JumpCloud
JumpCloud
JumpCloud: Single sign-on (SSO)
Configure JumpCloud SAML SSO so your users sign in with their existing JumpCloud credentials.
Configure Single Sign-On between JumpCloud and Atomicwork using SAML 2.0. Once complete, your users sign in to Atomicwork with their existing JumpCloud credentials — no separate password, with centralized access control through your JumpCloud directory.
Why use JumpCloud SAML SSO
Enabling JumpCloud SAML SSO offers:
- Single sign-on: Users log in with their JumpCloud credentials, removing the need for a separate Atomicwork password.
- Improved security: Authentication is handled by JumpCloud, so passwords stay inside your identity provider — Atomicwork never sees or stores them.
Before you begin
You need:
- A JumpCloud account with Administrator privileges.
- Org admin access on Atomicwork
[!NOTE] Only one SSO provider can be active at a time. If you already have another SSO provider enabled (Azure AD, Okta, Google, or another option), disable it first before enabling JumpCloud SSO.
Navigate to Settings > Security in your Atomicwork tenant in a second browser tab before you start. Atomicwork pre-populates two values — the SP Entity ID and the ACS URL — that you'll paste into JumpCloud.
[!NOTE] How the values flow
Atomicwork → JumpCloud: Copy the SP Entity ID and the ACS URL from the Atomicwork Security page into the JumpCloud custom SAML connector.
JumpCloud → Atomicwork: Copy the JumpCloud IdP metadata URL and paste it into the matching field in Atomicwork.
Set up JumpCloud SAML SSO
Step 1: Create a custom SAML application in JumpCloud
- Sign in to the JumpCloud Admin Portal.
- From the left navigation, open User Authentication > SSO Applications.
- Click + Add New Application, then choose Custom SAML Application.
- In the General Info tab, enter a display name (for example, "Atomicwork") and click Next.
Step 2: Enter the SP Entity ID and ACS URL
In Atomicwork, open Settings > Security > JumpCloud SSO. Atomicwork displays the SP Entity ID and the ACS URL — these are the values you'll paste into JumpCloud.
- In the JumpCloud SSO tab, paste the SP Entity ID from Atomicwork into the SP Entity ID field.
- Paste the ACS URL from Atomicwork into the ACS URL field. Leave this as the only ACS URL (index 0) — do not add a second one.
[!NOTE] Only one ACS URL is needed. Atomicwork uses JumpCloud's default (index 0) ACS URL for all sign-ins. Adding a second ACS URL won't be used and can cause confusion later.
Step 3: Configure assertion signing and NameID format
- Under SAMLSubject NameID, choose email.
- Set SAMLSubject NameID Format to
urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress. - Set Sign (or Signature) to Assertion. If JumpCloud only offers a combined option, choose Response & Assertion (also labeled Both in some JumpCloud versions).
[!NOTE] Required: sign the assertion. Atomicwork only accepts SAML assertions that are signed at the assertion level. If JumpCloud is configured to sign only the outer SAML Response (without signing the assertion inside it), the integration will fail at install time with an error asking you to set Sign = Assertion in JumpCloud.
Step 4: Confirm the attribute mappings
Under Attributes, add the following three mappings using the standard JumpCloud Basic attribute format:
| Service Provider Attribute Name | JumpCloud Attribute Name |
|---|---|
email | email |
firstName | firstname |
lastName | lastname |
Click Activate to save the application.
Step 5: Copy the JumpCloud IdP metadata URL
After activating the application, JumpCloud exposes an IdP metadata URL that contains its signing certificate, sign-in endpoints, and entity ID — everything Atomicwork needs to trust JumpCloud.
- Open the application you just created in JumpCloud.
- Under the SSO tab, locate JumpCloud Metadata URL (sometimes labeled IdP Metadata URL).
- Copy the URL — you'll paste it into Atomicwork in the next step.
Step 6: Paste the metadata URL into Atomicwork
- Switch back to the Atomicwork JumpCloud SSO page.
- Paste the JumpCloud Metadata URL into the JumpCloud SAML metadata URL field.
- Click Connect to activate SSO for your organization.
Atomicwork imports the metadata, validates that the signing certificate is present, and activates the integration. If validation fails, you'll see a specific error indicating what to fix in JumpCloud.
Step 7: Assign users in JumpCloud
- In JumpCloud, open the application you created and switch to the User Groups tab.
- Assign the user groups (or individual users) that should be able to sign in to Atomicwork.
Step 8: Test the sign-in
Open an incognito browser window and navigate to your Atomicwork workspace login page. Click Continue with SSO (or equivalent) and enter your work email. You should be redirected to JumpCloud, authenticate, and land back inside Atomicwork.
Troubleshooting
| Symptom | Cause | Resolution |
|---|---|---|
| Install fails with "set Sign = Assertion in JumpCloud" | JumpCloud is signing only the outer SAML Response, not the assertion itself. | In your JumpCloud SAML application, change the Sign setting to Assertion or Response & Assertion (Both). Save, then click Connect again in Atomicwork. |
| "Enable" button is disabled with a tooltip about an existing SSO provider | Another SSO provider (Azure AD, Okta, Google, etc.) is already active. Only one SSO can be enabled at a time. | Disable the existing SSO provider in Settings > Security first, then enable JumpCloud SSO. |
| "JumpCloud SSO is not enabled for this tenant" | JumpCloud SSO is not yet available on your Atomicwork workspace. | Contact Atomicwork support to enable JumpCloud SSO for your workspace. |
| "Invalid signature" or "Signature validation failed" after JumpCloud sign-in | The JumpCloud metadata URL was copied while a certificate change was in flight, or the signing certificate is missing from JumpCloud's metadata. | Re-copy the JumpCloud Metadata URL from your JumpCloud application and paste it again in Atomicwork. Confirm assertion signing is still enabled in JumpCloud. |
| Loop back to the sign-in page | A mismatched ACS URL — often a trailing space or the ACS URL was added at a non-zero index in JumpCloud. | Verify the ACS URL in JumpCloud matches the one shown in Atomicwork exactly. Make sure it's the only ACS URL configured. |
| Email or name missing in the user profile | The attribute mappings in JumpCloud are missing or use unexpected names. | In JumpCloud, open the application's Attributes tab and confirm the three mappings — email, firstName, and lastName — match what's shown in Step 4. |
| User can authenticate but can't access Atomicwork | The user isn't assigned to the JumpCloud SAML application. | In JumpCloud, open the application's User Groups tab and assign the user (or a group containing them). |
Related articles
If you also use JumpCloud for user provisioning and identity management, see JumpCloud: Overview and setup.
JumpCloud: Overview and setup
Automate user provisioning and identity management by integrating JumpCloud with Atomicwork.
The JumpCloud integration centralizes identity and access management, eliminating the manual work of provisioning users across disconnected systems.
You can automate user onboarding and offboarding, manage group memberships, and sync identity data directly from Atomicwork. This reduces provisioning delays, cuts down on access-related requests, and ensures employees get the right access at the right time without manual intervention.
Usecases
Connecting JumpCloud to Atomicwork unlocks several key capabilities for your IT and HR teams:
- Identity governance: Automate user provisioning and deprovisioning as part of your workflows.
- Group management: Add or remove users from user groups automatically during role changes.
- Account recovery: Unlock locked user accounts via self-service.
Permissions
To connect your Atomicwork and JumpCloud accounts, you need:
- Org admin access in Atomicwork
- A JumpCloud API key with read and write access to the following areas:
- System Users
- User Groups
- Directory Insights
| Permission | Purpose |
|---|---|
| View users | To sync user profiles and ensure workflows have access to the necessary user data. |
| Create users | To create new users automatically as part of workflows and journey actions. |
| Delete users | To remove users through workflows and journey actions. |
| Suspend users | To temporarily suspend user accounts through workflows and journey actions. |
| Deactivate users | To deactivate users through workflow and journey actions. |
| Activate users | To reactivate users who need to regain access to your JumpCloud applications. |
| Edit users' profile attributes | To update user attributes, ensuring the latest data is synced to Atomicwork and used in workflows. |
| Reset passwords | To support resetting passwords as part of skills. |
| MFA resets | To allow resetting multi-factor authentication as part of workflows. |
| Manage API tokens | To create an API token that will be shared with Atomicwork for setting up the integration. |
| View API tokens | To view and access the API token shared with Atomicwork. |
| View groups | To retrieve the list of groups and associated information for workflow actions and skills. |
| Manage group membership | To add or remove users from groups through workflows and journey actions. |
| Create groups | To create groups through workflows and journey actions. |
| Manage applications | To view application details and client credentials, and to assign users to applications based on their group membership or direct assignment. |
| View roles | To ensure workflows have visibility into user roles for proper access control and auditing. |
| View admin assignments | To verify administrators who are responsible for specific roles, ensuring proper workflow execution. |
Setup
[!NOTE] Your JumpCloud API key is required to authorize the integration. This key is sent securely in every request to authenticate your workspace.
- Generate a new JumpCloud API key:
- Log in to the JumpCloud Admin Portal and click on your account initials in the bottom-left or top-right
- Click on My API Key > Generate New API Key
- Copy and securely store the API key
- In your Atomicwork account, navigate to Settings > App store > JumpCloud.
- Enter your API key and click on Test to test the connection.
- Click on Connect to activate the integration
Supported workflow actions
Once connected, you can automate the following JumpCloud actions within your Atomicwork workflows:
| Action | Description |
|---|---|
| Get system user | Retrieve a specific system user by their ID. |
| List users | List all system users. |
| Create user | Create a new system user in JumpCloud. |
| Update user | Update an existing system user's profile. |
| Delete user | Delete a system user account. |
| Unlock user | Unlock a locked user account. |
| Suspend user | Temporarily suspend a user account. |
| Deactivate user | Deactivate a user account entirely. |
| Add user to group | Assign a user to a specific user group. |
| Remove user from group | Remove a user from a specific user group. |
| Get last logged event | Query user events from Directory Insights. |
| Call API | Make a generic API call to any JumpCloud endpoint |
Troubleshoot common issues
If you encounter issues while setting up or using the JumpCloud integration, review the following common errors:
| Error message | Cause | Resolution |
|---|---|---|
| api_key is null | The integration configuration is missing the API key. | Re-enter your API key in the integration settings. |
| 401 or 403 errors | Your API key lacks the required permissions or has been revoked. | Generate a new key with the correct permissions in the JumpCloud Admin Console. |
| JumpCloud client error JumpCloud server error | The API call to JumpCloud encountered an error response. | Check the JumpCloud API status page to ensure their services are operational. |
