Skip to main content

Use Case: User Provisioning with SCIM and HRIS

Automate identity lifecycle using JumpCloud Identity Management (IDM): pull users from an HRIS into JumpCloud, and push users to SaaS applications via SCIM.

JumpCloud plays two SCIM-related roles in these flows:

Direction JumpCloud role Typical source / target
Inbound (HRIS import) Identity hub — creates/updates system users HRIS REST API → JumpCloud
Outbound (SCIM provision) SCIM client — provisions bound users JumpCloud → SaaS SCIM endpoint

STAGED behavior: Users in STAGED state are created/updated in JumpCloud but are not provisioned to outbound SCIM applications until activated.


Prerequisites (Admin Portal)#

Complete these steps in the Admin Portal before calling the API endpoints in this guide.

Task Where
Connect an HRIS or custom REST identity source Applications → Identity Management
Configure IDM translation rules Applications → Identity Management → Translation rules
Enable outbound SCIM on a SaaS application Applications → User Provisioning

Support articles:


API reference#

Operation Method Path API docs
importusers GET /api/v2/applications/{applicationid}/import/users List users to import
importcreate POST /api/v2/applications/{applicationid}/import/jobs Create an import job
systemusersstateactivate POST /api/systemusers/{id}/state/activate Activate system user (v1)
workdaysworkers GET /api/v2/workdays/{workdayid}/workers List Workday workers
workdaysimport POST /api/v2/workdays/{workdayid}/import Workday import
workdaysimportresults GET /api/v2/workdays/{id}/import/{jobid}/results List import results
graphapplicationAssociationsPost POST /api/v2/applications/{applicationid}/associations Manage application associations
graphapplicationTraverseUser GET /api/v2/applications/{applicationid}/users List users bound to application
bulkuserStatesCreate POST /api/v2/bulk/userstates Create scheduled user state job

Workflow A: HRIS → JumpCloud (inbound import)#

Import employees from an HRIS or custom REST identity source into JumpCloud system users.

Workflow at a glance#

Step Action API reference
1 List users available from HRIS (optional) List users to import (v2)
2 Run import job Create an import job (v2)
3 Activate staged users (if needed) Activate system user (v1)

Prebuilt Workday path: use List Workday workers and Workday import instead of Steps 1–2.


Step A1: List users from HRIS (optional)#

Overview

Fetch a paginated list of users from the connected HRIS before committing an import. Useful for selective import UIs or validating connectivity.

Requirements

Item Required
API key Yes — scope: applications
Application ID Yes — active custom protocol integration configured in Admin Portal

Endpoint

Reference: Get a list of users to import from an Application IdM service provider

GET https://console.jumpcloud.com/api/v2/applications/{application_id}/import/users

Request

curl -X GET 'https://console.jumpcloud.com/api/v2/applications/{Application_ID}/import/users?limit=100' \
  -H 'Accept: application/json' \
  -H 'x-api-key: {API_KEY}'

Successful response

HTTP 200 — array of HRIS user records available for import.

Next steps

Run a full or filtered import job (Step A2).


Step A2: Create an import job#

Overview

Asynchronously import new users and/or update existing JumpCloud system users from the HRIS. Imported users receive creation-source: jumpcloud:scim (or connector-specific source). User state is determined by IDM translation rules configured in Admin Portal or by organization defaults.

Requirements

Item Required Notes
API key Yes Scope: applications
Application ID Yes Active custom protocol integration
operations Yes For example "users.create", "users.update"
allowUserReactivation Optional Allow suspended users to be reactivated on update
queryString Optional Filter passed to HRIS API (connector-specific)

Endpoint

Reference: Create an import job

POST https://console.jumpcloud.com/api/v2/applications/{application_id}/import/jobs

Request

curl -X POST https://console.jumpcloud.com/api/v2/applications/{Application_ID}/import/jobs \
  -H 'Accept: application/json' \
  -H 'Content-Type: application/json' \
  -H 'x-api-key: {API_KEY}' \
  -d '{
    "allowUserReactivation": true,
    "operations": [
      "users.create",
      "users.update"
    ],
    "queryString": "department=Engineering"
  }'

Successful response

HTTP 200

{
  "_id": "5be9fb4ddb01290001e85121"
}

The id is the import job ID.

Next steps

  • Monitor import results in Directory Insights events or Admin Portal
  • Bind imported users to outbound SCIM apps: Workflow B below

Step A3: Activate staged users (if needed)#

If imported users are in STAGED state, activate them before they can access resources or be provisioned to outbound SCIM applications.

Reference: systemusersstateactivate

POST https://console.jumpcloud.com/api/systemusers/{id}/state/activate

Schedule a future activation date with Create scheduled user state job when HRIS provides a future hire date.


Workday variant (prebuilt HRIS)#

Workday uses dedicated endpoints instead of the generic application import job.

Step Action API reference
1 List workers from Workday report List Workday workers
2 Import selected workers Workday import
3 Poll import results List import results

Import request

curl -X POST https://console.jumpcloud.com/api/v2/workdays/{Workday_ID}/import \
  -H 'Accept: application/json' \
  -H 'Content-Type: application/json' \
  -H 'x-api-key: {API_KEY}' \
  -d '[
    {
      "email": "jsmith@example.com",
      "firstname": "Jane",
      "lastname": "Smith",
      "username": "jsmith",
      "state": "STAGED",
      "attributes": [
        { "name": "EmployeeID", "value": "1042" }
      ]
    }
  ]'

Successful response

HTTP 201 — job ID object (same shape as bulk create).


Workflow B: JumpCloud → SaaS (outbound SCIM)#

Provision JumpCloud users to a SaaS application’s SCIM endpoint (Slack, GitHub, 1Password, etc.) when users are bound to the application and in ACTIVATED state.

Enable SCIM provisioning on the target application in Admin Portal → Applications → User Provisioning before running the API steps below. If the application does not exist yet, see SSO application setup.

Workflow at a glance#

Step Action API reference
1 Bind users or groups to app Manage application associations (v2)
2 Confirm bound users List users bound to application (v2)

Step B1: Bind users or groups for provisioning#

Overview

Only bound users are candidates for outbound SCIM. Group binding is recommended; members inherit access. Users must be ACTIVATED — STAGED users remain bound in JumpCloud but are skipped for SCIM export.

Requirements

Item Required
API key Yes — scopes: associations.applications, associations
Application ID Yes
User Group ID or User ID Yes

Endpoint

Reference: Manage the associations of an Application

POST https://console.jumpcloud.com/api/v2/applications/{application_id}/associations
curl -X POST https://console.jumpcloud.com/api/v2/applications/{Application_ID}/associations \
  -H 'Accept: application/json' \
  -H 'Content-Type: application/json' \
  -H 'x-api-key: {API_KEY}' \
  -d '{
    "op": "add",
    "type": "user_group",
    "id": "{Group_ID}"
  }'

Request (individual user)

{ "op": "add", "type": "user", "id": "{User_ID}" }

Successful response

HTTP 204 — no response body.

Provisioning to the SaaS SCIM endpoint runs asynchronously after binding. ACTIVATED users are created/updated at the service provider; deprovisioning occurs when bindings are removed or the user is suspended/deleted.

Next steps

Confirm effective bindings with Step B2. To change or disable provisioning, use Admin Portal → Applications → User Provisioning.


Step B2: Confirm bound users#

Overview

List users currently bound to the application to verify provisioning scope.

Endpoint

Reference: List the Users bound to an Application

GET https://console.jumpcloud.com/api/v2/applications/{applicationid}/users

Request

curl -X GET 'https://console.jumpcloud.com/api/v2/applications/{Application_ID}/users?limit=100' \
  -H 'Accept: application/json' \
  -H 'x-api-key: {API_KEY}'

Successful response

HTTP 200 — array of bound user objects.


End-to-end: HRIS hire → SaaS access#

HRIS record (Pre-Hire)
→ Admin Portal: configure connector translation rules
→ Import job (Workflow A) → JumpCloud user (STAGED)
→ Assign groups
→ Activate user
→ Admin Portal: enable SCIM on target SaaS app
→ Bind users/groups (Workflow B) → SCIM provision to SaaS