JumpCloud (SAML)

JumpCloud ↗ provides SSO identity management. Cloudflare Access integrates with JumpCloud as a SAML identity provider.

The following steps are specific to setting up JumpCloud with Cloudflare Access. For more information on configuring JumpCloud SSO application, refer to the JumpCloud documentation ↗.

Set up Jumpcloud as a SAML provider

1. Create an SSO application in JumpCloud

1. In the JumpCloud Admin Portal ↗, go to SSO Applications.

2. Select Add New Application.

3. In the search bar, enter Cloudflare and select the Cloudflare Access application.

4. Select Next.

5. In Display Label, enter an application name.

6. Select Save Application.

7. Review the application summary and select Configure Application.

8. In the SSO tab, configure the following settings:

   1. In IdP Entity ID, enter your Cloudflare team domain:

      https://<your-team-name>.cloudflareaccess.com/

      You can find your team name in Zero Trust under Settings > Custom Pages.

   2. Set both SP Entity ID and ACS URL to the following callback URL:

      https://<your-team-name>.cloudflareaccess.com/cdn-cgi/access/callback

   3. (Optional) Configure SAML attributes that you want to send to Cloudflare Access.

   4. Scroll up to JumpCloud Metadata and select Export Metadata. Save this XML file for use in a later step.

9. In the User Groups tab, assign user groups ↗ to this application.

10. Select Save.

2. Add JumpCloud to Zero Trust

1. In Zero Trust ↗, go to Settings > Authentication.

2. Under Login methods, select Add new.

3. Select SAML.

4. Upload your JumpCloud XML metadata file.

5. (Optional) To enable SCIM, refer to Synchronize users and groups.

6. (Optional) Under Optional configurations, configure additional SAML options.

7. Select Save.

You can now test your connection and create Access policies based on the configured login method and SAML attributes.

Synchronize users and groups

The JumpCloud integration allows you to synchronize user groups and automatically deprovision users using SCIM.

1. Enable SCIM in Zero Trust

1. In Zero Trust ↗, go to Settings > Authentication.

2. Find the JumpCloud integration and select Edit.

3. Turn on Enable SCIM.

4. (Optional) Configure the following settings:

• Enable user deprovisioning: Revoke a user's active session when they are removed from the SCIM application in JumpCloud. This will invalidate all active Access sessions and prompt for reauthentication for any WARP session policies.
• Remove user seat on deprovision: Remove a user's seat from your Zero Trust account when they are removed from the SCIM application in JumpCloud.
• SCIM identity update behavior: Choose what happens in Zero Trust when the user's identity updates in JumpCloud.
  • Automatic identity updates: Automatically update the User Registry identity when JumpCloud sends an updated identity or group membership through SCIM. This identity is used for Gateway policies and WARP device profiles; Access will read the user's updated identity when they reauthenticate.
  • Group membership change reauthentication: Revoke a user's active session when their group membership changes in JumpCloud. This will invalidate all active Access sessions and prompt for reauthentication for any WARP session policies. Access will read the user's updated group membership when they reauthenticate.
  • No action: Update the user's identity the next time they reauthenticate to Access or WARP.

5. Select Save.

6. Copy the SCIM Endpoint and SCIM Secret. You will need to enter these values into JumpCloud.

The SCIM secret never expires, but you can manually regenerate the secret at any time.

2. Configure SCIM in JumpCloud

1. In the JumpCloud Admin Portal ↗, go to SSO Applications.
2. Select the Cloudflare application that was created when you Set up JumpCloud as a SAML provider.
3. Select the Identity Management tab.
4. Make sure that Enable management of User Groups and Group Membership in this application is turned on.
5. Select Configure.
6. In the Base URL field, enter the SCIM Endpoint obtained from Zero Trust.
7. In the Token Key field, enter the SCIM Secret obtained from Zero Trust.
8. Select Activate. You will receive a confirmation that the Identity Management integration has been successfully verified.
9. Select Save.

To check if a user's identity was updated in Zero Trust, view their User Registry identity.

Note

New users must first register the WARP client or authenticate to an Access application before SCIM provisioning can begin.

Provisioning attributes

Provisioning attributes define the user and group properties that JumpCloud will synchronize with Cloudflare Access. By default, JumpCloud will send the following attributes during a SCIM update event:

JumpCloud user attribute	Cloudflare Access attribute
email	email
firstname	givenName
lastname	surname

JumpCloud group attribute	Cloudflare Access attribute
name	groups

Example API configuration

{
  "config": {
    "issuer_url": "jumpcloud",
    "sso_target_url": "https://sso.myexample.jumpcloud.com/saml2/cloudflareaccess",
    "attributes": ["email", "name", "username"],
    "email_attribute_name": "",
    "sign_request": false,
    "idp_public_cert": "MIIDpDCCAoygAwIBAgIGAV2ka+55MA0GCSqGSIb3DQEBCwUAMIGSMQswCQYDVQQGEwJVUzETMBEG\nA1UEC.....GF/Q2/MHadws97cZg\nuTnQyuOqPuHbnN83d/2l1NSYKCbHt24o"
  },
  "type": "saml",
  "name": "jumpcloud saml example"
}

Was this helpful?

What did you like?

Accurate

Easy to understand

Solved my problem

Helped me decide to use the product

Other

What went wrong?

Hard to understand

Incorrect information

Missing the information

Other

Thank you for helping improve Cloudflare's documentation!