Skip to main content
Jaapi

Identity & SSO

JumpCloud + Jaapi

Connect JumpCloud to Jaapi for enterprise SSO and automated user provisioning. Employees sign in with their JumpCloud credentials, and SCIM 2.0 keeps the store's user list in sync as people join and leave.

Get a demo

Yes, Jaapi integrates with JumpCloud for both single sign-on and automated user provisioning. Employees sign in to the swag store with their existing JumpCloud credentials, and SCIM 2.0 keeps the store’s user list in sync — accounts are created on hire and deactivated on departure, with no manual invites. Setup is self-serve for your JumpCloud administrator.

How does the JumpCloud integration work?

Both halves live on a single application entry in JumpCloud. SSO uses a Custom SAML App: your admin adds it under SSO Applications with the store’s Entity ID and ACS URL, and JumpCloud’s metadata export makes the store-side setup copy-paste. Provisioning uses JumpCloud’s Identity Management feature on the same app: point it at the store’s SCIM base URL, paste a Bearer token from your store settings, and JumpCloud pushes user lifecycle events from then on.

Access follows JumpCloud’s group model. You bind the Jaapi app to one or more user groups, and both sign-in visibility and provisioning follow membership: joining the group creates a store account, leaving it deactivates one.

What syncs from JumpCloud to Jaapi?

  • Onboarding. Adding a user to a bound group creates their store account.
  • Profile updates. Name and email changes flow through automatically.
  • Offboarding. Removing a user from the group — or suspending them in JumpCloud — deactivates their store account, and unspent credit is reclaimed to an admin wallet.
  • Rehires. Users who return have their original account reactivated, history intact.

One JumpCloud-specific note: JumpCloud’s SCIM implementation matches users by email rather than sending an externalId, so keeping work emails consistent in your directory is what keeps the mapping stable. That’s the default in practice, and the sync validates every account against your allowed email domain anyway.

How do I set up JumpCloud SSO and provisioning?

  1. In your Jaapi store, go to Settings and generate a SCIM API token.
  2. In the JumpCloud Admin Portal, add a Custom SAML App under SSO Applications and configure it with your store’s Entity ID and ACS URL from the store’s SSO setup guide.
  3. On the same app, open the Identity Management (Provisioning) tab, enter the store’s SCIM base URL and the Bearer token from step 1, and run Test Connection. JumpCloud verifies the endpoint with a short create-update-delete cycle — use a throwaway test email that doesn’t already exist in the store, then click Activate.
  4. Bind the app to a user group. Start with a small pilot group, confirm those users appear in the store, then widen to everyone.

What about groups and roles?

Jaapi uses a flat access model — store user or admin — so JumpCloud groups control who is provisioned, not what role they get. Admin access is granted within Jaapi, and admin accounts are protected from deletion via SCIM. If you want HR attributes like department or start date to drive credit budgets and gifting, pair SSO with an HRIS sync — SCIM carries identity, not HR data.

Is the JumpCloud integration secure?

Yes. SSO removes store-specific passwords entirely, SCIM requests are authenticated with a store-scoped Bearer token over HTTPS, and new accounts are validated against your allowed email domain. Every provisioning action is audit-logged. Jaapi is ISO 27001:2022 certified with EU-hosted data.

Custom branded tumblers

Ready to send your global team swag they actually want?

Book a demo and we'll show you a store your team will actually be excited about. Quality branded items, made on demand, delivered locally. No warehouse, no customs drama.

Get a demo