
Custom API integration enhancements | Importing user updates and deprovisioning

SamMorganJC
JumpCloud Employee

Hello JumpCloud Community! My name is Sam Morgan.  I am a Principal Product Manager on our Directory team here at JumpCloud.  My primary focus is our HR and Cloud Directory integrations.  Until just recently, my focus included all user provisioning integrations, integrations that provisioned users to and from JumpCloud. This is my first community post.  

We just released some exciting changes to our custom API integration capabilities.  IT Administrators can now keep user data in JumpCloud in sync with the user data in the application for which a custom API import integration has been created.  With the click of a button in the Admin Portal, or a single API call, an IT Administrator can import new active users, update existing user data, and deprovision (automatically suspend) users in JumpCloud based on the user data pulled from the source application. Previously, only new users could be imported.  

The Why: As an open directory platform, JumpCloud accepts user identities from anywhere.  We hear from IT Administrators that one of their biggest challenges is keeping those identities accurate throughout the user lifecycle (joiner, mover, leaver).  This is especially true now that more Small and Medium Enterprise (SME) organizations are adopting cloud-based solutions for people management and other HR functions.  

The purpose of the custom API import integration option is to provide IT Administrators with a more automated way to keep user data accurate, from their organization’s source of truth, if an integration with JumpCloud doesn’t already exist.  This source could be an HR solution, a compensation solution, another cloud directory, or any other application with a REST API.  

By keeping the user data accurate throughout the entire lifecycle, the IT Administrator can more effectively keep a user’s access and permissions correct.  The outcomes are a more secure user identity, efficiencies for IT (and HR), and a positive experience for the end user. 

Capability evolution: Getting to this point has been a journey.  

1H2022: 

  • First release of the custom API import integration capability, which supported:
    • API Key and Bearer Token for authentication
    • offset-based pagination
    • mapping the attributes from the source to specific fields in JumpCloud

2H2022: 

  • Support for OAuth 2.0 authorization code grant type
  • Ability to define the status attribute and the status(es) that should be considered inactive in the source application
  • New /applications/{application_id}/import/jobs endpoint, which included the following functionality:
    • If the inactive statuses are defined in the custom API integration configuration, only create a new user in JumpCloud if they have an “active” status in the source application
    • Update in JumpCloud all mapped attributes that have changed in the source application
    • If the inactive statuses are defined in the custom API integration configuration, automatically deprovision (suspend) users in JumpCloud when their status in the source application changes to one of the defined inactive statuses, as part of the user data update logic

2023 Jan:

  • Enhanced custom API integration import flow in the Admin Portal to support importing only new users, importing updates to existing users, importing new users and updates to existing users, and the existing option to select the new users to import.  The update options include the same functionality provided by the /applications/{application_id}/import/jobs API endpoint.


Technical details:  To use the custom API import integration option, the source application must meet the following criteria:

  • Supports API Key, Bearer Token, or OAuth 2.0 authorization code grant type as the authentication method.
  • Supports offset pagination (limit/offset).
  • Accepts JSON requests and returns JSON responses.
  • Has an endpoint that lists all the employees or users and returns the full schema (not a list of ids or a single value).

Roadmap: We aren’t done yet.  There is more we intend to do with our custom API integration capability.

  • Scheduled imports - pull data from the source application on a regular recurring schedule.
  • Import job monitoring/observability - alerts on the homepage in the Admin portal for import job failures and pre-filtered views of Directory Insights user create, user update, user activation, and user suspension events related to the imports.
  • User export - provisioning, updating, and deprovisioning users from JumpCloud to an application that has a REST API.  This functionality is intended to be used with applications that don’t support System for Cross-domain Identity Management (SCIM) or may require a certain tier of service to use SCIM.

Learn more: To learn more about our custom API integration capabilities, take a look at our support article, Import users from an external identity source using a custom API integration and our Create an import job API documentation.  We also have a blog post on this topic, JumpCloud Expands Open Integration Options to More Identity Sources.

To learn more about how this fits into Advanced Identity Lifecycle Management, join me for IT Hour on Friday, February 3rd. 

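An added example, not part of the original post and not JumpCloud's code: a dry-run planner that applies the create / update / suspend rules listed for the import jobs endpoint to records read through limit/offset paging, so an administrator can see which accounts an import would touch before running it. The record layout, the email match key, the `suspended` flag and every function name are assumptions made for the illustration, and the data is constructed.

```python
# Added example: constructed data and hypothetical names, not JumpCloud's code or API.
SOURCE = [  # constructed records from the source application's user-list endpoint
    {"mail": "ana@example.com", "title": "Senior Engineer", "state": "active"},
    {"mail": "ben@example.com", "title": "Analyst", "state": "terminated"},
    {"mail": "cy@example.com", "title": "Designer", "state": "active"},
    {"mail": "dee@example.com", "title": "Intern", "state": "terminated"},
    {"mail": "eli@example.com", "title": "Recruiter", "state": "on_leave"},
]
DIRECTORY = {  # constructed directory state, keyed by email (assumed match key)
    "ana@example.com": {"email": "ana@example.com", "jobTitle": "Engineer", "suspended": False},
    "ben@example.com": {"email": "ben@example.com", "jobTitle": "Analyst", "suspended": False},
    "eli@example.com": {"email": "eli@example.com", "jobTitle": "Recruiter", "suspended": False},
}
MAPPING = {"mail": "email", "title": "jobTitle"}  # source attribute -> directory field

def fetch_page(limit, offset):
    """Stand-in for a limit/offset request that returns full user objects."""
    return SOURCE[offset:offset + limit]

def fetch_all(limit=2):
    """Walk the offset-paginated list until a short page signals the end."""
    users, offset = [], 0
    while True:
        page = fetch_page(limit, offset)
        users.extend(page)
        if len(page) < limit:
            return users
        offset += limit

def plan_import(records, directory, mapping, status_attr=None, inactive=()):
    """Return the (action, email, detail) steps an import would take; changes nothing."""
    plan = []
    for rec in records:
        is_inactive = status_attr is not None and rec.get(status_attr) in inactive
        mapped = {dst: rec.get(src) for src, dst in mapping.items()}
        existing = directory.get(mapped["email"])
        if existing is None:
            if not is_inactive:  # never create a user who is already inactive at the source
                plan.append(("create", mapped["email"], mapped))
            continue
        changed = {f: v for f, v in mapped.items() if existing.get(f) != v}
        if changed:
            plan.append(("update", mapped["email"], changed))
        if is_inactive and not existing["suspended"]:
            plan.append(("suspend", mapped["email"], rec[status_attr]))
    return plan

if __name__ == "__main__":
    for step in plan_import(fetch_all(), DIRECTORY, MAPPING, "state", {"terminated"}):
        print(step)
```

With no status attribute or inactive statuses configured, the same planner creates the terminated new hire and leaves the terminated existing user active, which is the gap the inactive-status setting closes.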