Skip to main content

Configure SCIM Integration to Sync JumpCloud Users and Groups into VaultOne

Updated over 2 weeks ago

Overview

This guide explains how to configure a SCIM 2.0 integration that synchronizes selected users and groups from JumpCloud into VaultOne. JumpCloud acts as the source of truth, and VaultOne receives user and group data for the specific groups and/or users you choose to sync.

Use this integration to:

  • Centrally manage identities in JumpCloud and automatically reflect changes in VaultOne.

  • Control access by syncing only specific groups or users (selective provisioning).

  • Improve security and compliance through automated lifecycle management (provision, update, deprovision).

Before You Begin

  • Access to the JumpCloud Admin Portal with permissions to configure provisioning.

  • A VaultOne account with Administrator permissions.

  • Your VaultOne SCIM Base URL: https://YOUR-TENANT-NAME.api.vault.jumpcloud.com/v2

  • A defined list of JumpCloud users and/or groups you want to sync into VaultOne.

Important: JumpCloud is the system that pushes user and group information to VaultOne. If you are waiting for a sync event, such as users being assigned to their respective groups, it’s important to confirm with JumpCloud at what interval these updates are sent to the SCIM integration.

Step 1 — Create a custom SAML application in JumpCloud

  1. Sign in to the JumpCloud Admin Portal.

  2. Go to Applications > SSO Applications.

  3. Click + Add New Application.

  4. Choose Custom Application and click Next.

  5. On Select Options:

    • Check Manage Single Sign-On (SSO).

    • Select Configure SSO with SAML.

Note: SSO is optional for pure SCIM provisioning, but starting with a Custom Application here sets up the container we’ll use to enable SCIM export in Step 2.

Step 2 — Customize the application

  1. On Enter general info, set:

    • Display Label: VaultOne SCIM (or PAM VaultOne SCIM).

    • Description (Optional): (e.g., “SCIM provisioning from JumpCloud to VaultOne”).

    • User Portal Image (Optional): upload the VaultOne logo if desired.

  2. Under Show in User Portal, clear the checkbox Show this application in User Portal.

    • Why: This app is used for provisioning and should not appear to end users.

  3. Keep Advanced Settings at their defaults and click Next.

4. Click on Configure Application.

Step 3 — Generate a VaultOne Integration Token for SCIM

  1. Sign in to VaultOne with an Administrator account.

  2. Go to Administration > Integration Tokens.

  3. Click Create Integration Token.

  4. Name the token (e.g., “JumpCloud SCIM Integration”).

  5. Expiration date: leave unset (not required).

  6. Click Save.

Copy the token that is displayed. It will only be shown once. Store it securely, this token will authenticate JumpCloud to VaultOne’s SCIM API.

Keep handy:

Step 4 — Configure SCIM in JumpCloud (Identity Management)

  1. Open the custom application you created and go to the Identity Management tab.

  2. In Configuration Settings, set:

    • API Type: SCIM API

    • SCIM Version: SCIM 2.0

    • Base URL: https://YOUR-TENANT-NAME.api.vault.jumpcloud.com/v2

      • Replace YOUR-TENANT-NAME with your actual tenant name (see the example in the screenshot).

    • Token Key: paste the Integration Token you generated in VaultOne (Administration > Integration Tokens).

    • Test User Email: enter a new, unused email address (for example, [email protected]). JumpCloud will try to create this user in VaultOne to validate the connection.

  3. Click Test Connection.

Expected: The test succeeds and the Activate button becomes available. If the test fails, recheck the Base URL, token value, and tenant name.

Step 5 — Enable group management and map required attributes

  1. In Identity Management, under Group Management, check:

    • Enable management of User Groups and Group Membership in this application.

  2. In Attribute Mapping, include the following:

    • Keep the default: Password → Password

    • Add/include these four mappings:

      • Name.GivenName → First Name

      • Name.FamilyName → Last Name

      • UserName → Username

      • Emails.Value → Company Email

    Make sure each mapping is set to “include” (not “exclude”).

  3. Click Activate.

Expected confirmation:

  • Identity Management integration has been successfully verified.

Step 6 — Select user groups to provision to VaultOne

  1. In the same custom application, open the User Groups tab.

  2. Select the JumpCloud groups you want to sync to VaultOne.

    • Tip: Use search and pagination to find groups.

    • Optional: Check “Show bound User Groups” to review what’s already selected.

  3. Click Save.

What happens next?

  • JumpCloud creates the selected groups in VaultOne (if they don’t exist) and provisions all members of those groups via SCIM.

  • Ongoing changes in JumpCloud (add/remove users from those groups, profile updates) are automatically reflected in VaultOne.

  • To stop syncing a group, unselect it and Save; affected users may be deprovisioned in VaultOne per your deprovisioning settings.


You’re all set.

Related Articles
Adding SSO authentication via Microsoft Active Directory (AD or Entra)
Setting Up JumpCloud SSO for VaultOne PAM
Did this answer your question?