Integrate BambooHR with your JumpCloud account to manage and onboard new employees by automatically importing and updating users and their attributes in JumpCloud. This limits manual overhead for HR and IT organizations and reduces input error. In combination with the Single Sign On (SSO) with BambooHR SAML connector, JumpCloud provides access to all employee resources through a single set of credentials.
Prerequisites
- A JumpCloud administrator account
- JumpCloud SSO Package or higher or SSO à la carte option
- A Full Admin account and BambooHR “advantage” package at minimum
- Your BambooHR tenant
- Review BambooHR's JumpCloud Integration article
Important Considerations
- Email BambooHR Support to enable the JumpCloud integration on your account
- Configuring JumpCloud SSO for BambooHR is recommended, but not required
- JumpCloud won’t manage or consume the BambooHR password. Setting up SSO with the BambooHR User Portal will let your Users access the Bamboo portal using their JumpCloud credentials
- JumpCloud managed users must have an email address that corresponds to an email address associated with a BambooHR account
 
- BambooHR will be the identity source once the SCIM integration is configured and serves as the “master” for user attributes. Once that identity is in JumpCloud, admins can manage access, authentication, and extend that identity to all JumpCloud managed resources
- The SCIM integration is managed by BambooHR. Please contact BambooHR Support for support
- The SCIM integration only sends employee records - user records are not sent
- The SCIM integration is one-way - the employee identities are sent from BambooHR to JumpCloud
- Bamboo sends both active and inactive employee records. JumpCloud has logic implemented that will prevent inactive users being created in JumpCloud
- We strongly recommend setting Staged as the user default for Manual / Single User API in Settings > User Management > Default User State for User Creation in JumpCloud. Read Manage User States to learn more
  - You can easily identify new users created by the integration
  - You can assign resources without granting access before the user's start date
  - You can control whether or not an email is sent to the user when they are activated
  - You can activate the user by changing their user state
 
- When a user is created in BambooHR as an employee, they will automatically be created in JumpCloud on the next scheduled sync based on the settings for the JumpCloud app in BambooHR
  - If a specific minute is selected from the minute dropdown, that will result in data being sent at that minute past the hour every hour. It does not result in a sync occurring in that minute time interval. For example, selecting 5 for the minute will result in the data being sent to JumpCloud at 5 minutes past the hour every hour
  - If you want to sync data more frequently than hourly, select the Every Day, Every Month, Every Hour, Every Minute options
 
- A user created by this integration will:
  - Be created in the user state specified for Default User State for User Creation for Manual / Single User API
  - Have a pending password status
  - Need to establish and maintain their password within JumpCloud
 
- Users created in the Active user state won’t automatically be sent an activation email upon creation
- Updates to the user attributes specified in the settings for the JumpCloud app in BambooHR will be synced to JumpCloud as long as the integration is active
- Group import isn’t supported
- An employee record in BambooHR must have a company email address for the information to be sent to JumpCloud
- When you delete a BambooHR managed user in JumpCloud and that user still exists and has a work email address in BambooHR, the user will be recreated in JumpCloud
- When you suspend a user in JumpCloud and the user is still active in BambooHR, the user state for that user will be updated and set back to Active in JumpCloud
- When you add a user in JumpCloud, the user won’t be created in BambooHR
- When you do a manual sync from BambooHR to JumpCloud, a full sync is done, meaning all employee records, both active and inactive users are sent
- When you make any changes to the settings for the JumpCloud application in BambooHR, a full sync is done, meaning all employee records, both active and inactive users are sent
- There are other triggers that result in a full sync. Please contact BambooHR Support for more information
Attribute Considerations
- Any attributes that have been selected within BambooHR for export to JumpCloud will overwrite values existing in JumpCloud with each update that is triggered in BambooHR
- It's recommended to Enable read-only on the user’s portal profile page for all users in the Organization Settings to prevent users and administrators from updating attributes in JumpCloud
 
Creating a new JumpCloud Application Integration
- Log in to the JumpCloud Admin Portal.
- Go to USER AUTHENTICATION > SSO Applications.
- Click + Add New Application.
- Type the name of the application in the Search field and select it.
- Click Next.
- Optionally, customize the display label, description and how the application displays:
- Description - add a description that users will see in their user portal
- User Portal Image - choose Logo or Color Indicator
- Show in User Portal - enable this option for this to be visible in the user portal
 
- Optionally, customize the IdP URL:
- Expand Advanced Settings and enter the name you want to use for the end of the SSO IdP URL, https://sso.jumpcloud.com/saml2/{custom_value}
 
The SSO IdP URL is not editable after the application is created. You will have to delete and recreate the connector if you need to edit this field at a later time.
- Click Save Application.
- If successful, click:
- Configure Application and go to the next section
- Close to configure your new application at a later time
 
Configuring the SSO Integration
Note: SSO is either on or off. There is not an option to allow users to either login with SSO or login with their BambooHR credentials.
To configure JumpCloud
- Create a new application or select it from the Configured Applications list.
- Select the SSO tab.
- In the ACS URL field, replace <YOURDOMAIN> with your account's registered BambooHR domain name.
- Add or change any additional attributes.
- Select save.
Download the certificate
- Find your application in the Configured Applications list and click anywhere in the row to reopen its configuration window.
- Click Actions > Download Certificate.
The certificate.pem will download to your local Downloads folder.
To configure BambooHR
- Log in to BambooHR as an administrator (This user's email should also be managed by JumpCloud).
- Select the Apps icon in the upper right.
- Scroll down to the Single Sign-On section, and select the SAML 2.0 icon.
- Select the Install button next to the SAML 2.0 icon.
- Enter the following information:
- SSO Login URL - enter the JumpCloud IDP URL.
- x.509 Certificate - copy and paste the contents of the certificate downloaded in the previous section.
 
- Optionally, select Allow optional email & password login.
The "Allow optional email & password login" setting lets employees log in through [OneLogin/Microsoft/SAML/etc] or type in their email and password. Please note that while this is an option, it's recommended to leave this unchecked, as installing a single sign-on option will disable the 2-Step Login in BambooHR.
- Select Install.
Authorizing User SSO Access
Users are implicitly denied access to applications. After you connect an application to JumpCloud, you need to authorize user access to that application. You can authorize user access from the Applications, Users List or User Groups page.
To authorize user access from the Application’s page
- Log in to the JumpCloud Admin Portal.
- Go to USER AUTHENTICATION > SSO Applications, then select the application to which you want to authorize user access.
- Select the User Groups tab. If you need to create a new group of users, see Get Started: User Groups.
- Select the check box next to the desired group of users to which you want to give access.
- Click Save.
To learn how to authorize user access from the Users or User Groups pages, see Authorize Users to an SSO Application.
Validating SSO user authentication workflow(s)
IdP-initiated user workflow
- Access the JumpCloud User Console
- Go to Applications and click an application tile to launch it
- JumpCloud asserts the user's identity to the SP and the user is authenticated without having to log in to the application
SP-initiated user workflow
- Go to the SP application login - generally, there is either a special link or an adaptive username field that detects the user is authenticated through SSO
This varies by SP.
- Login redirects the user to JumpCloud where the user enters their JumpCloud credentials
- After the user is logged in successfully, they are redirected back to the SP and automatically logged in
Configuring the Identity Management Integration
To configure BambooHR 1
- Log in to your Bamboo administrator account.
- From the Home page, select the gear icon in the top right hand corner. This brings up your Settings page.
- Under your Account information, select Apps.
- On the next page, under Not Installed, scroll down to find JumpCloud, click Install.
- A JumpCloud Settings modal pops up, for the question: When would you like your data to be sent?* 
- The integration is set to send changes every minute by default. We recommend these settings for the most immediate sync. If you want a different schedule, you can customize the cadence that updates sync.
 
- For the next question: Which fields do you want to send to JumpCloud?* Determine which attributes you’d like to manage consistently in BambooHR and sync to JumpCloud.
- Keep this page open.
Note: BambooHR will effectively master selected attributes in JumpCloud.
To get your JumpCloud API Key
Note: The Admin API key needs to belong to an Admin that has one of the following roles: Manager, Administrator or Admin with Billing. Creating an administrator service account with one of these roles is one way to ensure the integration isn't dependent on a specific admin account.
Generating a new API key revokes access for the current API key.
- Log in to the JumpCloud Admin Portal with the administrator account you want to use to generate the API key for this integration.
- Click your initials in the top right corner.
- Select My API Key.
- Click on Generate New API Key.
- Copy the API Key and store it securely, or leave this tab open while you complete the integration configuration steps in the SP.
This is the only time your API key will be visible to you. Store it somewhere safe, such as the JumpCloud Password Manager, so you can access it later.
To configure BambooHR 2
- Back on your BambooHR page, in the JumpCloud Settings modal, paste the JumpCloud API Key under Add JumpCloud provided API Key*
- Click Install. You will receive a notification that JumpCloud was successfully installed.
- Your integration is now established. If you go back to your JumpCloud Administrator console, go to USER MANAGEMENT > Users and refresh the page, you will see newly added users.
- If you set Staged as the default state, you can see a filtered view of just those users by clicking Staged option above the users list.
- If you set Active as the default state, you can filter the All or Active view to just users with a pending password status.
 
Attribute Mappings
The following table lists attributes that BambooHR sends to JumpCloud. Any updates to the fields selected in the settings for the JumpCloud app will trigger an update to those values in JumpCloud with the exception of work extension.
| BambooHR Field | Direction | JumpCloud UI Field Name | Field Type | Notes | 
|---|---|---|---|---|
| Work Email | To | Company Email | Standard | Employee records will NOT sync to JumpCloud until a Work Email exists in BambooHR. This is a required field in JumpCloud. This field is used as the unique identifier for matching users in JumpCloud with employees in BambooHR. | 
| Work Email | To | Username | Standard | Defaults to first part of email address (everything before the @ symbol). This is a required field in JumpCloud. If a user already exists in JumpCloud with a matching email, the Username for that user will not be overwritten by BambooHR. | 
| Status | To | User State | Standard | An Inactive status in BambooHR will suspend access for that user in JumpCloud. | 
| First Name | To | First Name | Standard | |
| Last Name | To | Last Name | Standard | |
| Preferred Name OR First Name + Last Name | To | Display Name | Standard | Populated by Preferred Name and Last Name fields in BambooHR. If no Preferred Name value exists then First Name will be used. | 
| Middle Name | To | Middle Name | Optional | |
| Employee Number | To | Employee ID | Optional | |
| Job Title | To | Job Title | Optional | |
| Division | To | Company | Optional | |
| Department | To | Department | Optional | |
| Location | To | Location | Optional | |
| Location Country | To | Work Country | Optional | Location field must be selected in BambooHR App Settings in order to sync. | 
| Location Address Street 1 & Location Address Street 2 | To | Work Street Address | Optional | Location field must be selected in BambooHR App Settings in order to sync. | 
| Location City | To | Work City | Optional | Location field must be selected in BambooHR App Settings in order to sync. | 
| Location State | To | Work State | Optional | Location field must be selected in BambooHR App Settings in order to sync. | 
| Location ZIP/Postal Code | To | Work Postal Code | Optional | Location field must be selected in BambooHR App Settings in order to sync. | 
| Work Phone + Ext | To | Work Phone | Optional | |
| Home Phone | To | Home Phone | Optional | |
| Mobile Phone | To | Personal Cell | Optional | |
| Address Street 1 & Location Address Street 2 | To | Home Street Address | Optional | |
| Address City | To | Home City | Optional | |
| Address State/Province | To | Home State | Optional | |
| Address ZIP/Postal Code | To | Home Postal Code | Optional | |
| Address Country | To | Home Country | Optional | |
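
The sync rules stated above (Work Email as the match key, inactive employees not created, a JumpCloud suspension reverted while the employee is still active in BambooHR) can be modelled to preview what a full sync would do before the integration is installed. This is an added example, not JumpCloud or BambooHR code; the record shapes, field names, action labels and case-insensitive email match are assumptions, and the sample records are constructed.

```python
# Added example: models the sync rules described in this article.
# Field names, action labels and case-insensitive matching are assumptions.

def plan_sync(employees, jc_users, default_state="Staged"):
    """Predict the effect of a full BambooHR -> JumpCloud sync."""
    by_email = {u["email"].lower(): u for u in jc_users}
    plan = []
    for emp in employees:
        email = (emp.get("work_email") or "").strip().lower()
        if not email:
            # No Work Email: the record is not sent to JumpCloud.
            plan.append(("skip_no_work_email", emp["name"]))
            continue
        active = emp["status"].lower() == "active"
        user = by_email.pop(email, None)
        if user is None and not active:
            # Inactive employees are sent but never created.
            plan.append(("skip_inactive", email))
        elif user is None:
            # Username defaults to the part before the @ symbol.
            plan.append(("create", email, email.split("@")[0], default_state))
        elif not active:
            plan.append(("suspend", email, user["username"]))
        elif user["state"] == "Suspended":
            # Suspended in JumpCloud, active in BambooHR: set back to Active.
            plan.append(("reactivate", email, user["username"]))
        else:
            # Matched by email: attributes overwritten, Username kept.
            plan.append(("update", email, user["username"]))
    # One-way sync: users that exist only in JumpCloud are not touched.
    plan += [("unmanaged", u["email"], u["username"]) for u in by_email.values()]
    return plan

# Constructed sample records (not real data).
EMPLOYEES = [
    {"name": "Ana Ruiz", "work_email": "ana.ruiz@example.com", "status": "Active"},
    {"name": "Bo Chen", "work_email": "Bo.Chen@example.com", "status": "Active"},
    {"name": "Cy Dole", "work_email": "cy.dole@example.com", "status": "Inactive"},
    {"name": "Di Evans", "work_email": "", "status": "Active"},
    {"name": "Ed Fox", "work_email": "ed.fox@example.com", "status": "Inactive"},
]
JC_USERS = [
    {"email": "bo.chen@example.com", "username": "bchen", "state": "Suspended"},
    {"email": "cy.dole@example.com", "username": "cdole", "state": "Active"},
    {"email": "svc-backup@example.com", "username": "svc-backup", "state": "Active"},
]

if __name__ == "__main__":
    for action in plan_sync(EMPLOYEES, JC_USERS):
        print(action)
```

Rows labelled reactivate are accounts suspended in JumpCloud that the sync would set back to Active, and rows labelled update are pre-existing JumpCloud accounts that BambooHR would take over by email match. Both are worth reviewing before the first full sync.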
Removing the Integration
These are steps for removing the integration in JumpCloud. Consult your SP's documentation for any additional steps needed to remove the integration in the SP. Failure to remove the integration successfully for both the SP and JumpCloud may result in users losing access to the application.
To deactivate the IdM Integration
- Log in to the JumpCloud Admin Portal.
- Go to USER AUTHENTICATION > SSO Applications.
- Search for the application that you’d like to deactivate and click to open its details panel.
- Under the company name and logo on the left hand panel, click the Deactivate IdM connection link.
- Click confirm.
- If successful, you will receive a confirmation message.
To deactivate the SSO Integration or Bookmark
- Log in to the JumpCloud Admin Portal.
- Go to USER AUTHENTICATION > SSO Applications.
- Search for the application that you’d like to deactivate and click to open its details panel.
- Select the SSO or Bookmark tab.
- Scroll to the bottom of the configuration.
- Click Deactivate SSO or Deactivate Bookmark.
- Click save.
- If successful, you will receive a confirmation message.
To delete the application
- Log in to the JumpCloud Admin Portal.
- Go to USER AUTHENTICATION > SSO Applications.
- Search for the application that you’d like to delete.
- Check the box next to the application to select it.
- Click Delete.
- Enter the number of the applications you are deleting
- Click Delete Application.
- If successful, you will see an application deletion confirmation notification.

 
                 
                     