Get Started: Google Workspace Integration

The Google Workspace Integration allows for secure and consistent connectivity between JumpCloud and Google Workspace. The integration allows an IT Admin to manually provision new user accounts, schedule imports of new users and updates, and continuously synchronize specified user attributes from JumpCloud to Google or from Google to JumpCloud. In addition, admins can manage distribution groups in Google Workspace from JumpCloud.

Integrating Google Workspace with JumpCloud

You can integrate Google Workspace and JumpCloud in two different integration scenarios that offer the same benefits. To start configuring the integration, ensure you have reviewed the prerequisites and important considerations.

User Integration Scenarios

1. JumpCloud manages user identities:
   • JumpCloud takes over existing Google Workspace accounts 
   • JumpCloud provisions new Google Workspace accounts
2. Google manages user identities:
   • Google Workspace takes over JumpCloud accounts
   • Google Workspace provisions new JumpCloud accounts

Benefits

• Secure, persistent connectivity between JumpCloud and Google Workspace
• A convenient way to import pre-existing Google accounts into JumpCloud
• Automatic provisioning of new JumpCloud accounts into Google Workspace
• Continual user attribute synchronization from JumpCloud to Google accounts
• Accessible self-service account management for your end users
• Simplified login experience:
  • Create a login experience similar to SSO where users log in to JumpCloud and Google Workspace using the same set of credentials
  • Combine this integration with an SSO integration, or IdP configuration, to allow for federated user logins to either system

Prerequisites

• A JumpCloud administrator account
• JumpCloud Device Package or higher
• An active Google Workspace directory
  • Google Workspace directories can contain multiple domains
• A Google Workspace Domain Admin / Google Super Admin account
• One of the following supported licenses:
  • Google Workspace Business edition
  • Google Workspace Education edition
  • Google Workspace Enterprise edition
  • Legacy G Suite Business
  • Legacy G Suite Basic
    • This license requires a valid payment source for user additions
    • Ensure that you validate the billing contact
    • Pending actions need to be completed for password sync to function properly

Considerations

• Don’t add a Google Workspace directory more than once in JumpCloud. If you authorize sync for the same Google Workspace directory more than once, users that are connected to multiple instances of the same Google Workspace directory in JumpCloud could be suspended if you remove them from one of the instances. You can avoid this by deactivating the sync for duplicate Google Workspace directories
• Synchronization occurs by matching the user’s JumpCloud email address with the Google Workspace primary email address or any of a user’s Google Workspace alias email addresses
• Some user attributes are always synced with Google Workspace. Admins should also review and choose additional user attributes prior to importing/exporting users via the integration. See Configure the Google Workspace Integration
• If you are syncing user data from JumpCloud to Google, we recommend that you change user emails in the JumpCloud Admin Portal
• If you change the email domain in JumpCloud for a linked account to a domain outside of the synced Google Workspace directory, you could cause the user information to stop syncing unless you have configured a list of domains and specified one to use as the default for the integration. See Maintain the Google Workspace Integration
• Most changes users make to their personal attributes in the User Portal will sync to Google Workspace if those attributes are set to sync on export. See Configure the Google Workspace Integration
• Regardless of the user state or Password Configurations security settings in JumpCloud, users must be unbound from the Google Workspace Cloud Directory Integration in JumpCloud directory to guarantee that JumpCloud will stop syncing (exporting) information for that user to Google

• Users should be unbound from your Google Workspace Cloud Directory Integration in JumpCloud before they are deleted in Google. This prevents the user being recreated on the next sync from JumpCloud

Google Workspace Integration Configuration Workflow

1. Prepare for the Google Workspace Integration
   • Review considerations and complete prerequisites
   • Add a new Google Workspace Cloud Directory Integration
     • Authorize the Google Workspace Sync
     • Grant access to the Google Super Admin Account
2. Configure the Google Workspace Integration
   • Configure User Attributes
   • Configure User Password Settings
   • Configure Google Workspace Group(s) Management
   • Configure domains
3. Use the Google Workspace Integration
   • Import Users
     • manually
     • automatically
   • Associate users
4. Maintain the Google Workspace Integration
   • Rename the directory
   • Disable Group Management
   • Manage domains
   • Reactivate sync
   • Deactivate sync

Google Workspace Integration Scenarios

Taking Over Existing Google Workspace Accounts

When you import existing Google Workspace users into JumpCloud and assign them to a Google Workspace Cloud Directory Sync integration instance you’ve activated, JumpCloud "takes over" management of those accounts, including being the password authority. JumpCloud will match the account based on the  email address sent as the PrimaryEmail value for the user. Once JumpCloud takes over the account, it will sync all attributes set to “Export” on the Google integration.  See Configure the Google Workspace Integration.

Provisioning New Google Workspace Accounts

User account provisioning involves creating and maintaining users and their attributes. New Google Workspace accounts can be provisioned in Google Workspace or JumpCloud.

Google Workspace–initiated Provisioning

When a user account is created in the Google Admin console, a temporary password can be sent to an alternate email address, which lets users gain access to their account. When you create a user account in Google Workspace, users are provisioned in JumpCloud the following way:

1. Import the user into JumpCloud.
2. Associate the user to the Google Workspace directory in which the user was created.
3. Once the user sets their password in the JumpCloud User Portal, the account synchronization will begin.

JumpCloud-initiated Provisioning

When creating a user account in JumpCloud, a user can be given access to their account in two ways. An activation email can be sent to an alternate email address upon activation. Admins can also set a temporary password during account creation.

To send an activation email to an alternate email address via user access to Google Workspace

1. Add the new user to JumpCloud.
   • Associate the user to the Google Workspace directory.
   • In the user’s Details tab, navigate to User Security Settings and Permissions > Password Settings and ensure Specify initial password box is unchecked.

2. Save the user.
3. Depending on the user state the user was created in, the flow will vary. To learn more about user states, see Manage User States:
   • Staged – the user is not notified of the account creation. When you change their user state to ‘Active’, you will be asked if you want to send the user an Activation email that tells them how to register their account. You will also be given an option to specify to which email address to send the activation email.
   • Active – you will be asked if you want to send the user an Activation email that tells them how to register their account. You will also be given an option to specify to which email address to send the activation email.

4. The user will click the link in the activation email and set their password.

5. After the user registers their account, creates an account password, and logs in to their JumpCloud User Portal, synchronization of their password and all attributes set to ‘export’ will be begin.

To set a temporary password during creation

1. Add the new user to JumpCloud.
2. Associate the user to the Google Workspace directory either directly by selecting the Google Workspace directory from the Directories tab or adding the user to a user group that has access to the Google Workspace directory from the User Groups tab.
3. Enable Specify initial password and set a temporary password. 
4. It is strongly encouraged to select Force user to set their own password at first login.

5. Save the user.
6. Depending on the user state the user was created in, the flow will vary. To learn more about user states, see Manage User States:
   • Staged – the user is not notified of the account creation. When you change their user state to ‘Active’, you will be asked if you want to send the user a Welcome email that tells them to contact their IT admin to receive the password. You will also be given an option to specify to which email address to send the welcome email.
   • Active – you will be asked if you want to send the user an Welcome email that tells them to contact their IT admin to receive the password. You will also be given an option to specify to which email address to send the welcome email.
7. Securely provide the temporary password that was initially set.
8. Once the user logs in to the JumpCloud User Portal and sets their password, synchronization of their password and all attributes set to Export will begin.

Authorizing the Google Workspace Integration

To integrate Google Workspace and JumpCloud, you start by authorizing the sync from the JumpCloud Admin Portal and granting access to the Google Super Admin Account in Google. This step applies to all user integration scenarios.

Considerations

• The Google Workspace Directory integration will stay authorized indefinitely if the following conditions are met:
  • The administrator that authorized the integration continues to exist in both JumpCloud and Google Workspace
  • The integration has been utilized (via an import or export) in the past six months
• If either of the above conditions aren’t met, the integration will need to be reauthorized

To authorize the Google Workspace Sync

1. Log in to the JumpCloud Admin Portal.
2. Navigate to DIRECTORY INTEGRATIONS > Cloud Directories.
3. Click ( + ). 
4. Select Google Workspace. 
   
5. Give the Google Workspace directory instance a unique name.​​

6. Click authorize sync.
7. Select your admin account then click Allow.
8. If you have already granted access to the Google Super Admin account, move to the next document in this series Configure the Google Workspace Integration.

To grant access to the Google Super Admin Account

After you authorize Google Workspace sync, you need to grant access to the Google Super Admin account. This is a Google best practice and needed for providing a single set of identity management controls across all Google services, including Cloud Identity.

1. Log in to Google using a Super Administrator account.
2. Click Allow.

Next Steps

Ready to Configure?

Check out the next article in this document series, Configure the Google Workspace Integration, to choose user attributes you want to import, export or exclude between JumpCloud and Google.

Want additional assistance from JumpCloud? 

If you’re having issues with getting JumpCloud’s Google Workspace Integration working, try Troubleshoot: Google Workspace Integration.

JumpCloud now offers myriad professional services offerings to assist customers with implementing and configuring JumpCloud. If you’re looking for assistance with your Google Workspace Integration, we recommend you reach out to JumpCloud’s Professional Services team on the following page: Professional Services - JumpCloud.