Skip to content

Integrate JumpCloud SSO

Administrators only

Connect JumpCloud with Tallyfy using SAML-based SSO for automatic user login and account creation. Setup takes about 30 minutes.

  • JumpCloud administrator account
  • JumpCloud SSO Package or higher (or SSO add-on)
  • A Tallyfy administrator account on any paid plan
  • The Tallyfy SP values from the SSO wizard (shown when you pick JumpCloud)
  1. Create a custom SAML application in JumpCloud
  2. Configure service provider settings and attribute mappings
  3. Paste the JumpCloud metadata into the Tallyfy SSO wizard, test, and enable

Phase 1 - Create JumpCloud SAML application

Section titled “Phase 1 - Create JumpCloud SAML application”
  1. Sign in to the JumpCloud Admin Portal

  2. Go to Access from the main menu

  3. Select SSO Applications

  4. Click the + button to add a new application

    JumpCloud SSO applications page with add button

  5. Click Custom SAML App

    Selecting Custom SAML App option in JumpCloud

  1. Select the General Info tab

  2. Enter “Tallyfy” as the Display Label

  3. Optionally add a description and upload the Tallyfy logo

  4. Click Save

    JumpCloud General Info tab with Tallyfy display label

Tallyfy’s service provider configuration tells JumpCloud where to send authentication data. You’ll find these values in the Tallyfy SSO wizard.

  1. In Tallyfy, go to Settings > Organization > Security > SSO
  2. Start a new connection and pick JumpCloud (or generic SAML) as the provider
  3. Copy the two SP values shown on the first step:
    • SP ACS URL (Assertion Consumer Service URL)
    • SP Entity ID (Service Provider Entity ID)

Step 2 - Enter service provider details in JumpCloud

Section titled “Step 2 - Enter service provider details in JumpCloud”
  1. In your JumpCloud SAML application, select the SSO tab

  2. IDP Entity ID - auto-generated by JumpCloud, leave as is

  3. IDP URL - auto-generated by JumpCloud, leave as is

  4. SP Entity ID - enter the value from Tallyfy’s “SP Entity ID” field

  5. ACS URL - enter the value from Tallyfy’s “SP ACS URL” field

    JumpCloud SSO tab with service provider configuration fields

  6. SAMLSubject NameID - select email from the dropdown

  7. SAMLSubject NameID Format - select urn:oasis:names:tc:SAML:2.0:nameid-format:persistent

  8. Keep Sign Assertion checked (default)

  9. Leave Default RelayState empty unless Tallyfy Support says otherwise

JumpCloud needs to know which user info to send to Tallyfy. Add these three attributes:

  1. Scroll to the User Attribute Mapping section

  2. Click add attribute and configure the email attribute:

    • Service Provider Attribute Name: email
    • JumpCloud Attribute Name: Select email
  3. Click add attribute again for the first name:

    • Service Provider Attribute Name: FirstName
    • JumpCloud Attribute Name: Select firstname
  4. Click add attribute one more time for the last name:

    • Service Provider Attribute Name: LastName
    • JumpCloud Attribute Name: Select lastname

    JumpCloud user attribute mapping configuration

  5. Click Save

These names are case-sensitive. Your mappings should look like this:

Service Provider AttributeJumpCloud Attribute
emailemail
FirstNamefirstname
LastNamelastname

Phase 3 - Configure Tallyfy with JumpCloud info

Section titled “Phase 3 - Configure Tallyfy with JumpCloud info”
  1. In your JumpCloud SAML application, stay on the SSO tab

  2. Find the IDP Certificate Valid section

  3. Note these three values (you’ll paste them into Tallyfy):

    • IDP Entity ID
    • IDP URL (Single Sign-On URL)
    • IDP Certificate (X.509 Certificate)

    JumpCloud IDP certificate and metadata section

  4. Easier option: click export metadata at the bottom of the SSO tab and save the XML file. You can paste this whole file into the Tallyfy wizard instead of the individual values.

Step 2 - Paste the metadata into Tallyfy and test

Section titled “Step 2 - Paste the metadata into Tallyfy and test”

Back in the Tallyfy SSO wizard (Settings > Organization > Security > SSO):

  1. Move to the Enter IdP details step
  2. Choose how to provide JumpCloud’s metadata:
    • XML paste - paste the exported metadata file (easiest)
    • Manual entry - enter the IDP URL, IDP Entity ID, and X.509 Certificate
  3. Run the Test connection step. Fix any errors it reports before moving on.
  4. Once the test passes, enable the connection

JumpCloud doesn’t publish a fetchable metadata URL per app, so use XML paste or manual entry here.

  1. In JumpCloud, go to the User Groups tab in your Tallyfy application

  2. Select the user groups or individual users who should access Tallyfy

  3. Click Save

  4. Toggle the application to Active

    JumpCloud application activation toggle and user assignment

Once everything’s configured:

  1. Get your org’s SSO login URL from the SSO wizard in Tallyfy (it’s shown next to the connection)
  2. Share this URL with users assigned to the JumpCloud application
  3. Users can also access Tallyfy through their JumpCloud user portal

What happens at login:

  • Existing Tallyfy account - they’re logged in automatically with JumpCloud credentials
  • No account yet - if auto-join is on and the user’s email is on a verified domain, Tallyfy creates an account on first login using the email, first name, and last name from JumpCloud. Verify your domain first under the Domains tab. See Domain verification.
SSO authentication flow
  • Steps 1-9 are the one-time self-serve setup you run yourself across Tallyfy and JumpCloud
  • Steps 10-16 happen every time a user logs in
  • Tallyfy auto-creates accounts for new users from a verified domain (step 15) using email and name attributes from JumpCloud

Can’t log in? Check these first:

  • Is the user assigned to the JumpCloud application?
  • Are attribute mappings exact? Names are case-sensitive - FirstName not firstname
  • Is the X.509 certificate still valid in JumpCloud?
  • Are users going to the SSO URL or JumpCloud portal - not the regular Tallyfy login page?
  • Is the application set to Active in JumpCloud?
  • Still stuck? Contact Tallyfy Support.

Certificate management - JumpCloud auto-generates and manages certificates when you activate an application. Monitor expiration dates in the JumpCloud Admin Portal.

User portal access - Users can access Tallyfy through their JumpCloud portal alongside other apps.

Just-in-time provisioning - User accounts in Tallyfy are created automatically on first SSO login from a verified domain. SCIM is optional but recommended for larger teams (see below).

Group-based access - Control Tallyfy access by assigning JumpCloud user groups rather than individual users.

SAML logs people in. SCIM keeps your roster in sync. With SCIM on, JumpCloud pushes user adds, updates, and deactivations to Tallyfy automatically, so you don’t rely on someone logging in first and you don’t pay for people who’ve left.

  1. In Tallyfy, go to Settings > Organization > Security > SCIM and turn SCIM on
  2. Copy the Base URL and the bearer token (the token is shown once, so store it safely)
  3. In JumpCloud, open your Tallyfy SAML app and go to the Identity Management tab
  4. Enable identity management, then paste the Tallyfy Base URL into the SCIM base URL field and the bearer token as the token
  5. Test the connection in JumpCloud, then assign user groups to provision them into Tallyfy

To map JumpCloud groups to Tallyfy roles, name the groups to match Tallyfy’s reserved group names (for example tallyfy-admins). Full details are in SCIM provisioning.