ºÚÁϺ£½Ç91Èë¿Ú

Integrate with ADP

Use ºÚÁϺ£½Ç91Èë¿Ú SAML Single Sign On (SSO) to give your users convenient but secure access to all their web applications with a single set of credentials. Automatically provision, update and deprovision users and groups in ADP from ºÚÁϺ£½Ç91Èë¿Ú using the Identity Management (SCIM) integration. Leverage this integration to centralize user lifecycle, user identity, and group management in ºÚÁϺ£½Ç91Èë¿Ú for ADP. Save time and avoid mistakes, as well as potential security risks, related to manually creating users.

Read this article to learn how to integrate with ADP. 

Prerequisites

  • A ºÚÁϺ£½Ç91Èë¿Ú administrator account
  • ºÚÁϺ£½Ç91Èë¿Ú SSO Package or higher or SSO à la carte option
  • An ADP user account with administrator permissions
  • ADP SSO add-on is required to use SSO
  • If configuring Identity Management
    • The ADP API add-on is required to access ADP's API
    • A Client ID and Secret from ADP (part of the API add on package)
    • A to use mTLS

Important Considerations

Attribute Considerations

  • A default set of attributes are managed for users. See the Attribute Mappings section for more details
  • It is highly recommended to map all of the listed optional ºÚÁϺ£½Ç91Èë¿Ú attributes. The dropdown shows all the optional user attributes that can be mapped to create a complete user profile.

Creating a new ºÚÁϺ£½Ç91Èë¿Ú Application Integration

  1. Log in to the .
  2. Go to USER AUTHENTICATION &²µ³Ù;ÌýSSO Applications.
  3. Click + Add New Application.
  4. Type the name of the application in the Search field and select it.
  5. Click Next.
  6. In the Display Label, type your name for the application. Optionally, you can enter a Description, adjust the User Portal Image and choose to hide or Show in User Portal.

Note:

If this is a Bookmark Application, enter your sign-in URL in the Bookmark URL field.

  1. Optionally, expand Advanced Settings to specify a value for the SSO IdP URL. If no value is entered, it will default to https://sso.jumpcloud.com/saml2/<applicationname>.

Warning:

The SSO IdP URL is not editable after the application is created. You will have to delete and recreate the connector if you need to edit this field at a later time.

  1. Click Save Application.
  2. If successful, click:
    • Configure Application and go to the next section
    • Close to configure your new application at a later time

Configuring the SSO Integration

To configure ºÚÁϺ£½Ç91Èë¿Ú 1

  1. Create a new application or select it from the Configured Applications list.
  2. Select the SSO tab.
  3. Copy and paste your ADP ACS_URL.
  4. Add or change any attributes.
  5. Click save.

Download the certificate

  1. Find your application in the Configured Applications list and click anywhere in the row to reopen its configuration window.
  2. Select the SSO tab and click IDP Certificate Valid > Download certificate.

Tip:

The certificate.pem will download to your local Downloads folder.

To configure ADP

  1. Contact your ADP representative to request that they complete the ADP side of the SAML configuration, providing them with the Issuer URL (ºÚÁϺ£½Ç91Èë¿Ú IdP Entity ID) and X.509 certificate downloaded in the previous step.
  2. When your ADP representative has confirmed that they have completed the ADP SAML setup, request the ADP Relay State for your app.

To configure ºÚÁϺ£½Ç91Èë¿Ú 2

  1. Open ADP from the Configured Applications list.
  2. Select the SSO tab.
  3. Paste the ADP Relay State received from your ADP representative in the Default Relay State field.
  4. Click Save.

Authorizing User SSO Access

Users are implicitly denied access to applications. After you connect an application to ºÚÁϺ£½Ç91Èë¿Ú, you need to authorize user access to that application. You can authorize user access from the Application Configuration panel or from the Groups Configuration panel. 

To authorize user access from the Application Configuration panel

  1. Log in to the .
  2. Go to USER AUTHENTICATION > SSO Applications, then select the application to which you want to authorize user access.
  3. Select the User Groups tab. If you need to create a new group of users, see Get Started: User Groups.
  4. Select the check box next to the group of users you want to give access.
  5. Click save

To learn how to authorize user access from the Groups Configuration panel, see Authorize Users to an SSO Application.

Validating SSO user authentication workflow(s)

IdP-initiated user workflow

  • Access the
  • Go to Applications and click an application tile to launch it
  • ºÚÁϺ£½Ç91Èë¿Ú asserts the user's identity to the SP and is authenticated without the user having to log in to the application

SP-initiated user workflow

  • Go to the SP application login - generally, there is either a special link or an adaptive username field that detects the user is authenticated through SSO

Note:

This varies by SP.

  • Login redirects the user to ºÚÁϺ£½Ç91Èë¿Ú where the user enters their ºÚÁϺ£½Ç91Èë¿Ú credentials
  • After the user is logged in successfully, they are redirected back to the SP and automatically logged in

Configuring the Identity Management Integration

To configure ADP

  1. If you do not have your ADP Client ID and Secret, request it from ADP.
  2. A private key and matching Web Services (WS) Certificate is required to access ADP web services.

Note:

The WS Certificate provides client information to ADP and the matching private key confirms the authenticity of the client.

  • If successful - you will receive a success message and the fields for attribute mapping will appear.
  • unsuccessful - you will receive a failure notification that slides out from the right of the panel and the full error responses received from the service provider will be shown at the bottom of the Configuration Settings section.
  1. Create a CSR and to generate a security certificate.

Important:

The certificate has a lifespan of two years.

  1. Download the cert - choose the Certificate only, PEM encoded download option
  2. Use the Certificate, Private Key (from the CSR), Client ID and Client Secret to submit a bearer token request - Postman was used in this instance.
  3. Use the bearer token to authenticate to the API.

Important:

The token has a lifespan of an hour.

To configure ºÚÁϺ£½Ç91Èë¿Ú

  1. Create a new application or select it from the Configured Applications list.
  2. Select the Identity Management tab.
  3. Under Configuration settings > Service Provider Configuration > API Type, choose Custom API Import.
  4. Check Use mTLS authentication under Mutual TLS (mTLS). Add the following required files:
    • Private Key - click Choose File and then browse to and select the private key file
    • Certificate - click Choose File and then browse to and select the certificate file
  5. Click OAuth 2.0 and then select Client Credentials.
  6. Enter values in the following required fields:
    • Client ID - copy and paste the Client ID
    • Client Secret - copy and paste the Client Secret
    • Access Token URL - enter https://accounts.adp.com/auth/oauth/v2/token
  7. Leave the Scopes field blank.

Tip:

If multiple scopes need to be specified, separate each scope with a space.

  1. Under Endpoint Configuration in the Base URL field, enter https://api.adp.com/hr/v2

List Users

Location
  1. Resource Location - workers
  2. Method - This field is greyed out (not changeable) and is always set to GET.
  3. Endpoint Path - /workers?count=true
Total count
  1. Response Parameter Location - select Body
  2. Response Body JSON Path - meta.totalNumber
Pagination
  1. Limit Name - $top
  2. Offset NameÌý- $skip
  3. ³§±ð±ô±ð³¦³ÙÌýTest Connection.
    • If successful - you will receive a success message and the fields for attribute mapping will appear.
    • If unsuccessful - you will receive a failure notification that slides out from the right of the panel and the full error responses received from the service provider will be shown at the bottom of the Configuration Settings section.

Tip:

You can share the error message(s) with the service provider of the application to troubleshoot the issue.

User Schema Attribute Mappings

  1. Unique ID - associateOID
  2. User Status - workerStatus.statusCode.codeValue
  3. Inactive Status Values - Terminated,Retired,Deceased

Attribute Mappings

The following table lists attributes that ºÚÁϺ£½Ç91Èë¿Ú sends to the application. See Attribute Considerations for more information regarding attribute mapping considerations. 

Learn about ºÚÁϺ£½Ç91Èë¿Ú Properties and how they work with system users in our . 

  1. After completing the mappings using the below table, click Preview Mappings to verify the mappings.
  2. If the mappings are correct, click Activate.

ADP User Attribute Mapping

ºÚÁϺ£½Ç91Èë¿Ú User Field in Admin Portal Service Provider Attribute Notes
Company Email businessCommunication.emails[0].emailUri Maps to the person's business email address
Username businessCommunication.emails[0].emailUri Username portion of the person's business email address is extracted and stored that as the username in ºÚÁϺ£½Ç91Èë¿Ú.
First Name {{ or .person.preferredName.givenName .person.legalName.givenName }} Expression that will store the person's preferred given (first) name in ºÚÁϺ£½Ç91Èë¿Ú if it is populated in ADP. Otherwise, it will store the person's legal first name.
Last Name {{ or .person.preferredName.familyName1 .person.legalName.familyName1 }} Expression that will store the person's preferred family (last) name in ºÚÁϺ£½Ç91Èë¿Ú if it is populated in ADP. Otherwise, it will store the person's legal first name.
Alternate Email person.communication.emails[0].emailUri
Job Title workAssignments[0].jobTitle Populates the person's current job title in ºÚÁϺ£½Ç91Èë¿Ú
Department workAssignments[0].assignedOrganizationalUnits[0].nameCode.shortName
Location person.legalAddress.countryCode The country code from the person's home address
Employee Type workAssignments[0].workerTypeCode.shortName
Employee Identifier workerID.idValue
DisplayName {{{ or .person.preferredName.givenName .person.legalName.givenName }} {{ or .person.preferredName.familyName1 .person.legalName.familyName1 }}} The concatenation of the person's preferred given (first) name or their legal name and their preferred family (last) name depending on what is populated in ADP.
Work Country workAssignments[0].assignedWorkLocations.address.countryCode
Work City workAssignments[0].assignedWorkLocations.address.cityName
Work PO Box
Work Postal Code workAssignments[0].assignedWorkLocations.postalCode
Work State workAssignments[0].homeWorkLocation.nameCode.shortName
Work Street Address {{ .workAssignments[0].assignedWorkLocations.address.line1}} {{ .workAssignments[0].assignedWorkLocations.address.line2}} Concatenation of all street address lines

Importing New Users and Updates

  1. Select the ADP app from the Configured Applications list.
  2. Select the Identity Management tab.
  3. There are several settings available for importing users from your custom application to ºÚÁϺ£½Ç91Èë¿Ú. Warning: Selected import options will apply to both manual and scheduled imports. 
    • Expand the Import Users section.
      • Manual Import - clicking the Start Manual Import button kicks off the process flow for doing an immediate and one-time import of users from your custom application to ºÚÁϺ£½Ç91Èë¿Ú. 
      • Scheduled Imports (hourly) - enabled by default for all new connectors. The first scheduled import will start within an hour after the new connector is saved. Scheduled imports will then run at the same time every hour as the initial scheduled import. Important: Any connectors created prior to the availability of scheduled imports will have this option disabled. To run scheduled imports, you must enable this option.
      • Selecting the Receive summary email after each scheduled import results in user import complete emails being sent after each hourly import. Tip: It's recommended to enable this for the first few scheduled imports to ensure the imports are running correctly. 
    • In the Import Settings section, you can optionally choose:
      • Allow reactivation of users on update. Checking the box for this setting will result in the user state changing from Suspended to Active in ºÚÁϺ£½Ç91Èë¿Ú when a user’s status changes from either Leave or Inactive to Onboarding or Active in your custom application.  
      • Apply Advanced Filters on import (optional). See your custom application's API documentation for available filters.

To start a manual user import

  1. Expand the Import Users section and click Start Manual Import.
  2. Select one of the following options: 
    • Import new users and user updates
    • Only import new users
    • Only import user updates
    • View and select specific new users to import (updates not supported)

Note:

If the option selected includes user updates, the following will occur:

  • Any and all changes made to the mapped user attributes in the source application will be made in ºÚÁϺ£½Ç91Èë¿Ú.
  • Users whose statuses change to one of the defined inactive status will be automatically suspended in ºÚÁϺ£½Ç91Èë¿Ú.
  • If Allow reactivation of users on update is checked, suspended users in ºÚÁϺ£½Ç91Èë¿Ú, whose status change from the defined inactive statuses to ones that are not defined as inactive, will have their user state changed back to Active in ºÚÁϺ£½Ç91Èë¿Ú.
  1. Click Continue.
  2. If you selected the View and select specific new users to import (updates not supported).
    • Select the users you want to import.

Note:

Free accounts can import unlimited users, but will be prompted to upgrade to a paid subscription after 30 days. Similarly, accounts managed by an MSP, that have a license limit, are only allowed to import users up to their license limit and will be prompted to contact their provider once that limit is reached.

  1. The count of users to be imported will show at the bottom left hand of the list. If this is correct, click Import
  2. Review the information in the results modal.
  3. Click one of the tiles to navigate to the Users page, User Groups page, or Device Groups page or close the modal.​

Note:

If you close this modal, you will return to the Identity Management configuration panel.

  1. You will receive a User Import Complete email with a summary of the import results and a link for downloading a copy of the import results.
  2. You can now connect users to all their ºÚÁϺ£½Ç91Èë¿Ú resources. Learn more in the Authorize Users to an SSO App and Connect New Users to Resources articles.

Note:

Imported users must be members of a user group bound to an application  for ºÚÁϺ£½Ç91Èë¿Ú to manage their identity in and access to the application.

SCIM Directory Insights Events

The following Directory Insights (DI) events provide visibility into failures and detailed information about the user and group data being added or updated from HR or other external solutions to ºÚÁϺ£½Ç91Èë¿Ú.

Note:

Customers with no package or the Device Management Package will need to add the Directory Insights à la carte option. Directory Insights is included in all other .

SCIM DI Integration Events

Event Name Event Description
idm_integration_activate Logged when an IT admin attempts to activated new SCIM Identity Management integration.
idm_integration_update Logged when an IT admin attempts to update a configured and activated SCIM Identity Management integration.
idm_integration_reauth Logged when an IT admin attempts to change the credentials for an activated SCIM Identity Management integration.
idm_integration_delete Logged when an IT admin attempts to deactivate an activated SCIM Identity Management integration.

SCIM DI User Events

Event Name Event Description
user_create_provision Logged when ºÚÁϺ£½Ç91Èë¿Ú tries to create a new user in service provider application.
user_update_provision Logged when ºÚÁϺ£½Ç91Èë¿Ú tries to update an existing user in service provider application.
user_deprovision Logged when ºÚÁϺ£½Ç91Èë¿Ú tries to change an existing user to inactive in the service provider application.
user_delete_provision Logged when ºÚÁϺ£½Ç91Èë¿Ú tries to delete an existing user in service provider application.
user_lookup_provision Logged when ºÚÁϺ£½Ç91Èë¿Ú encounters an issue when trying to lookup a user to determine if the user needs to be created or updated.

Removing the Integration

Important:

These are steps for removing the integration in ºÚÁϺ£½Ç91Èë¿Ú. Consult your SP's documentation for any additional steps needed to remove the integration in the SP. Failure to remove the integration successfully for both the SP and ºÚÁϺ£½Ç91Èë¿Ú may result in users losing access to the application.

To deactivate the IdM Integration

  1. Log in to the .
  2. Go to USER AUTHENTICATION > SSO Applications.
  3. Search for the application that you’d like to deactivate and click to open its details panel. 
  4. Under the company name and logo on the left hand panel, click the Deactivate IdM connection link.
  5. Click confirm
  6. If successful, you will receive a confirmation message.

To deactivate the SSO Integration or Bookmark

  1. Log in to the .
  2. Go to USER AUTHENTICATION > SSO Applications.
  3. Search for the application that you’d like to deactivate and click to open its details panel. 
  4. Select the SSO or Bookmark tab.
  5. Scroll to the bottom of the configuration.
  6. Click Deactivate SSO or Deactivate Bookmark
  7. Click save
  8. If successful, you will receive a confirmation message.

To delete the application

  1. Log in to the .
  2. Go to USER AUTHENTICATION > SSO Applications.
  3. Search for the application that you’d like to delete.
  4. Check the box next to the application to select it.
  5. Click Delete.
  6. Enter the number of the applications you are deleting
  7. Click Delete Application.
  8. If successful, you will see an application deletion confirmation notification.

Warning: Imported users must be members of a user group bound to an application for ºÚÁϺ£½Ç91Èë¿Ú to manage their identity in, and access to, the application.

Back to Top

List IconIn this Article

Still Have Questions?

If you cannot find an answer to your question in our FAQ, you can always contact us.

Submit a Case