/td>\n \n If User State is \"Active\", \"active\":true. \nIf User State is \"Suspended\", \"active\":false <\/td>\n <\/tr>\n \n job Title <\/td>\n \n Job Title <\/td>\n \n jobTitle <\/td>\n \n title <\/td>\n \n <\/td>\n <\/tr>\n \n - <\/td>\n \n - <\/td>\n \n locale <\/td>\n \n locale <\/td>\n \n Set to a constant value \"en-US\". <\/td>\n <\/tr>\n \n addresses.streetAddress <\/td>\n \n Work Street Address <\/td>\n \n addresses.streetAddress <\/td>\n \n addresses.streetAddress <\/td>\n \n <\/td>\n <\/tr>\n \n addresses.locality <\/td>\n \n Work City <\/td>\n \n addresses.locality <\/td>\n \n addresses.locality <\/td>\n \n <\/td>\n <\/tr>\n \n addresses.region <\/td>\n \n Work State <\/td>\n \n addresses.region <\/td>\n \n addresses.region <\/td>\n \n <\/td>\n <\/tr>\n \n addresses.postalCode <\/td>\n \n Work Postal Code <\/td>\n \n addresses.postalCode <\/td>\n \n addresses.postalCode <\/td>\n \n <\/td>\n <\/tr>\n \n addresses.country <\/td>\n \n Work Country <\/td>\n \n addresses.country <\/td>\n \n addresses.country <\/td>\n \n <\/td>\n <\/tr>\n \n phoneNumbers.value <\/td>\n \n Work Phone <\/td>\n \n phoneNumbers.value <\/td>\n \n phoneNumbers.value <\/td>\n \n <\/td>\n <\/tr>\n \n employeeIdentifier <\/td>\n \n Employee ID <\/td>\n \n employeeNumber <\/td>\n \n employeeNumber <\/td>\n \n <\/td>\n <\/tr>\n \n company <\/td>\n \n Company <\/td>\n \n organization <\/td>\n \n organization <\/td>\n \n <\/td>\n <\/tr>\n \n department <\/td>\n \n Department <\/td>\n \n department <\/td>\n \n department <\/td>\n \n <\/td>\n <\/tr>\n <\/table>\n<\/div><\/div>\n\n\n\n \nGroup Attributes<\/h3>\n
\n \n\n \n \n\n JumpCloud Property <\/th>\n \n JumpCloud UI Field Name <\/th>\n \n SCIM v2 Mapping <\/th>\n \n Application Value <\/th>\n <\/tr>\n \n name <\/td>\n \n Name <\/td>\n \n displayName <\/td>\n \n Name <\/td>\n <\/tr>\n <\/table>\n<\/div><\/div>\n\n\n\n Group Management Considerations<\/strong><\/h4>\n\n\n\n
Enabling Group Management<\/strong><\/h5>\n\n\n\n
You must select the Enable management of User Groups and Group Membership in this application<\/strong> option to manage groups and group membership in the application from JumpCloud.<\/p>\n\n\n\n
Group Provisioning and Syncing <\/strong><\/h5>\n\n\n\n
- \n
- Empty groups are not created<\/li>\n\n\n\n
- JumpCloud takes over management of existing groups in the application when the user group name in JumpCloud matches the name of the group in the application<\/li>\n\n\n\n
- All user groups associated with the application in JumpCloud are synced. Syncing occurs whenever there is a membership or group change event<\/li>\n\n\n\n
- Group renaming is supported<\/li>\n\n\n\n
- If a user group is disassociated from the application in JumpCloud, syncing immediately stops and the group is left as-is in the application. All members of that user group are deactivated in the application unless they are associated with another active application group that is managed from JumpCloud<\/li>\n<\/ul>\n\n\n\n
Group Deletion<\/strong><\/h5>\n\n\n\n
- \n
- Managed groups deleted in JumpCloud are deleted in the application<\/li>\n\n\n\n
- All members of the deleted group are deactivated in the application, unless they are associated with another active application group that is managed from JumpCloud<\/li>\n<\/ul>\n\n\n\n
Disabling Group Management<\/strong><\/h5>\n\n\n\n
- \n
- You can disable group and group membership management by unchecking the\u00a0Enable management of User Groups and Group Membership in this application<\/strong>\u00a0option<\/li>\n\n\n\n
- The managed groups and group membership are left as-is in the application<\/li>\n\n\n\n
- JumpCloud stops sending group membership information for the user, but the user\u2019s identity will continue to be managed from JumpCloud<\/li>\n<\/ul>\n\n\n\n
Removing the Integration<\/strong><\/h2>\n\n\n\n
<\/p><\/div>Important:<\/strong> \nThese are steps for removing the integration in JumpCloud. Consult your SP’s documentation for any additional steps needed to remove the integration in the SP. Failure to remove the integration successfully for both the SP and JumpCloud may result in users losing access to the application.<\/p>\n <\/div><\/div><\/div><\/div>\n\n\n\n
To deactivate the IdM Integration<\/strong><\/h3>\n\n\n\n
- \n
- Log in to the JumpCloud Admin Portal<\/a>.<\/li>\n\n\n\n
- Go to USER AUTHENTICATION > SSO<\/strong> Applications<\/strong>.<\/li>\n\n\n\n
- Search for the application that you\u2019d like to deactivate and click to open its details panel. <\/li>\n\n\n\n
- Under the company name and logo on the left hand panel, click the Deactivate IdM connection<\/strong> link.<\/li>\n\n\n\n
- Click confirm<\/strong>. <\/li>\n\n\n\n
- If successful, you will receive a confirmation message. <\/li>\n<\/ol>\n\n\n\n
To deactivate the SSO Integration<\/strong> or Bookmark<\/strong><\/h3>\n\n\n\n
- \n
- Log in to the JumpCloud Admin Portal<\/a>.<\/li>\n\n\n\n
- Go to USER AUTHENTICATION > SSO<\/strong> Applications<\/strong>.<\/li>\n\n\n\n
- Search for the application that you\u2019d like to deactivate and click to open its details panel. <\/li>\n\n\n\n
- Select the\u00a0SSO or Bookmark\u00a0<\/strong>tab.<\/li>\n\n\n\n
- Scroll to the bottom of the configuration.<\/li>\n\n\n\n
- Click Deactivate SSO<\/strong> or Deactivate Bookmark<\/strong>. <\/li>\n\n\n\n
- Click save<\/strong>. <\/li>\n\n\n\n
- If successful, you will receive a confirmation message.<\/li>\n<\/ol>\n\n\n\n
To delete<\/strong><\/strong> the application<\/strong><\/h3>\n\n\n\n
- Go\u00a0to the SP application login – generally, there is either a special link or an adaptive username field that detects the user is authenticated through SSO<\/li>\n<\/ul>\n\n\n\n
- Click save<\/strong>. <\/li>\n<\/ol>\n\n\n\n
- Optionally, if you want to force SP Initiated Authentication, in the Login URL<\/strong> field, replace the value with your Login URL. <\/li>\n<\/ol>\n\n\n\n
- Optionally, expand Advanced Settings<\/strong> to specify a value for the SSO IdP URL<\/strong>. If no value is entered, it will default to https:\/\/sso.jumpcloud.com\/saml2\/<applicationname><\/kbd>.<\/li>\n<\/ol>\n\n\n\n