ºÚÁϺ£½Ç91Èë¿Ú

Integrate with Bob

The Bob (HiBob) integration automates user creation, updates, and deprovisioning in ºÚÁϺ£½Ç91Èë¿Ú based on events that occur in Bob. The automation creates efficiencies for IT and HR by reducing manual processes related to onboarding new hires, role changes, and offboarding. It also reduces security concerns related to manual data entry and access based on outdated user data.

Read this article to learn how to configure the Bob Integration.

Prerequisites

  • A ºÚÁϺ£½Ç91Èë¿Ú administrator account
  • ºÚÁϺ£½Ç91Èë¿Ú SSO Package or higher or SSO à la carte option
  • A ºÚÁϺ£½Ç91Èë¿Ú API key to connect Bob and ºÚÁϺ£½Ç91Èë¿Ú
  • A Bob administrator account
  • If you will be configuring SSO, request your company ID from HiBob support
  • Review the latest article in the HiBob Help Center.

Important Considerations

  • If an employee is not assigned to any SSO provider they will be able to log in to Bob using only their Bob username and password
  • Each employee can be assigned to only one SSO provider
  • If all employees are required to log in using SSO, you will not be able to set up any additional SSO integrations with Bob
  • If you select people by condition and an employee who is currently assigned to another SSO is included in the conditions they will not be able to log in to Bob
  • We recommend creating a separate ºÚÁϺ£½Ç91Èë¿Ú administrator account to generate the ºÚÁϺ£½Ç91Èë¿Ú API key for this integration
  • To use the Staged user state in ºÚÁϺ£½Ç91Èë¿Ú, contact the HiBob’s support team and ask them to change the default behavior. By default, the Bob integration will only create the user in an Active or Suspended (inactive) user state unless they change this default behavior
    • We recommend setting your user state default to Staged to make it easier to identify users who have been imported and to complete the onboarding process without granting access. You can learn more about the Staged user state at Manage User States
  • To automatically send the ºÚÁϺ£½Ç91Èë¿Ú activation email when the integration changes the user state of a user from Staged to Active in ºÚÁϺ£½Ç91Èë¿Ú, contact your Bob implementation manager to submit an engineering request or contact the HiBob Support Team to create support ticket to enable this functionality.
  • We recommend that you do not set a default password in Bob. Setting a default password prevents you from being able to send an Activation email allowing the user to set their own password. You can set one later in ºÚÁϺ£½Ç91Èë¿Ú if needed
  • Bob users created before the ºÚÁϺ£½Ç91Èë¿Ú integration was configured will be synchronized in ºÚÁϺ£½Ç91Èë¿Ú once one of the mapped properties is updated for those users in Bob
  • Bob users not in ºÚÁϺ£½Ç91Èë¿Ú will be created
  • Bob users who have already been created in ºÚÁϺ£½Ç91Èë¿Ú will be updated 
  • You can request HiBob's support team to trigger an all employees' synchronization to ºÚÁϺ£½Ç91Èë¿Ú
  • The Bob integration is managed and supported by the HiBob team. Please contact the HiBob support team first if you encounter issues with the integration

Configuring the Identity Management Integration

To get your ºÚÁϺ£½Ç91Èë¿Ú API Key

Note: The Admin API key needs to belong to an Admin that has one of the following roles; Manager, Administrator or Admin with Billing. Creating an administrator service account with one of these roles is one way to ensure the integration isn't dependent on a specific admin account.

Warning:

Once a new API key is generated, this revokes access to the current API key. 

  1. Log in to the with the administrator account you want to use to generate the API key for this integration.
  2. Click your initials in the top right corner.
  3. Select My API Key.
  4. Click on Generate New API Key.
  5. Copy the API Key and store it securely, or leave this tab open while you complete the integration configuration steps in the SP.

Important:

This is the only time your API key will be visible to you. Store it somewhere safe, such as the ºÚÁϺ£½Ç91Èë¿Ú Password Manager, so you can access it later.

To configure the ºÚÁϺ£½Ç91Èë¿Ú default user state

Tip:

Review Manage User States for more information.

  1. Log in to the .
  2. Navigate to Users > Settings.
  3. Set Manual / Single User API and CSV Import / Bulk User API Import values to the default user state you prefer for users created by the integration
  4. Click Save.

To configure the ºÚÁϺ£½Ç91Èë¿Ú integration in Bob

Tip:

The Identity Management Integration is solely configured in Bob. Review Bob's for more information.

  1. Login to with an administrator account.
  2. From the left bottom menu, navigate to Settings > Integrations.
  3. Under Provisioning, select MANAGE in the ºÚÁϺ£½Ç91Èë¿Ú tile.
  4. Click + Add connection.

Note:

You can add multiple connections.

  1. Enter a name for your connection and your ºÚÁϺ£½Ç91Èë¿Ú API key.
  2. Click Connect.
  3. In the Provision settings section, click Edit (pencil).
  4. When to provision - select when you want users created in ºÚÁϺ£½Ç91Èë¿Ú:
    • On profile creation in Bob
    • On start date
    • Before start date (specify number of days)
  1. Who to provision - select the users to be synced to ºÚÁϺ£½Ç91Èë¿Ú:
    • All Employees
    • Select by condition - users meeting a certain condition, or a chosen set of users
    • Select by name - the list can be further filtered to users whose work email address matches a specified domain(s)
  1. Default user settings - select the value for What status do users in Jumpcloud start with? This controls in which user state a user is created. The choices are:
    • Inactive until start date - creates users in the suspended user start and the automatically changes the user state to active them on their start date. Resources cannot be assigned to users when they are in a suspended user state in ºÚÁϺ£½Ç91Èë¿Ú
    • Active - creates users in the active user state. User have access to all assigned resource when they are in an active user state
    • Inactive - creates users in the suspended user state

Note:

If you want user created in the Staged user state, which is recommended, you must contact Bob support and have that option enabled.

  1. Deactivation:
    • Enabled - users are automatically suspended in ºÚÁϺ£½Ç91Èë¿Ú when they are made inactive or deleted in Bob. (recommended)
    • Disabled - the user state remains unchanged in ºÚÁϺ£½Ç91Èë¿Ú when they are made inactive or deleted in Bob
  2. User credentials:
    • Enabled - all users are created with the specified default password in ºÚÁϺ£½Ç91Èë¿Ú
    • Disabled - a user is created without a password in ºÚÁϺ£½Ç91Èë¿Ú. (recommended)
  3. Scroll back to the top of the Provisioning settings and click Save.
  4. Data mapping - select your desired attributes to be sent from Bob into ºÚÁϺ£½Ç91Èë¿Ú and click Save when finished. You can also create custom attributes to map to ºÚÁϺ£½Ç91Èë¿Ú by clicking on the + Add field button at the bottom of the section.

Tip:

Refer to Bob's article for more information.

Bob User Attributes

Bob Field NameÌý ºÚÁϺ£½Ç91Èë¿Ú Attribute ºÚÁϺ£½Ç91Èë¿Ú UI Field Name Notes
Email email Email REQUIRED
Display Name OR Define the mapping type as "Text and fields" and the Bob data as Basic Info - First Name.Basic Info - Last Name OR Define a username custom attribute on the user record username Username Depending on your username naming convention, there are a few options you can set as the Bob Field Name. We suggested a few. If you select Display Name, the space between the first and last names will be removed, so the username will be firstlast. Regardless of the option you choose, confirm that the value adheres to the username requirements outlined in ºÚÁϺ£½Ç91Èë¿Ú's naming conventions
First name firstname First Name Ìý
Surname lastname Last Name Ìý
Middle name middlename Middle Name Ìý
Display name displayname Display Name Ìý
Work phone phonenumbers[{type:work}] Work Phone Ìý
Work mobile phonenumbers[{type:cell}] Work Cell Ìý
Title jobTitle Job Title Ìý
Department department Department Ìý
Employee ID employeeIdentifier Employee ID Ìý
Site location Location Ìý
Employment type employeeType Employee Type Ìý
Employee status state User state The state value set for new users, staged or active, is determined by the integration settings in Bob.

ºÚÁϺ£½Ç91Èë¿Ú custom fields mapping

Note:

Up to 10 custom attributes can be used.

If you have created custom fields in ºÚÁϺ£½Ç91Èë¿Ú they will not appear in the list of available fields to map to.

However, you can create a new custom field in ºÚÁϺ£½Ç91Èë¿Ú directly from the Provisioning settings in Bob and map it to any Bob field.

  1. Click + Add field.
  2. In the Bob data column, select the Bob field.
  3. In the ºÚÁϺ£½Ç91Èë¿Ú field column, select Custom field 1 (or 2-10).

When the data is synced, a new custom field will be created in ºÚÁϺ£½Ç91Èë¿Ú with the same name as the Bob field.

Syncing Users

  • Users are automatically created in ºÚÁϺ£½Ç91Èë¿Ú when new hires are added to Bob
  • Users are automatically updated when changes are made to employee profiles
  • User are automatically deactivated in ºÚÁϺ£½Ç91Èë¿Ú when employees leave the company if the Deactivation option is enabled
  • A manual sync can be triggered at any time:
    • Login to with an administrator account
    • From the left menu, select Settings > Integrations
    • In the Provisioning category, click Manage the ºÚÁϺ£½Ç91Èë¿Ú thumbnail
    • Scroll down to the Manual syncs section
    • Click Sync Now
    • You can download the manual sync results
    • You can see the status of each record in the Synced records section

User Sync Troubleshooting

You can see the status of each user record for which a sync was attempted in the Synced user section. If there was a failure, click on the stacked ellipses menu and choose details. A window will show detailed error message information.

Configuring the SSO Integration 

To configure ºÚÁϺ£½Ç91Èë¿Ú

  1. Log in to the .
  2. Go to USER AUTHENTICATION > SSO Applications.
  3. Search for and select Bob.
  4. Select the SSO tab.
  5. In the ACS URLs section:
    • Replace YOUR_ID with your company ID provided by HiBob support (you can obtain this in the next section if you do not have it)
    • Ensure that Declare Redirect Endpoint is checked
  6. Select save.

Download the ºÚÁϺ£½Ç91Èë¿Ú metadata file

  1. Find your application in the Configured Applications list and click anywhere in the row to reopen its configuration window.
  2. Select the SSO tab and click Export Metadata.
  3. The ºÚÁϺ£½Ç91Èë¿Ú-<applicationname>-metadata.xml will be exported to your local Downloads folder.

Tip:

Metadata can also be downloaded from the Configured Applications list. Search for and select the application in the list and then click Export Metadata in the top right corner of the window.

To configure Bob

  1. Login to with an administrator account.
  2. From the left bottom menu, navigate to Settings > Integrations > SSO.
  3. Click Connect on the ºÚÁϺ£½Ç91Èë¿Ú tile and then click Set up.
    • Company ID - copy this value if you have not already obtained it from Bob support
    • Metadata file from ºÚÁϺ£½Ç91Èë¿Ú - click Upload to search for and select the ºÚÁϺ£½Ç91Èë¿Ú metadata file generated in the previous section
    • Who to include:
      • All Employees
      • Select by condition - users meeting a certain condition, or a chosen set of users
      • Select by name - the list can be further filtered to users whose work email address matches a specified domain(s)
  4. Click Save.

Note:

In ºÚÁϺ£½Ç91Èë¿Ú, if you have not configured the SSO ACS URL, replace YOUR_ID with your Bob Company ID.

Authorizing User SSO Access

Users are implicitly denied access to applications. After you connect an application to ºÚÁϺ£½Ç91Èë¿Ú, you need to authorize user access to that application. You can authorize user access from the Application Configuration panel or from the Groups Configuration panel. 

To authorize user access from the Application Configuration panel

  1. Log in to the .
  2. Go to USER AUTHENTICATION > SSO Applications, then select the application to which you want to authorize user access.
  3. Select the User Groups tab. If you need to create a new group of users, see Get Started: User Groups.
  4. Select the check box next to the group of users you want to give access.
  5. Click save

To learn how to authorize user access from the Groups Configuration panel, see Authorize Users to an SSO Application.

Validating SSO user authentication workflow(s)

IdP-initiated user workflow

  • Access the
  • Go toÌýApplications and click an application tile to launch it
  • ºÚÁϺ£½Ç91Èë¿Ú asserts the user's identity to the SP and is authenticated without the user having to log in to the application

SP-initiated user workflow

  • GoÌýto the SP application login - generally, there is either a special link or an adaptive username field that detects the user is authenticated through SSO

Note:

This varies by SP.

  • Login redirects the user to ºÚÁϺ£½Ç91Èë¿Ú where the user enters their ºÚÁϺ£½Ç91Èë¿Ú credentials
  • After the user is logged in successfully, they are redirectedÌýback to the SP and automatically logged in

Removing the Identity Management Integration

  1. From the top left, click Bob products > System settings.
  2. From the left menu, select Integrations.
  3. From the dropdown in the upper right change All Apps to Connected Apps
  4. Click Manage on the ºÚÁϺ£½Ç91Èë¿Ú tile
  5. Click the three-dot menu at the end of the row
  6. Select Remove
  7. Type REMOVE
  8. Click Remove

Back to Top

List IconIn this Article

Still Have Questions?

If you cannot find an answer to your question in our FAQ, you can always contact us.

Submit a Case