Introduction
Managing user identities and access can be a challenging task, especially as your organisation grows. To simplify this process, Jump Desktop now supports SCIM (System for Cross-domain Identity Management) integration. This feature enables seamless synchronisation of user data and team access groups between your Single Sign-On (SSO) provider and Jump Desktop.
When a user is assigned to the Jump Desktop app via your SSO provider, SCIM automatically pushes their details to Jump Desktop. If Domain Verification is enabled, no verification email is sent and users can sign in directly using SSO (the automatic redirect on the user sign-in page is only enabled with Domain Verification). Otherwise, an email is sent to the user for email verification. Importantly, if a verified user with the pushed email already exists, their account transitions to being managed by the SCIM server. Note: a user license is charged once a user is added to the team, not when the user's Jump Desktop account is automatically provisioned.
This article provides a step-by-step guide to integrate SCIM with Jump Desktop, complete with screenshots and detailed instructions.
Additional topics:
Managing Access Groups using SCIM
FAQs related to SCIM integration
Pre-requisites for SCIM integration
- Single Sign On is configured for your team
- A Jump Desktop for Teams Enterprise subscription
Configuring SCIM
As a first step, you will have to enable SCIM integration in the Jump Desktop Teams dashboard. Users and team access groups managed by SCIM cannot be altered in the Jump Desktop Teams dashboard; the section on Access Groups below describes what to expect for team access groups that are managed by SCIM. You can provision SCIM for your team using any of the SSO providers covered in the following sections:
Enable SCIM integration in Jump Desktop teams dashboard
1. Visit https://app.jumpdesktop.com and log in as an SSO team administrator.
2. Select the team with SSO configured, then select Security.
3. Click Enable SCIM in the Team Single Sign On section.
4. In 'Safe Mode', a delete request from your SCIM server does not delete a user's account. Instead, the user's account is disabled in all teams and marked for deletion. Administrators can review accounts marked for deletion under 'Users' in the Teams menu. When 'Safe Mode' is turned off, delete requests from your SCIM server will remove the user's account from all teams and delete the account immediately. Note that changes made when 'Safe Mode' is off are permanent.
5. You will be presented with your SCIM connection details which you will need to configure SCIM provisioning with your SSO provider.
SCIM Provisioning with Okta
1. Go to https://login.okta.com/ and log in as an administrator.
2. After login, on the top right of the screen, click the Admin button.
3. On the Admin home page under Applications click Applications.
4. On the Applications screen, select the Jump Desktop application.
5. On the Jump Desktop application screen, you will need to enable SCIM provisioning under the General tab. Click the Edit link for App Settings.
6. Select SCIM provisioning and click Save.
7. This should add a Provisioning tab under the Jump Desktop application page.
8. Click on Integrations under the Provisioning tab.
9. Copy the Security Token and SCIM integration URL from the Jump Desktop portal as shown.
10. Fill in the details as shown above.
11. Click Test Connector Configuration. You should see a pop-up as shown above. Close the dialog and click Save.
12. Under the Provisioning tab click on To App on the left hand side and ensure that the following features are enabled:
- Create Users
- Update User Attributes
- Deactivate Users
If these features are not enabled, click Edit, enable the features and click the Save button.
SCIM provisioning has been successfully configured.
SCIM Provisioning with Microsoft Entra ID (previously Azure)
1. Visit https://portal.azure.com and sign in as an administrator.
2. On the home screen click Azure Active Directory.
3. Click Enterprise applications on the left.
4. In the Enterprise applications screen select the Jump Desktop application under All applications.
5. On the next screen select the Provision User Accounts option.
6. Click Get Started and select from Automation (recommended) or Manual provisioning.
7. Under Admin Credentials enter Tenant URL and Secret Token from the Jump Desktop Portal as shown and click Test Connection.
8. If the connection is successful, click Save. Your SCIM provisioning has been successfully configured.
SCIM Provisioning with OneLogin
1. Log into OneLogin with an admin account and click "Administration" in the top right.
2. Under the "Applications" menu, select "Applications".
3. Click "Add App" in the top right corner.
4. Search for "SCIM Provisioner" and select "SCIM Provisioner with SAML (SCIM v2 Core)".
5. Give your application a name, add icons if desired, and click "Save".
6. On the next screen click "Configuration" in the left menu bar and fill in the details from your Jump Desktop Portal as shown. You can leave the default value for 'SCIM JSON Template'.
7. After adding your SCIM base URL and SCIM Bearer Token, enable the API and then click the 'Save' button in the top right.
8. Next click "Provisioning" in the left menu bar and make sure "Enable provisioning" is checked. You can leave the default values for the other fields or change them as you like. Click the 'Save' button in the top right.
SCIM Provisioning with CyberArk
1. Log into your CyberArk admin portal.
2. Under the "Apps and Widgets" menu, choose "Web Apps".
3. Choose the "Jump Desktop" SSO application you configured earlier.
4. Under the "Provisioning" menu items enter your SCIM URL and Bearer Token.
Managing Team Access Groups with SCIM
Access Groups help organize your team's computers and let you quickly give users access to a group of computers. Jump Desktop access groups can be managed via SCIM groups. Here are the key points for understanding how Jump Desktop Access Group syncing works through SCIM:
- One-Way Sync: Access groups are synchronized one-way from the SSO provider to your Jump Desktop Team.
- Modifying SCIM Managed Access Groups:
  - SSO provider website: All user modifications to groups must occur here. Adding computers to a Jump Desktop access group via SCIM is currently not supported.
  - Jump Desktop Dashboard: You can only add or remove computers and change Connect Settings for the access group from here. Any other modifications, such as renaming, deleting or changing users in the access group, must happen on the SCIM side.
- Identification: SCIM-managed Access Groups are marked with a badge in Jump Desktop. This badge aids in identifying which groups are managed through SCIM.
SCIM managed access groups will show the 'SCIM' badge:
You can only add or remove computers from SCIM managed access groups:
FAQs for SCIM integration
What happens if I disable SCIM integration in Jump Desktop teams dashboard?
When SCIM integration is disabled, your SCIM credentials are invalidated and all requests received from your SSO provider will be rejected by the Jump Desktop SCIM server. Users provisioned prior to disabling SCIM will still exist in Jump and their status will be unchanged. If in the future you enable SCIM integration again, your SCIM server will query Jump Desktop using email addresses to see which users exist in Jump Desktop and then the SCIM server will resume managing the accounts it finds.
If you wish to disable all users and disable SCIM integration, you will need to remove all users from the Jump Desktop application in your SSO provider and once the synchronisation between Jump Desktop and your SCIM service is complete, then disable SCIM integration.
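The provisioning rules described in this article (auto-provisioning with and without Domain Verification, the takeover of an existing verified account, Safe Mode delete handling, and the rejection of requests once SCIM is disabled) can be modelled as a small state machine. The block below is an added illustration of those documented rules, not Jump Desktop's own server code; the class and method names are assumptions, and how an existing unverified account is handled is not described in the article and is marked as an assumption in the code.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass
class Account:
    email: str
    verified: bool = False
    scim_managed: bool = False
    disabled: bool = False
    marked_for_deletion: bool = False

class TeamDirectory:
    """Model of the documented SCIM rules (hypothetical names, not Jump Desktop's code)."""

    def __init__(self, domain_verified: bool, safe_mode: bool):
        self.domain_verified = domain_verified
        self.safe_mode = safe_mode
        self.scim_enabled = True
        self.accounts: Dict[str, Account] = {}
        self.verification_emails: List[str] = []  # emails the server would send

    def _check_enabled(self) -> None:
        # Disabling SCIM invalidates the credentials: every provider request is rejected.
        if not self.scim_enabled:
            raise PermissionError("SCIM integration disabled; token invalid")

    def scim_create(self, email: str) -> Account:
        """Provider assigned the app to a user (SCIM POST /Users)."""
        self._check_enabled()
        acct = self.accounts.get(email)
        if acct is not None and acct.verified:
            acct.scim_managed = True  # existing verified account becomes SCIM-managed
            return acct
        # Assumption: an existing *unverified* account is treated like a new one.
        acct = Account(email, verified=self.domain_verified, scim_managed=True)
        if not self.domain_verified:
            self.verification_emails.append(email)  # no Domain Verification: email sent
        self.accounts[email] = acct
        return acct

    def scim_delete(self, email: str) -> Optional[Account]:
        """Provider unassigned the user (SCIM DELETE /Users/{id}), honouring Safe Mode."""
        self._check_enabled()
        acct = self.accounts.get(email)
        if acct is None:
            return None
        if self.safe_mode:  # disable in all teams and queue for admin review under Users
            acct.disabled = True
            acct.marked_for_deletion = True
            return acct
        del self.accounts[email]  # Safe Mode off: immediate, permanent removal
        return None

    def disable_scim(self) -> None:
        """Dashboard toggle: already provisioned users keep their current status."""
        self.scim_enabled = False
```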