Automate identity lifecycle using JumpCloud Identity Management (IDM): pull users from an HRIS into JumpCloud, and push users to SaaS applications via SCIM.
JumpCloud plays two SCIM-related roles in these flows:
| Direction | JumpCloud role | Typical source / target |
|---|---|---|
| Inbound (HRIS import) | Identity hub — creates/updates system users | HRIS REST API → JumpCloud |
| Outbound (SCIM provision) | SCIM client — provisions bound users | JumpCloud → SaaS SCIM endpoint |
STAGED behavior: Users in STAGED state are created/updated in JumpCloud but are not provisioned to outbound SCIM applications until activated.
Prerequisites (Admin Portal)#
Complete these steps in the Admin Portal before calling the API endpoints in this guide.
| Task | Where |
|---|---|
| Connect an HRIS or custom REST identity source | Applications → Identity Management |
| Configure IDM translation rules | Applications → Identity Management → Translation rules |
| Enable outbound SCIM on a SaaS application | Applications → User Provisioning |
Support articles:
API reference#
| Operation | Method | Path | API docs |
|---|---|---|---|
| importusers | GET | /api/v2/applications/{applicationid}/import/users | List users to import |
| importcreate | POST | /api/v2/applications/{applicationid}/import/jobs | Create an import job |
| systemusersstateactivate | POST | /api/systemusers/{id}/state/activate | Activate system user (v1) |
| workdaysworkers | GET | /api/v2/workdays/{workdayid}/workers | List Workday workers |
| workdaysimport | POST | /api/v2/workdays/{workdayid}/import | Workday import |
| workdaysimportresults | GET | /api/v2/workdays/{id}/import/{jobid}/results | List import results |
| graphapplicationAssociationsPost | POST | /api/v2/applications/{applicationid}/associations | Manage application associations |
| graphapplicationTraverseUser | GET | /api/v2/applications/{applicationid}/users | List users bound to application |
| bulkuserStatesCreate | POST | /api/v2/bulk/userstates | Create scheduled user state job |
Workflow A: HRIS → JumpCloud (inbound import)#
Import employees from an HRIS or custom REST identity source into JumpCloud system users.
Workflow at a glance#
| Step | Action | API reference |
|---|---|---|
| 1 | List users available from HRIS (optional) | List users to import (v2) |
| 2 | Run import job | Create an import job (v2) |
| 3 | Activate staged users (if needed) | Activate system user (v1) |
Prebuilt Workday path: use List Workday workers and Workday import instead of Steps 1–2.
Step A1: List users from HRIS (optional)#
Overview
Fetch a paginated list of users from the connected HRIS before committing an import. Useful for selective import UIs or validating connectivity.
Requirements
| Item | Required |
|---|---|
| API key | Yes — scope: applications |
| Application ID | Yes — active custom protocol integration configured in Admin Portal |
Endpoint
Reference: Get a list of users to import from an Application IdM service provider
GET https://console.jumpcloud.com/api/v2/applications/{application_id}/import/users
Request
curl -X GET 'https://console.jumpcloud.com/api/v2/applications/{Application_ID}/import/users?limit=100' \
-H 'Accept: application/json' \
-H 'x-api-key: {API_KEY}'
Successful response
HTTP 200 — array of HRIS user records available for import.
Next steps
Run a full or filtered import job (Step A2).
Step A2: Create an import job#
Overview
Asynchronously import new users and/or update existing JumpCloud system users from the HRIS. Imported users receive creation-source: jumpcloud:scim (or connector-specific source). User state is determined by IDM translation rules configured in Admin Portal or by organization defaults.
Requirements
| Item | Required | Notes |
|---|---|---|
| API key | Yes | Scope: applications |
| Application ID | Yes | Active custom protocol integration |
| operations | Yes | For example "users.create", "users.update" |
| allowUserReactivation | Optional | Allow suspended users to be reactivated on update |
| queryString | Optional | Filter passed to HRIS API (connector-specific) |
Endpoint
Reference: Create an import job
POST https://console.jumpcloud.com/api/v2/applications/{application_id}/import/jobs
Request
curl -X POST https://console.jumpcloud.com/api/v2/applications/{Application_ID}/import/jobs \
-H 'Accept: application/json' \
-H 'Content-Type: application/json' \
-H 'x-api-key: {API_KEY}' \
-d '{
"allowUserReactivation": true,
"operations": [
"users.create",
"users.update"
],
"queryString": "department=Engineering"
}'
Successful response
HTTP 200
{
"_id": "5be9fb4ddb01290001e85121"
}
The id is the import job ID.
Next steps
- Monitor import results in Directory Insights events or Admin Portal
- Bind imported users to outbound SCIM apps: Workflow B below
Step A3: Activate staged users (if needed)#
If imported users are in STAGED state, activate them before they can access resources or be provisioned to outbound SCIM applications.
Reference: systemusersstateactivate
POST https://console.jumpcloud.com/api/systemusers/{id}/state/activate
Schedule a future activation date with Create scheduled user state job when HRIS provides a future hire date.
Workday variant (prebuilt HRIS)#
Workday uses dedicated endpoints instead of the generic application import job.
| Step | Action | API reference |
|---|---|---|
| 1 | List workers from Workday report | List Workday workers |
| 2 | Import selected workers | Workday import |
| 3 | Poll import results | List import results |
Import request
curl -X POST https://console.jumpcloud.com/api/v2/workdays/{Workday_ID}/import \
-H 'Accept: application/json' \
-H 'Content-Type: application/json' \
-H 'x-api-key: {API_KEY}' \
-d '[
{
"email": "jsmith@example.com",
"firstname": "Jane",
"lastname": "Smith",
"username": "jsmith",
"state": "STAGED",
"attributes": [
{ "name": "EmployeeID", "value": "1042" }
]
}
]'
Successful response
HTTP 201 — job ID object (same shape as bulk create).
Workflow B: JumpCloud → SaaS (outbound SCIM)#
Provision JumpCloud users to a SaaS application’s SCIM endpoint (Slack, GitHub, 1Password, etc.) when users are bound to the application and in ACTIVATED state.
Enable SCIM provisioning on the target application in Admin Portal → Applications → User Provisioning before running the API steps below. If the application does not exist yet, see SSO application setup.
Workflow at a glance#
| Step | Action | API reference |
|---|---|---|
| 1 | Bind users or groups to app | Manage application associations (v2) |
| 2 | Confirm bound users | List users bound to application (v2) |
Step B1: Bind users or groups for provisioning#
Overview
Only bound users are candidates for outbound SCIM. Group binding is recommended; members inherit access. Users must be ACTIVATED — STAGED users remain bound in JumpCloud but are skipped for SCIM export.
Requirements
| Item | Required |
|---|---|
| API key | Yes — scopes: associations.applications, associations |
| Application ID | Yes |
| User Group ID or User ID | Yes |
Endpoint
Reference: Manage the associations of an Application
POST https://console.jumpcloud.com/api/v2/applications/{application_id}/associations
Request (group binding — recommended)
curl -X POST https://console.jumpcloud.com/api/v2/applications/{Application_ID}/associations \
-H 'Accept: application/json' \
-H 'Content-Type: application/json' \
-H 'x-api-key: {API_KEY}' \
-d '{
"op": "add",
"type": "user_group",
"id": "{Group_ID}"
}'
Request (individual user)
{ "op": "add", "type": "user", "id": "{User_ID}" }
Successful response
HTTP 204 — no response body.
Provisioning to the SaaS SCIM endpoint runs asynchronously after binding. ACTIVATED users are created/updated at the service provider; deprovisioning occurs when bindings are removed or the user is suspended/deleted.
Next steps
Confirm effective bindings with Step B2. To change or disable provisioning, use Admin Portal → Applications → User Provisioning.
Step B2: Confirm bound users#
Overview
List users currently bound to the application to verify provisioning scope.
Endpoint
Reference: List the Users bound to an Application
GET https://console.jumpcloud.com/api/v2/applications/{applicationid}/users
Request
curl -X GET 'https://console.jumpcloud.com/api/v2/applications/{Application_ID}/users?limit=100' \
-H 'Accept: application/json' \
-H 'x-api-key: {API_KEY}'
Successful response
HTTP 200 — array of bound user objects.
End-to-end: HRIS hire → SaaS access#
HRIS record (Pre-Hire)
→ Admin Portal: configure connector translation rules
→ Import job (Workflow A) → JumpCloud user (STAGED)
→ Assign groups
→ Activate user
→ Admin Portal: enable SCIM on target SaaS app
→ Bind users/groups (Workflow B) → SCIM provision to SaaS