JumpCloud (SAML)
JumpCloud provides SSO identity management. Cloudflare Access integrates with JumpCloud as a SAML identity provider.
The following steps are specific to setting up JumpCloud with Cloudflare Access. For more information on configuring a JumpCloud SSO application, refer to the JumpCloud documentation.
- In the JumpCloud Admin Portal, go to SSO Applications.
- Select Add New Application.
- In the search bar, enter `Cloudflare` and select the Cloudflare Access application.
- Select Next.
- In Display Label, enter an application name.
- Select Save Application.
- Review the application summary and select Configure Application.
- In the SSO tab, configure the following settings:
  - In IdP Entity ID, enter your Cloudflare team domain:
    You can find your team name in Zero Trust under Settings > Custom Pages.
  - Set both SP Entity ID and ACS URL to the following callback URL:
  - (Optional) Configure SAML attributes that you want to send to Cloudflare Access.
  - Scroll up to JumpCloud Metadata and select Export Metadata. Save this XML file for use in a later step.
- In the User Groups tab, assign user groups to this application.
- Select Save.
- In Zero Trust, go to Settings > Authentication.
- Under Login methods, select Add new.
- Select SAML.
- Upload your JumpCloud XML metadata file.
- (Optional) To enable SCIM, refer to Synchronize users and groups.
- (Optional) Under Optional configurations, configure additional SAML options.
- Select Save.
You can now test your connection and create Access policies based on the configured login method and SAML attributes.
The JumpCloud integration allows you to synchronize user groups and automatically deprovision users using SCIM.
- In Zero Trust, go to Settings > Authentication.
- Find the JumpCloud integration and select Edit.
- Turn on Enable SCIM.
- (Optional) Configure the following settings:
  - Enable user deprovisioning: Revoke a user's active session when they are removed from the SCIM application in JumpCloud. This will invalidate all active Access sessions and prompt for reauthentication for any WARP session policies.
  - Remove user seat on deprovision: Remove a user's seat from your Zero Trust account when they are removed from the SCIM application in JumpCloud.
  - SCIM identity update behavior: Choose what happens in Zero Trust when the user's identity updates in JumpCloud.
    - Automatic identity updates: Automatically update the User Registry identity when JumpCloud sends an updated identity or group membership through SCIM. This identity is used for Gateway policies and WARP device profiles; Access will read the user's updated identity when they reauthenticate.
    - Group membership change reauthentication: Revoke a user's active session when their group membership changes in JumpCloud. This will invalidate all active Access sessions and prompt for reauthentication for any WARP session policies. Access will read the user's updated group membership when they reauthenticate.
    - No action: Update the user's identity the next time they reauthenticate to Access or WARP.
- Select Save.
- Copy the SCIM Endpoint and SCIM Secret. You will need to enter these values into JumpCloud.
  The SCIM secret never expires, but you can manually regenerate the secret at any time.

- In the JumpCloud Admin Portal, go to SSO Applications.
- Select the Cloudflare application that was created when you Set up JumpCloud as a SAML provider.
- Select the SSO tab.
- To provision user groups, select Include group attribute and enter `groups`. The group attribute name has to exactly match `groups` or else it will be sent as a SAML attribute.
- Select the Identity Management tab.
- Make sure that Enable management of User Groups and Group Membership in this application is turned on.
- Select Configure.
- In the Base URL field, enter the SCIM Endpoint obtained from Zero Trust.
- In the Token Key field, enter the SCIM Secret obtained from Zero Trust.
- Select Activate. You will receive a confirmation that the Identity Management integration has been successfully verified.
- Select Save.
To check if a user's identity was updated in Zero Trust, view their User Registry identity.
Provisioning attributes define the user and group properties that JumpCloud will synchronize with Cloudflare Access. By default, JumpCloud will send the following attributes during a SCIM update event:

| JumpCloud user attribute | Cloudflare Access attribute |
|---|---|
| email | email |
| firstname | givenName |
| lastname | surname |

| JumpCloud group attribute | Cloudflare Access attribute |
|---|---|
| name | groups |