Configure Google Workspace as an Identity Provider

Integrate an existing Identity Provider (IdP) with JumpCloud to allow users to securely authenticate using their IdP credentials to gain access to their managed resources. 

Prerequisites

• You need to have a Google Cloud account with the permission to create new Google Cloud Projects . 
• You need to have Admin with Billing permissions to configure an IdP. 

Considerations

• Federated authentication will be applied to only specific user groups. See Routing Policies for Identity Providers to learn more.
• Creating the IdP won’t automatically result in users logging in with that IdP.
• User Portal access will be available with a federated login. If you don’t want User Portal access, you can create a policy to deny this, see Get Started: Conditional Access Policies to learn more. 
• In order to provision users from your Google Workspace directory to JumpCloud, see Configure the Google Cloud Directory Sync to learn more.
• If you have third party SSO for your organization turned on in Google Workspace, you’ll need to turn it off for it to work with JumpCloud. See Configuring an Organization-wide Third Party SSO Profile to learn more.

Preparing your IdP to Configure with JumpCloud

To prepare your connection:

1. Log in to your Google Cloud Console.
2. Next to the logo in the top left corner, click the dropdown menu, then in the top right corner of the modal, click NEW PROJECT. Name it something associated with JumpCloud, like ‘JumpCloud OIDC’ and click CREATE.

3. Navigate to APIs & Services, then in the left menu, click OAuth consent screen. 
4. Under User Type, select Internal, then click CREATE.

5. On the App Information page, enter an App name*, something associated with JumpCloud, like ‘JumpCloud OIDC’.
6. In the next dropdown menu, select a User support email*.
7. The sections App logo and App domain are optional fields.

8. Scroll down to Authorized domains, under Authorized domain 1*, enter jumpcloud.com
9. Under Developer contact information, enter an Email address*. 
10. Click SAVE AND CONTINUE.

11. On the next page, you can manage the scopes. Click ADD OR REMOVE SCOPES.
12. Select the first three scopes; email, openID, and profile. 
13. Click UPDATE. 

14. On the Scopes page, click SAVE AND CONTINUE.
15. On the Summary page, verify the app registration is correct, then click BACK TO DASHBOARD. 

16. Under APIs & Services, click Credentials > + CREATE CREDENTIALS, and select OAuth client ID from the dropdown menu.

17. On the next page, click the Application type* dropdown menu and select Web application.
18. Then, enter a Name*, something associated with JumpCloud, like ‘JumpCloud OIDC’.
19. Under Authorized redirect URIs, enter https://login.jumpcloud.com/oauth/callback
20. Click CREATE.

21. You’ll get a successful OAuth client created modal with the Client ID, Client secret, Creation date, and Status. 
22. Copy the Client ID and Client secret to your clipboard. You’ll need these to configure Google Cloud in JumpCloud. Then click OK to exit out of the modal. 

Now, you have a connection to JumpCloud in Google Cloud. Next, you’ll want to configure the connection in JumpCloud.'

Configuring Google Cloud as an IdP in JumpCloud

To configure Google Cloud:

1. Log in to your JumpCloud Admin Portal.
2. Click DIRECTORY INTEGRATIONS > Identity Providers.
3. Click the Add Identity Provider dropdown menu, and select Google. 
4. Enter an Identity Provider Name* as a display name (i.e. Google OIDC).
5. Under Google IdP URL*, enter https://accounts.google.com. 
6. For Client ID*, paste in the first URL that you copied into your clipboard. 
7. For Client Secret, paste in the secret that you copied into your clipboard. 
8. Click Save. 

Managing the IdP 

To manage the IdP:

1. From your JumpCloud Admin Portal, click DIRECTORY INTEGRATIONS > Identity Providers.
2. You can update the name, Google IdP URL, Client ID, and Client Secret. 
3. Under Authentication, you’ll see that Federation is applied to your users, allowing them to authenticate with an IdP. 
4. Under Device Account Provisioning, you can configure either Self Service Account Provisioning or Automated Device Enrollment for whichever OS you’re provisioning. The Status displays either Enabled or Disabled accordingly, click Configure to edit.
   • See Provision New Users on Device Login and Automated Device Enrollment to learn more. 

Deleting the IdP

To delete the IdP:

1. From your JumpCloud Admin Portal, click DIRECTORY INTEGRATIONS > Identity Providers.
2. At the bottom of the IdP Configuration page, under Delete Identity Provider, click Delete IdP. 
3. You’ll be prompted to confirm your deletion, then click Yes, Delete. 

Additional Resources:

Walk through a guided simulation for Configuring Google Workspace as an Identity Provider