some file

JumpCloud SSO with NetBird Self-Hosted

JumpCloud is a cloud-based directory platform that provides identity, access, and device management. It offers single sign-on (SSO), multi-factor authentication (MFA), and centralized user management.

Add JumpCloud as an external IdP directly in the NetBird Management Dashboard. This is the simplest approach and recommended for most deployments.

Prerequisites

  • NetBird self-hosted with embedded IdP enabled
  • JumpCloud account with admin permissions

Step 1: Start Creating OIDC Application in JumpCloud

  1. Navigate to JumpCloud Admin Portal
  2. Click SSO Applications under USER AUTHENTICATION

SSO Applications

  1. Click Add New ApplicationCustom Application

Custom Applications

  1. Confirm Custom application and click Next
  2. Select Manage Single Sign-On (SSO) and check Configure SSO with OIDC

SSO with OIDC

  1. Click Next
  2. Enter Display Label: NetBird
  3. Click Next
  4. Review and click Configure Application
  5. On the SSO tab, configure:
    • Redirect URIs: https://<your-netbird-domain>/oauth2/callback (you'll verify this matches exactly in Step 3)
    • Client Authentication Type: Client Secret POST
    • Login URL: https://<your-netbird-domain>/
  6. Under Attribute Mapping, enable:
    • Email scope
    • Profile scope
  7. Click Save to save the SSO configuration
  8. Click the User Groups tab and select at least one user group that can access NetBird
  9. Don't click Activate yet — keep this tab open and proceed to Step 2

Sometimes, the JumpCloud application configuration will add duplicate attributes, like email and email_verified. Remove any duplicates if they appear.

Step 2: Get Redirect URL from NetBird

  1. Open a new tab or window and log in to your NetBird Dashboard
  2. Navigate to SettingsIdentity Providers
  3. Click Add Identity Provider
  4. Fill in the fields:
FieldValue
TypeGeneric OIDC
NameJumpCloud (or your preferred display name)
Client IDFrom JumpCloud application (will fill after Step 3)
Client SecretFrom JumpCloud application (will fill after Step 3)
Issuerhttps://oauth.id.jumpcloud.com/ (must include trailing slash)

Important: The Issuer must be exactly https://oauth.id.jumpcloud.com/ (with trailing slash) to match what JumpCloud returns. If you enter it without the trailing slash, the connector will fail to initialize. See the "Issuer did not match" troubleshooting section for how to fix this if you encounter this error.

  1. Copy the Redirect URL that NetBird displays (but don't click Add Provider yet)

Copy redirect URL

Step 3: Complete JumpCloud Application Setup

  1. Return to the JumpCloud tab
  2. Click the SSO tab
  3. Under Redirect URIs, verify the redirect URL matches the exact URL you copied from NetBird (e.g., https://netbird.hopkins.sh/oauth2/callback). If it doesn't match exactly, update it to match.
  4. Click Save (if you made any changes)

Configure JumpCloud SSO

  1. Click Activate
  2. Note the Client ID and Client Secret — you'll need these for Step 4

Client IDs

Step 4: Complete NetBird Setup

  1. Return to the NetBird tab
  2. Fill in the Client ID and Client Secret from Step 3

JumpCloud configuration

  1. Click Add Provider

Step 5: Test the Connection

  1. Log out of NetBird Dashboard
  2. On the login page, you should see a "JumpCloud" button
  3. Click it and authenticate with your JumpCloud credentials
  4. You should be redirected back to NetBird and logged in. Unless your user approval setting were changed you will need to log back into your local admin account to approve the user.

Standalone Setup (Advanced)

Use JumpCloud as your primary identity provider instead of NetBird's embedded IdP. This option gives you full control over authentication and user management, is recommended for experienced JumpCloud administrators as it also requires additional setup and ongoing maintenance.

For most deployments, the embedded IdP is the simpler choice — it's built into NetBird, fully integrated, and requires minimal configuration to get started. For this implementation, go back up to the Management Setup (Recommended) section above.

Prerequisites

  • JumpCloud account with admin permissions (sign up at https://jumpcloud.com/)
  • Docker and Docker Compose for NetBird

Step 1: Create and Configure SSO Application

  1. Navigate to Admin Portal
  2. Click SSO Applications under USER AUTHENTICATION
  3. Click Add New ApplicationCustom Application

New SSO app

  1. Confirm Custom application selected and click Next

Confirm selection

  1. Select Manage Single Sign-On (SSO) and check Configure SSO with OIDC
  2. Click Next

SSO features

  1. Enter Display Label: NetBird
  2. Click Next

General info

  1. Review and click Configure Application

Confirmation

  1. On the SSO tab, configure:
    • Redirect URIs:
      • https://<domain>/silent-auth
      • https://<domain>/auth
      • http://localhost:53000
    • Client Authentication Type: Public (None PKCE)
    • Login URL: https://<domain>

SSO configuration

  1. Under Attribute Mapping (optional):
    • Standard Scopes: Email, Profile

Attribute configuration

  1. Click User Groups tab and select groups that can access the application

User groups

  1. Click Activate

OIDC app

  1. Note the Client ID

Step 2: Create Administrator for Integration

The NetBird management system requires an API token to get user information from JumpCloud.

If you already have an integration user, confirm it has the required role and skip to Step 3.

  1. Navigate to Admin Portal
  2. Go to Settings and click the add button (+)
  3. Fill in:
    • First Name: NetBird
    • Last Name: Integration
    • Administrator Email: netbird-user@<yourdomain>
    • Role: Read Only
  4. Click Save

Add admin user

Optional: To enable automatic user deletion from JumpCloud when deleted from NetBird, add the --user-delete-from-idp flag to the management startup command and assign the Help Desk role instead.

  1. Check email for login instructions and set a password

Step 3: Generate API Token

  1. Log in to Admin Portal with the integration user
  2. Click the account initials (top-right) → My API Key

Profile

  1. If no key exists, click Generate New API Key
  2. Copy the API token

API key generation

Step 4: Configure NetBird

Set properties in the setup.env file:

NETBIRD_DOMAIN="<YOUR_DOMAIN>"
NETBIRD_AUTH_OIDC_CONFIGURATION_ENDPOINT="https://oauth.id.jumpcloud.com/.well-known/openid-configuration"
NETBIRD_USE_AUTH0=false
NETBIRD_DASH_AUTH_USE_AUDIENCE=false
NETBIRD_AUTH_AUDIENCE="<CLIENT_ID>"
NETBIRD_AUTH_SUPPORTED_SCOPES="openid profile email offline_access"
NETBIRD_AUTH_CLIENT_ID="<CLIENT_ID>"
NETBIRD_AUTH_REDIRECT_URI="/auth"
NETBIRD_AUTH_SILENT_REDIRECT_URI="/silent-auth"
NETBIRD_TOKEN_SOURCE="idToken"

NETBIRD_AUTH_DEVICE_AUTH_PROVIDER="none"

NETBIRD_MGMT_IDP="jumpcloud"
NETBIRD_IDP_MGMT_EXTRA_API_TOKEN="<API_TOKEN>"

Step 5: Continue with NetBird Setup

You've configured all required resources in JumpCloud. Continue with the NetBird Self-hosting Guide.

Troubleshooting

"Issuer did not match" or "Unauthenticated" error

If you see an error like:

FATL ... oidc: issuer did not match the issuer returned by provider, expected "https://oauth.id.jumpcloud.com" got "https://oauth.id.jumpcloud.com/"

This means there's a trailing slash mismatch in the Issuer URL. OIDC validation is strictly character-for-character.

The Cause:

  • Configured in NetBird: https://oauth.id.jumpcloud.com (missing trailing slash)
  • Returned by JumpCloud: https://oauth.id.jumpcloud.com/ (has trailing slash)

Because the service fails to initialize the IDP manager, the Management container will often crash or restart loop, making it impossible to fix this via the Web UI.

Resolution:

If you can still access NetBird Dashboard:

  1. Navigate to SettingsIdentity Providers
  2. Edit the JumpCloud identity provider
  3. Change the Issuer field to exactly https://oauth.id.jumpcloud.com/ (with trailing slash)
  4. Click Save
  5. Restart the management container: docker restart netbird-management

If you cannot access the dashboard (locked out), you must fix it directly in the SQLite database:

  1. Locate the Volume:

    docker volume inspect root_netbird_management
# Look for "Mountpoint", e.g., /var/lib/docker/volumes/root_netbird_management/_data

  2. Access the Database:

    cd /var/lib/docker/volumes/root_netbird_management/_data

# Backup the database first!
cp idp.db idp.db.bak

# Open the database
sqlite3 idp.db

  3. Update the Issuer URL: Inside the SQLite prompt, run the following:

    -- Check current config to confirm missing slash
SELECT config FROM connector;

-- Update the config to add trailing slash to match JumpCloud
UPDATE connector 
SET config = replace(config, 'jumpcloud.com"', 'jumpcloud.com/"') 
WHERE config LIKE '%jumpcloud.com"%';

-- Verify the change
SELECT config FROM connector;

-- Exit
.quit

  4. Restart Service:

    docker restart netbird-management

The service should now start successfully, and the error should be resolved.

"Connector failed to initialize" error

  • Ensure Attribute Mapping has both Email and Profile scopes enabled
  • Verify at least one User Group is assigned to the application before activation
  • Check that Redirect URIs exactly matches the URL from NetBird (no trailing slashes)
  • Ensure Client Authentication Type is set to Client Secret POST
  • Verify Login URL matches your NetBird domain exactly
  • Make sure the application is Activated and you have the correct Client ID and Client Secret
  • Remove any duplicate attributes in Attribute Mapping (e.g., email and email_verified)

"Invalid redirect URI" error

  • Ensure all redirect URIs are configured in JumpCloud
  • Check for trailing slashes
  • Verify URLs match exactly

Users can't access NetBird

  • Verify the user belongs to an assigned user group
  • Check that the user group is assigned to the NetBird application

API token not working

  • Verify the integration user has appropriate permissions
  • Generate a new API token if the current one is invalid

Device authorization not available

  • JumpCloud has limited device auth support
  • Set NETBIRD_AUTH_DEVICE_AUTH_PROVIDER="none"