JumpCloud SSO with QuFabric Self-Hosted
JumpCloud is a cloud-based directory platform that provides identity, access, and device management. It offers single sign-on (SSO), multi-factor authentication (MFA), and centralized user management.
Management Setup (Recommended)
Add JumpCloud as an external IdP directly in the QuFabric Management Dashboard. This is the simplest approach and recommended for most deployments.
Prerequisites
- QuFabric self-hosted with embedded IdP enabled
- JumpCloud account with admin permissions
Step 1: Start Creating OIDC Application in JumpCloud
- Navigate to JumpCloud Admin Portal
- Click SSO Applications under USER AUTHENTICATION

- Click Add New Application → Custom Application

- Confirm Custom application and click Next
- Select Manage Single Sign-On (SSO) and check Configure SSO with OIDC

- Click Next
- Enter Display Label: QuFabric
- Click Next
- Review and click Configure Application
- On the SSO tab, configure:
  - Redirect URIs: https://<your-qufabric-domain>/oauth2/callback (you'll verify this matches exactly in Step 3)
  - Client Authentication Type: Client Secret POST
  - Login URL: https://<your-qufabric-domain>/
- Under Attribute Mapping, enable:
  - Email scope
  - Profile scope
- Click Save to save the SSO configuration
- Click the User Groups tab and select at least one user group that can access QuFabric
- Don't click Activate yet — keep this tab open and proceed to Step 2
Sometimes, the JumpCloud application configuration will add duplicate attributes, like email and email_verified. Remove any duplicates if they appear.
Step 2: Get Redirect URL from QuFabric
- Open a new tab or window and log in to your QuFabric Dashboard
- Navigate to Settings → Identity Providers
- Click Add Identity Provider
- Fill in the fields:
| Field | Value |
|---|---|
| Type | Generic OIDC |
| Name | JumpCloud (or your preferred display name) |
| Client ID | From JumpCloud application (will fill after Step 3) |
| Client Secret | From JumpCloud application (will fill after Step 3) |
| Issuer | https://oauth.id.jumpcloud.com/ (must include trailing slash) |
Important: The Issuer must be exactly https://oauth.id.jumpcloud.com/ (with trailing slash) to match what JumpCloud returns. If you enter it without the trailing slash, the connector will fail to initialize.
- Copy the Redirect URL that QuFabric displays (but don't click Add Provider yet)

Step 3: Complete JumpCloud Application Setup
- Return to the JumpCloud tab
- Click the SSO tab
- Under Redirect URIs, verify the redirect URL matches the exact URL you copied from QuFabric (e.g., https://qufabric.hopkins.sh/oauth2/callback). If it doesn't match exactly, update it to match.
- Click Save (if you made any changes)

- Click Activate
- Note the Client ID and Client Secret — you'll need these for Step 4

Step 4: Complete QuFabric Setup
- Return to the QuFabric tab
- Fill in the Client ID and Client Secret from Step 3

- Click Add Provider
Step 5: Test the Connection
- Log out of QuFabric Dashboard
- On the login page, you should see a "JumpCloud" button
- Click it and authenticate with your JumpCloud credentials
- You should be redirected back to QuFabric and logged in. Unless your user approval setting was changed, you will need to log back in to your local admin account to approve the user.
Configuring JWT 'groups' Claim
To sync JumpCloud groups with QuFabric, you need to enable the group attribute in your JumpCloud OIDC application.
Step 1: Enable Group Attributes in JumpCloud
- In JumpCloud Admin Portal, go to Access → SSO Applications
- Select your QuFabric application
- Go to the SSO tab
- Under Attribute Mapping, find the Group Attributes section
- Check Include group attribute
- In Groups Attribute Name, enter: groups
- Click Save

Step 2: Assign User Groups to the Application
- In your QuFabric application, go to the User Groups tab
- Select the groups whose members should have access to QuFabric
- Click Save
Users will receive group claims based on which assigned groups they belong to.
Step 3: Enable JWT Group Sync in QuFabric
- In QuFabric Dashboard, go to Settings → Groups
- Enable JWT group sync
- Set JWT claim to groups
- Optionally configure JWT allow groups to restrict access
Known issue: If a user belongs to only one group, JumpCloud may return it as a string instead of an array, which can cause issues. Ensure users are members of at least two groups for consistent behavior, or test with your specific setup.
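The Issuer note in Step 2 and the known issue above both come down to what JumpCloud actually puts in the ID token. The following added example (not QuFabric or JumpCloud code) decodes a token payload without verifying it, for diagnostics only, and reports whether iss matches the configured Issuer exactly and whether groups arrived as a string or an array; the function names, sample tokens and group names are constructed for illustration.

```python
import base64
import json

# Issuer value from the page; it must match the token's iss byte for byte.
EXPECTED_ISSUER = "https://oauth.id.jumpcloud.com/"


def decode_payload(jwt: str) -> dict:
    """Decode a JWT payload WITHOUT verifying the signature (diagnostics only)."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected 3 dot-separated segments)")
    seg = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(seg))


def normalize_groups(claims: dict, claim_name: str = "groups") -> list:
    """Return the groups claim as a list, whatever shape the IdP sent."""
    value = claims.get(claim_name)
    if value is None:
        return []
    if isinstance(value, str):  # single-group case from the known issue
        return [value]
    if isinstance(value, list) and all(isinstance(g, str) for g in value):
        return value
    raise TypeError(f"unexpected {claim_name!r} claim type: {type(value).__name__}")


def diagnose(jwt: str, configured_issuer: str = EXPECTED_ISSUER) -> dict:
    """Report issuer match and groups-claim shape for one ID token."""
    claims = decode_payload(jwt)
    raw = claims.get("groups")
    return {
        "issuer_matches": claims.get("iss") == configured_issuer,  # exact, no slash trimming
        "groups_shape": "missing" if raw is None else type(raw).__name__,
        "groups": normalize_groups(claims),
    }


def make_sample_token(claims: dict) -> str:
    """Build a constructed, unsigned sample token for the demo below."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.sig"


if __name__ == "__main__":
    for g in ("qufabric-admins", ["qufabric-admins", "vpn-users"]):  # constructed groups
        print(diagnose(make_sample_token({"iss": EXPECTED_ISSUER, "groups": g})))
```

To check a real login, pass the ID token from a test sign-in to diagnose() and handle that token as a secret while it is still valid.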
Standalone Setup (Advanced)
Use JumpCloud as your primary identity provider instead of QuFabric's embedded IdP. This option gives you full control over authentication and user management. It is recommended for experienced JumpCloud administrators, as it also requires additional setup and ongoing maintenance.
For most deployments, the embedded IdP is the simpler choice — it's built into QuFabric, fully integrated, and requires minimal configuration to get started. For this implementation, go back up to the Management Setup (Recommended) section above.
For detailed instructions on the standalone setup, see the JumpCloud SSO with QuFabric Self-Hosted (Legacy) documentation.
If you prefer to have full control over authentication, consider self-hosted alternatives like PocketID.
Troubleshooting
"Connector failed to initialize" error
- Ensure Attribute Mapping has both Email and Profile scopes enabled
- Verify at least one User Group is assigned to the application before activation
- Check that Redirect URIs exactly matches the URL from QuFabric (no trailing slashes)
- Ensure Client Authentication Type is set to Client Secret POST
- Verify Login URL matches your QuFabric domain exactly
- Make sure the application is Activated and you have the correct Client ID and Client Secret
- Remove any duplicate attributes in Attribute Mapping (e.g., email and email_verified)
"Invalid redirect URI" error
- Ensure all redirect URIs are configured in JumpCloud
- Check for trailing slashes
- Verify URLs match exactly
Users can't access QuFabric
- Verify the user belongs to an assigned user group
- Check that the user group is assigned to the QuFabric application

