JumpCloud SCIM Integration

swimlane turbine supports scim 2 0 integration with jumpcloud this integration enables administrators to automatically provision and de provision users via groups from jumpcloud to swimlane turbine using the scim standard scim helps customers manage onboarding and offboarding of users centrally in jumpcloud without logging in to swimlane turbine for manual user management users are managed in swimlane turbine through their membership in scim provisioned user groups groups are synced automatically through scim however, roles are not provisioned through scim and must be assigned manually to each group in swimlane turbine after roles are assigned, the group can be reused for ongoing provisioning how to configure jumpcloud scim to create and configure a scim application in jumpcloud for swimlane turbine sign in to the jumpcloud administrator console in the left navigation menu, hover over access , and click sso applications or, in the left navigation menu, under user authentication , click sso applications , if you are on an old user interface click + add new application select custom application , and then click next select the required application features select export users to this app click next enter the general application details, including display label description any additional required fields click save application click configure application configure the scim connection with the following values scim configuration true 200,461 unhandled content type unhandled content type unhandled content type unhandled content type unhandled content type unhandled content type click test connection upon connection successful prompt, click activate the created application is activated click save once the connection is successful, jumpcloud begins managing user groups and users in swimlane turbine through scim for detailed, step by step instructions on creating, configuring and managing a scim application in jumpcloud, see the https //jumpcloud com/support/provision and manage users and groups in apps using custom scim identity management integration#configuring a custom scim identity management connector field mapping jumpcloud sends user attributes via scim that must be mapped to swimlane’s user model swimlane requires the following mandatory fields email first name last name display name if any required attributes are missing, swimlane populates them automatically where possible jumpcloud scim attribute mapping true 242,247 unhandled content type unhandled content type unhandled content type unhandled content type unhandled content type unhandled content type unhandled content type unhandled content type 1 1 unhandled content type 1 1 unhandled content type 1 1 unhandled content type 1 1 unhandled content type 1 1 unhandled content type 1 1 unhandled content type no manual attribute mapping is required in jumpcloud swimlane uses the incoming email value as the unique user identifier if both username and emails are present, the email attribute is used for user creation and synchronization use cases user provisioning jumpcloud provisions users to swimlane only through scim provisioned user groups individual users cannot be provisioned directly both the user and the group must be in an active state in jumpcloud for the user to sync in the jumpcloud console, navigate to user groups assign users to user groups select one or more user groups that you want to provision to swimlane click save groups along with the users are now synced to swimlane turbine outcome in swimlane the selected groups are synced to swimlane turbine all users associated with those groups are configured in swimlane if a group already exists in swimlane new users are associated with the group new users are created if a group does not exist in swimlane the group is created automatically users are associated with the group group deselection if you deselect a user group in jumpcloud and save the group remains visible in swimlane users are removed from that group in swimlane if the deselected group is the user’s only scim provisioned group , the user is removed from swimlane turbine re adding the user to the same group re creates the user, but the group association is not automatically restored in swimlane group provisioning group synchronization outcome when a user group is created and assigned to the scim application in jumpcloud, the group is synced to swimlane turbine if the group does not already exist in swimlane, it is created automatically if the group already exists, swimlane updates the group membership without overwriting existing roles or permissions important role assignment is not managed through scim after a group is synced, roles must be assigned manually to the group within swimlane turbine user deprovisioning removing a user from a group removing a user from a group in jumpcloud affects the user’s group association in swimlane turbine when a user is removed from a scim provisioned group the user–group association is removed in swimlane the user remains active if they are still associated with another scim provisioned group if the removed group is the user’s only scim provisioned group the user is removed from swimlane turbine re adding the user re adding the user to the same group re creates the user in swimlane the group association is not automatically restored and may require a group re sync group deprovisioning deleting a user group deleting a user group in jumpcloud removes the group from swimlane turbine the group is deleted in swimlane all user–group associations are removed users are deleted in swimlane if they are part of the group? users are not deleted and remain in swimlane if they belong to other scim provisioned groups update groups re provisioning groups if a group is deleted in swimlane and later re provisioned from jumpcloud the group is recreated in swimlane turbine user associations are restored successfully disabling group management when enable management of user groups and group membership is disabled jumpcloud stops sending group and membership updates existing groups and memberships remain unchanged in swimlane user identities continue to be managed through scim group unmapping behavior if a group is unmapped from the scim application the group remains in swimlane users who belonged only to that group are removed from swimlane users who are members of other scim provisioned groups remain in swimlane further changes to the group in jumpcloud do not affect swimlane notes scim does not manage high privilege roles such as superadmin or account admin these roles must be assigned manually within swimlane role creation and modification are not supported through scim scim synchronization is one way jumpcloud → swimlane turbine users are managed based on scim provisioned groups only