SAML: Configuring JumpCloud

This guide walks you through configuring JumpCloud as a SAML SSO identity provider (IdP) for Pulumi Cloud.

Creating the JumpCloud application

1. Sign in to the JumpCloud Admin Portal.
2. Navigate to Access > SSO Applications.
3. Select + Add New Application.
4. Search for Pulumi to use the pre-built connector, or select Custom Application if a pre-built connector is not available, then select Next.
5. On the Select Options page, choose the applicable options and select Next.
6. On the Enter General Info page, enter a display name (for example, Pulumi Cloud), an optional description, and a user portal image. See Pulumi Logos for official artwork.
7. Optionally expand Advanced Settings to set a custom value for the IdP URL endpoint. JumpCloud uses this to construct your SSO IdP URL in the format https://sso.jumpcloud.com/saml2/<custom_value>.

The SSO IdP URL cannot be changed after the application is created. Choose the custom value carefully.

1. Select Save Application, then Configure Application.

Configuring the JumpCloud application

After saving the application, JumpCloud opens the application configuration panel. Select the SSO tab and fill in the SAML settings.

When you are done, select Save.

Assigning users to the application

Assign users to the JumpCloud application before they can sign in with SSO.

1. From the application configuration panel, select the User Groups tab.
2. Check the box next to each user group you want to grant access.
3. Select Save.

Exporting the JumpCloud metadata file

Pulumi requires the IdP metadata XML from JumpCloud to complete SSO configuration.

1. From the SSO tab of the application, select Export Metadata to download the metadata XML file.

   Alternatively, navigate to Access > SSO Applications, check the box next to your Pulumi application in the Configured Applications list, and select Export Metadata in the top-right corner.

2. Save the downloaded JumpCloud-<applicationname>-metadata.xml file; you will need it in the next step.

Configuring your Pulumi organization

1. Sign in to Pulumi Cloud and navigate to your organization.
2. Select the Settings tab, then Access Management.
3. Under Membership Requirements, select Change requirements.
4. Select SAML SSO and select Next.
5. Paste the contents of the JumpCloud metadata XML file into the Identity Provider Metadata field.
6. Select Apply changes.

Signing in with JumpCloud

Once SAML SSO is configured, members of your Pulumi organization can sign in using either of the following methods:

• IdP-initiated: Select the Pulumi tile in the JumpCloud User Console. JumpCloud authenticates the user and redirects them to Pulumi Cloud automatically.
• SP-initiated: Navigate to https://app.pulumi.com/signin/sso/, enter your Pulumi organization name, and you will be redirected to JumpCloud to authenticate.

Optional: automated user provisioning with SCIM

JumpCloud supports SCIM 2.0, which can automatically provision, update, and deprovision users and groups in Pulumi Cloud based on JumpCloud directory state. SAML SSO must be fully configured before enabling SCIM.

To retrieve the SCIM token from Pulumi Cloud:

1. Navigate to your organization in Pulumi Cloud.
2. Select the Settings tab, then SAML SSO.
3. Scroll to the SCIM section and generate a new token. Copy it immediately—it is only shown once.

When configuring SCIM in JumpCloud, use the following values:

For full SCIM configuration steps on the JumpCloud side, refer to JumpCloud’s Integrate with Pulumi support article. For Pulumi’s SCIM provisioning documentation, see SCIM.

Troubleshooting

If you encounter issues with your JumpCloud SAML configuration, refer to the SAML troubleshooting guide for common error patterns and remediation steps.