JumpCloud SSO and SCIM Setup Guide

This guide walks you through configuring JumpCloud as your Identity Provider (IdP) for CRA Evidence single sign-on (SAML SSO) and automated user provisioning (SCIM).

Overview

JumpCloud is a cloud-based directory platform that provides identity and access management. This guide covers:

  • SAML 2.0 SSO: Authenticate users through JumpCloud
  • SCIM 2.0 Provisioning: Automatically create, update, and deactivate users

JumpCloud Free Tier

JumpCloud offers a free tier that includes:

  • 10 users and 10 devices
  • Full SSO (SAML) capabilities
  • SCIM provisioning support
  • MFA and conditional access

This makes JumpCloud an excellent choice for small teams or for testing enterprise SSO before committing to a larger IdP.


Prerequisites

Before starting, ensure you have:

  1. JumpCloud Account: Sign up at https://jumpcloud.com/signup
  2. JumpCloud Admin Access: You need admin privileges to create applications
  3. CRA Evidence Running: Your CRA Evidence instance must be accessible (e.g., https://app.craevidence.com or your self-hosted URL)
  4. CRA Evidence Organisation Admin: You need admin access to configure SSO settings

Part 1: SAML SSO Setup

Step 1: Get CRA Evidence SP Information

Before configuring JumpCloud, gather the Service Provider (SP) information from CRA Evidence:

  1. Log in to CRA Evidence as an organisation admin
  2. Go to Settings > Single Sign-On
  3. Note the following values:
| Field | Value |
| --- | --- |
| Entity ID (Issuer) | https://app.craevidence.com |
| ACS URL | https://app.craevidence.com/api/v1/saml/acs |
| Metadata URL | https://app.craevidence.com/api/v1/saml/metadata |

Note: Replace app.craevidence.com with your actual CRA Evidence domain if self-hosted.

Step 2: Create JumpCloud Custom SAML Application

  1. Log in to your JumpCloud Admin Console at https://console.jumpcloud.com
  2. Navigate to SSO in the left sidebar
  3. Click + Add New Application
  4. Click Custom SAML App at the bottom of the application list

Step 3: Configure General Settings

In the General Info tab:

| Field | Value |
| --- | --- |
| Display Label | CRA Evidence |
| Description | CRA Evidence - EU Cyber Resilience Act Compliance Platform |
| Logo | Upload the CRA Evidence logo (optional) |

Click Continue to proceed.

Step 4: Configure SSO Settings

In the SSO tab, configure the following:

IdP Entity ID Configuration

| Field | Value |
| --- | --- |
| IdP Entity ID | Leave as auto-generated or set a custom value like jumpcloud-craevidence |

SP Entity ID & ACS URL

| Field | Value |
| --- | --- |
| SP Entity ID | https://app.craevidence.com |
| ACS URL | https://app.craevidence.com/api/v1/saml/acs |

SAMLSubject NameID

| Field | Value |
| --- | --- |
| SAMLSubject NameID | email |
| NameID Format | urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress |

Signing Settings

| Field | Recommended Value |
| --- | --- |
| Sign Assertion | Enabled |
| Sign Response | Enabled |
| Signature Algorithm | RSA-SHA256 |

Login URL (Optional)

| Field | Value |
| --- | --- |
| Login URL | https://app.craevidence.com/login |
| Default RelayState | Leave blank |

Step 5: Configure Attribute Mappings

In the SSO tab, scroll to User Attribute Mapping and add the following:

| Service Provider Attribute | JumpCloud Attribute |
| --- | --- |
| email | email |
| firstName | firstname |
| lastName | lastname |
| displayName | displayname |

To add custom attributes:

  1. Click + Add Attribute
  2. Enter the Service Provider Attribute Name (left column)
  3. Select the corresponding JumpCloud Attribute (right column)

Step 6: Save and Get IdP Information

  1. Click Activate or Save to create the application
  2. After saving, go back to the application settings
  3. Click on the SSO tab
  4. Find and copy/download the following:

| Item | Where to Find |
| --- | --- |
| IdP Certificate | Click Download certificate or copy the certificate text |
| IdP URL (SSO URL) | Listed under "IDP URL" or "Single Sign-On URL" |
| IdP Entity ID | Listed under "IdP Entity ID" |

Alternatively, click Download metadata to get an XML file containing all IdP information.

Step 7: Configure CRA Evidence with JumpCloud IdP

  1. In CRA Evidence, go to Settings > Single Sign-On
  2. Click Add Identity Provider
  3. Fill in the form:

| Field | Value |
| --- | --- |
| Name | JumpCloud (or your preferred name) |
| Vendor | Generic SAML 2.0 |
| Entity ID | The "IdP Entity ID" from JumpCloud |
| SSO URL | The "IDP URL" from JumpCloud |
| SLO URL | Leave blank (optional) |
| X.509 Certificate | Paste the certificate from JumpCloud |

Provisioning Settings

| Field | Recommended Value |
| --- | --- |
| JIT Provisioning | Enabled |
| Default Role | Member |
| Update on Login | Enabled |

  4. Click Add Identity Provider

Step 8: Add and Verify SSO Domain

  1. In CRA Evidence SSO settings, go to Domains
  2. Click Add Domain
  3. Enter your email domain (e.g., company.com)
  4. Select the JumpCloud IdP you just created
  5. Click Add Domain

Verify Domain Ownership

  1. Add a DNS TXT record to your domain:

    • Host/Name: _craevidence-verification
    • Value: (the verification token shown in CRA Evidence)
    • TTL: 3600 (or your default)
  2. Wait for DNS propagation (can take up to 48 hours, usually much faster)

  3. Click Verify Now in CRA Evidence

Step 9: Assign Users to the Application in JumpCloud

  1. In JumpCloud Admin Console, go to SSO

  2. Click on your CRA Evidence application

  3. Go to the User Groups tab

  4. Click + Add User Groups and select groups that should have access

    OR

  5. Go to the Users tab

  6. Click + Add Users and select individual users

Step 10: Test SSO Flow

  1. Open a new incognito/private browser window
  2. Go to https://app.craevidence.com/login
  3. Enter an email address from your SSO domain (e.g., user@company.com)
  4. Click Continue - you should be redirected to JumpCloud
  5. Authenticate with your JumpCloud credentials
  6. After successful authentication, you should be redirected back to CRA Evidence and logged in

Part 2: SCIM Provisioning Setup

SCIM (System for Cross-domain Identity Management) enables automatic user lifecycle management. When you add or remove users in JumpCloud, they are automatically provisioned or deprovisioned in CRA Evidence.

Step 1: Enable Identity Management in JumpCloud

  1. In JumpCloud Admin Console, go to SSO
  2. Click on your CRA Evidence application
  3. Go to the Identity Management tab
  4. Enable SCIM provisioning

Step 2: Create SCIM Client in CRA Evidence

  1. In CRA Evidence, go to Settings > SCIM Provisioning
  2. Click Add SCIM Client
  3. Fill in the form:

| Field | Value |
| --- | --- |
| Name | JumpCloud Provisioning |
| Description | SCIM client for JumpCloud user provisioning |
| Default Role | Member (or Viewer for read-only access) |
| Auto-activate users | Enabled |
| Sync attributes | Enabled |
| Allow deactivation | Enabled |
| Allow deletion | Disabled (recommended for safety) |

  4. Click Create Client

  5. IMPORTANT: Copy the Bearer Token that is displayed. This token is shown only once and cannot be retrieved later.

    scim_xxxxxxxxxxxxxxxxxxxxxxxxxxxx
    

Step 3: Configure SCIM Settings in JumpCloud

  1. In JumpCloud, open the Identity Management tab of your CRA Evidence application
  2. Configure the SCIM connection:

| Field | Value |
| --- | --- |
| Base URL | https://app.craevidence.com/scim/v2 |
| Token Key | Bearer scim_xxxxxxxxxxxxxxxxxxxxxxxxxxxx (the token from Step 2) |

Note: Include the word Bearer followed by a space before your token.

  3. Click Save or Test Connection

Step 4: Test SCIM API Connection

JumpCloud should show a success message if the connection is working. You can also verify manually:

  1. In JumpCloud, click Test Connection in the Identity Management settings
  2. JumpCloud will call the SCIM discovery endpoints:
    • GET /scim/v2/ServiceProviderConfig
    • GET /scim/v2/ResourceTypes
    • GET /scim/v2/Schemas

If the test fails:

  • Verify the Base URL is correct (no trailing slash)
  • Confirm the Bearer token is correct and includes the Bearer prefix
  • Check that the SCIM client is enabled in CRA Evidence
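
The checks in the list above can be run offline before retrying Test Connection. The following Python script is an added example, not part of CRA Evidence or JumpCloud; the function names are hypothetical, the https requirement is an extra hardening check, and the base URL and token are the placeholders used in this guide.

```python
import re
import urllib.error
import urllib.request
from urllib.parse import urlsplit

DISCOVERY_PATHS = ("/ServiceProviderConfig", "/ResourceTypes", "/Schemas")

def preflight(base_url, token_key):
    """Return problems with the Base URL and Token Key fields (empty list = OK)."""
    problems = []
    parts = urlsplit(base_url)
    if parts.scheme != "https":
        problems.append("Base URL must use https so the token is not sent in clear text")
    if base_url.endswith("/"):
        problems.append("Base URL has a trailing slash")
    if not parts.path.rstrip("/").endswith("/scim/v2"):
        problems.append("Base URL should end in /scim/v2")
    if token_key != token_key.strip():
        problems.append("Token Key has leading or trailing whitespace")
    if not re.fullmatch(r"Bearer \S+", token_key.strip()):
        problems.append("Token Key must be 'Bearer', one space, then the token")
    return problems

def discovery_requests(base_url, token_key):
    """Build the three discovery GETs listed above as (url, headers) pairs."""
    headers = {"Authorization": token_key, "Accept": "application/scim+json"}
    return [(base_url + path, headers) for path in DISCOVERY_PATHS]

def probe(base_url, token_key, timeout=10):
    """Send the discovery requests (needs network); returns {url: HTTP status}."""
    results = {}
    for url, headers in discovery_requests(base_url, token_key):
        req = urllib.request.Request(url, headers=headers, method="GET")
        try:
            with urllib.request.urlopen(req, timeout=timeout) as resp:
                results[url] = resp.status
        except urllib.error.HTTPError as err:
            results[url] = err.code  # 401: token rejected, 429: rate limited
    return results

if __name__ == "__main__":
    # Placeholder values from this guide; substitute your own domain and token.
    base = "https://app.craevidence.com/scim/v2"
    token_key = "Bearer scim_xxxxxxxxxxxxxxxxxxxxxxxxxxxx"
    for problem in preflight(base, token_key):
        print("FIX:", problem)
    for url, _ in discovery_requests(base, token_key):
        print("would GET", url)
```

Call probe() only from a trusted admin workstation, and keep the real token out of the source file, for example by reading it from an environment variable.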

Step 5: Configure User Provisioning

In JumpCloud's Identity Management settings, configure:

| Setting | Recommended Value |
| --- | --- |
| Provision users | Enabled |
| Deprovision users | Enabled |
| Update user attributes | Enabled |

Attribute Mapping

Ensure the following mappings are configured:

| JumpCloud Attribute | SCIM Attribute |
| --- | --- |
| email | userName |
| email | emails[type eq "work"].value |
| firstname | name.givenName |
| lastname | name.familyName |
| displayname | displayName |

Step 6: Test User Sync

  1. In JumpCloud, assign a test user to the CRA Evidence application
  2. Wait a few moments for SCIM sync (usually immediate)
  3. In CRA Evidence, go to Settings > Users
  4. Verify the user was created with:
    • Correct email
    • Correct name
    • provisioned_via: scim flag

Part 3: User Groups (Optional)

JumpCloud supports group-based application assignment, which simplifies user management.

Create User Groups in JumpCloud

  1. In JumpCloud Admin Console, go to User Groups
  2. Click + Add Group
  3. Configure the group:

| Field | Example Value |
| --- | --- |
| Name | CRA Evidence Users |
| Description | Users with access to CRA Evidence |

  4. Click Save

Add Users to Groups

  1. Go to User Groups and click on your group
  2. Go to the Users tab
  3. Click + Add Users and select users to add

Assign Groups to Application

  1. Go to SSO and click on your CRA Evidence application
  2. Go to the User Groups tab
  3. Click + Add User Groups
  4. Select the groups that should have access

Group-Based Provisioning

When using SCIM with groups:

  • Users added to assigned groups are automatically provisioned
  • Users removed from all assigned groups are automatically deprovisioned

Part 4: Testing Checklist

Use this checklist to verify your configuration:

SSO Login Flow

  • [ ] User can initiate login from CRA Evidence login page
  • [ ] Email domain is recognized and redirects to JumpCloud
  • [ ] JumpCloud authentication succeeds
  • [ ] User is redirected back to CRA Evidence dashboard
  • [ ] User session is created in CRA Evidence

JIT Provisioning (First-Time Login)

  • [ ] New user (not previously in CRA Evidence) can log in via SSO
  • [ ] User account is created in CRA Evidence
  • [ ] User has correct name and email
  • [ ] User has the default role (Member)
  • [ ] User appears in CRA Evidence user list

SCIM User Lifecycle

  • [ ] Creating a user in JumpCloud creates them in CRA Evidence
  • [ ] Updating user attributes in JumpCloud updates CRA Evidence
  • [ ] Deactivating a user in JumpCloud deactivates them in CRA Evidence
  • [ ] SCIM provisioning logs show operations in CRA Evidence

Group Management

  • [ ] Adding user to assigned group provisions them
  • [ ] Removing user from all groups deprovisions them

Part 5: Troubleshooting

SAML SSO Issues

"Invalid SAML Response" Error

Cause: Mismatch between CRA Evidence and JumpCloud configuration

Solutions:

  • Verify the ACS URL matches exactly: https://app.craevidence.com/api/v1/saml/acs
  • Check there are no trailing slashes
  • Ensure the certificate copied to CRA Evidence is complete (includes BEGIN/END lines)
  • Verify the certificate has not expired

"Domain Not Configured" Message

Cause: Email domain not linked to an IdP

Solutions:

  • Ensure the domain is added in CRA Evidence SSO settings
  • Verify the domain is verified (check DNS TXT record)
  • Confirm the domain spelling matches exactly (case-sensitive)

User Not Being Created on First Login

Cause: JIT provisioning not enabled or attribute mapping issue

Solutions:

  • Confirm JIT Provisioning is enabled for the IdP in CRA Evidence
  • Verify the email attribute is being sent in the SAML assertion
  • Check JumpCloud attribute mappings include email

"Clock Skew" or Timing Errors

Cause: Time difference between JumpCloud and CRA Evidence servers

Solutions:

  • Ensure your servers have synchronized time (NTP)
  • CRA Evidence allows up to 2 minutes of clock drift by default
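
To separate a configuration mismatch from a timing problem, a SAMLResponse captured from your own test login can be checked against the values in this guide. The Python script below is an added example, not CRA Evidence code: the function names are hypothetical, sample_response() builds a constructed unsigned response for testing, and the 2-minute allowance is the default stated above.

```python
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"p": "urn:oasis:names:tc:SAML:2.0:protocol",
      "a": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
SKEW = timedelta(minutes=2)  # default drift allowance stated in this guide

def _ts(value):
    # SAML instants are UTC xs:dateTime values such as 2026-02-27T10:00:00Z
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def diagnose(response_b64, acs_url, sp_entity_id, now=None):
    """List config mismatches in a captured base64 SAMLResponse.
    Diagnostic only: the XML signature is NOT verified here."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(base64.b64decode(response_b64))
    findings = []
    if root.get("Destination") != acs_url:
        findings.append(f"Destination {root.get('Destination')!r} != ACS URL")
    audience = root.findtext(".//a:Audience", namespaces=NS)
    if audience != sp_entity_id:
        findings.append(f"Audience {audience!r} != SP Entity ID")
    name_id = root.find(".//a:Subject/a:NameID", NS)
    if name_id is None or name_id.get("Format") != EMAIL_FORMAT:
        findings.append("NameID Format is not emailAddress")
    cond = root.find(".//a:Conditions", NS)
    if cond is not None:
        nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if nb and now + SKEW < _ts(nb):
            findings.append("not yet valid: local clock behind the IdP")
        if noa and now - SKEW >= _ts(noa):
            findings.append("expired: local clock ahead of the IdP, or stale capture")
    return findings

def sample_response(not_before, not_on_or_after,
                    destination="https://app.craevidence.com/api/v1/saml/acs"):
    """Constructed, unsigned test response (not real JumpCloud output)."""
    xml = (f'<samlp:Response xmlns:samlp="{NS["p"]}" xmlns:saml="{NS["a"]}" '
           f'Destination="{destination}"><saml:Assertion><saml:Subject>'
           f'<saml:NameID Format="{EMAIL_FORMAT}">user@company.com</saml:NameID>'
           f'</saml:Subject><saml:Conditions NotBefore="{not_before}" '
           f'NotOnOrAfter="{not_on_or_after}"><saml:AudienceRestriction>'
           f'<saml:Audience>https://app.craevidence.com</saml:Audience>'
           f'</saml:AudienceRestriction></saml:Conditions></saml:Assertion>'
           f'</samlp:Response>')
    return base64.b64encode(xml.encode()).decode()
```

A captured response is a usable credential until its NotOnOrAfter time passes, so handle it like a secret and run this only on responses from your own test account.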

SCIM Provisioning Issues

401 Unauthorized

Cause: Invalid or missing Bearer token

Solutions:

  • Verify the token in JumpCloud includes Bearer prefix (with space)
  • Confirm the token was copied correctly (no extra spaces)
  • Check the SCIM client is enabled in CRA Evidence
  • If token is lost, rotate it in CRA Evidence and update JumpCloud

429 Too Many Requests

Cause: Rate limit exceeded

Solutions:

  • Wait for the rate limit window to reset (1 hour)
  • For large initial syncs, contact CRA Evidence support to increase limit
  • Check provisioning logs for retry patterns

User Already Exists (409 Conflict)

Cause: User was previously created via different method

Solutions:

  • If user exists from SAML JIT, SCIM will link to existing account
  • Check external identity mappings in SCIM logs
  • Verify userName (email) matches existing user

User Not Being Provisioned

Cause: Configuration or assignment issue

Solutions:

  • Verify the user is assigned to the CRA Evidence application in JumpCloud
  • Check SCIM is enabled in JumpCloud Identity Management
  • Review provisioning logs in CRA Evidence (Settings > SCIM > Logs)
  • Ensure userName is a valid email address

Debug Mode

To enable detailed logging for troubleshooting:

  1. In CRA Evidence, set environment variable: SAML_DEBUG=true
  2. Check application logs for SAML request/response details
  3. In JumpCloud, check Directory Insights for provisioning events

Optional: SSO Enforcement

Once you have verified SSO is working correctly, you can require all users to authenticate via JumpCloud:

  1. In CRA Evidence, go to Settings > Single Sign-On > Enforcement
  2. Enable Require SSO for all users
  3. Optionally enable Allow admins to bypass SSO (for emergency access)
  4. Click Save Settings

Warning: Before enabling enforcement, ensure at least one admin can still log in via password (bypass) in case of IdP issues.


Support

If you encounter issues not covered in this guide:

  1. Check the SAML SSO Architecture documentation
  2. Check the SCIM Provisioning Architecture documentation
  3. Review JumpCloud's SAML documentation
  4. Contact CRA Evidence support at support@craevidence.com

When contacting support, provide:

  • Screenshot of error messages
  • JumpCloud application configuration (without secrets)
  • CRA Evidence IdP configuration (without certificate)
  • SCIM provisioning logs (if applicable)
Last updated February 27, 2026