In addition to the JumpCloud Google Workspace Cloud Directory Integration (which enables the provisioning and synchronization of your Google Workspace users from JumpCloud), you can also choose to configure the Google Workspace SAML SSO Connector.
The Google Workspace connector provides users with single sign on (SSO) capabilities. They are redirected to the JumpCloud login screen enabling them to log into Google Workspace with their JumpCloud credentials. Using JumpCloud SSO with Google Workspace not only passes user authentication responsibilities to JumpCloud, it also allows the option to enforce JumpCloud MFA for authentication and the ability to enforce Conditional Access Policies.
Read this article to learn how to set up Google Workspace SSO.
Read the SAML Configuration Notes before you start configuring this connector.
Prerequisites
- A JumpCloud administrator account
- JumpCloud SSO Package or higher or SSO à la carte option
- In order to successfully complete the integration between JumpCloud and Google, you must have administrative rights to access configuration in your Google Workspace account
- Google Workspace subscription for Enterprise, Business, or Education
Important Considerations
- Non-profit or Standard (Free legacy) editions do not support SAML
- When a Google Super Admin tries to sign in to an SSO-enabled domain via admin.google.com, they will not be redirected to JumpCloud for authentication, but rather will be prompted for their full Google email address and associated password
- Read Google’s full documentation on SSO-enabled domain redirects for Super Admins.
Creating a new JumpCloud Application Integration
- Log in to the JumpCloud Admin Portal.
- Navigate to USER AUTHENTICATION > SSO Applications.
- Click + Add New Application.
- Type Google Workspace in the Search field and select it.
- Click Next.
- In the Display Label, type your name for the application. Optionally, you can enter a Description, and choose to hide or Show in User Portal.
- Optionally, expand Advanced Settings to specify a value for the SSO IdP URL. If no value is entered, it will default to https://sso.jumpcloud.com/saml2/<application display label>.
The SSO IdP URL is not editable after the application is created. You will have to delete and recreate the connector if you need to edit this field at a later time.
- Click Save Application.
- If successful, click:
- Configure Application and go to the next section.
- Close to configure your new application at a later time.
Configuring the SSO Integration
Google Workspace allows mixed SSO policies through the use of SSO profiles. This is also called Partial SSO and gives you the flexibility to specify the authentication authority (JumpCloud or Google) for subsets of users in your organization, like vendors or contractors.
To configure Google SSO Profile(s)
Google's SSO profiles provide flexibility to include or exclude specific user groups or organizational units (OUs) from SSO through assignments within your Google Workspace environment. There are two types of SSO profiles;
SSO Profile | Automatically enables SSO for all users | Assignments required to EXCLUDE from SSO | Assignments required to INCLUDE in SSO |
---|---|---|---|
Organization-wide Third Party | |||
Individual Third Party |
For more information, please reference Decide which users should use SSO.
Configuring an Organization-wide Third Party SSO Profile
This configuration will enable SSO for all Google Workspace users (except super admins). All Google Workspace users (except super admins) will be forwarded to JumpCloud for authentication.
Navigate to Security > Authentication > SSO with third Party IDP > Third-party SSO profile for your organization to configure an organization-wide third party SSO profile.
Excluding users from an Organization-wide Third Party SSO Profile
Using SSO Profile assignments within Google Workspace, users can be excluded from the Organization-wide Third Party SSO Profile meaning they will sign directly into Google. To exclude users or groups/OUs from this SSO profile, navigate to Security > Authentication > SSO with third Party IDP > Manage SSO profile assignments.
Configuring an Individual Third Party SSO Profile
This configuration will allow you to enable SSO for a subset of Google Workspace users (except super admins). Only Google Workspace users (except super admins) assigned to this profile will authenticate with JumpCloud.
Navigate to Security > Authentication > SSO with third Party IDP > Third-party SSO profiles to create a third-party SSO profile.
Assigning users to an Individual Third Party SSO Profile
Using SSO Profile assignments, users can be included (except super admins as mentioned above) in the Individual Third Party SSO Profile and be forwarded to JumpCloud for authentication. To include users or groups/OUs in this SSO profile, navigate to Security > Authentication > SSO with third Party IDP > Manage SSO profile assignments.
Google supports up to 1000 different Individual Third Party SSO profiles.
To configure JumpCloud
- Create a new application or select it from the Configured Applications list.
- Select the SSO tab.
- Replace any instances of YOURDOMAIN with your Google Workspace domain name.
- Add any additional attributes.
- Copy the JumpCloud IDP URL for the next section.
- Click save.
Download the certificate
- Find your application in the Configured Applications list and click anywhere in the row to reopen its configuration window.
- Select the SSO tab and click IDP Certificate Valid > Download certificate.
The certificate.pem will download to your local Downloads folder.
To configure Google
- Log in to the Google Admin Console.
- Select Security > Authentication > SSO with third party IdP.
- After selecting the appropriate profile, enter the following information:
- Sign-in page URL - enter the JumpCloud IDP URL.
- Sign-out page URL - enter https://console.jumpcloud.com.
- Upload certificate - browse to and select the certificate downloaded in the previous section.
- (Optional) Change password URL - enter https://console.jumpcloud.com.
If you enter a Change password URL, users will be directed to that page even if you don’t enable SSO for your organization.
- Click Save.
Authorizing User SSO Access
Users are implicitly denied access to applications. After you connect an application to JumpCloud, you need to authorize user access to that application. You can authorize user access from the Application Configuration panel or from the Groups Configuration panel.
To authorize user access from the Application Configuration panel
- Log in to the JumpCloud Admin Portal.
- Go to USER AUTHENTICATION > SSO Applications, then select the application to which you want to authorize user access.
- Select the User Groups tab. If you need to create a new group of users, see Get Started: User Groups.
- Select the check box next to the group of users you want to give access.
- Click save.
To learn how to authorize user access from the Groups Configuration panel, see Authorize Users to an SSO Application.
Validating SSO user authentication workflow(s)
IdP-initiated user workflow
- Access the JumpCloud User Console
- Go to Applications and click an application tile to launch it
- JumpCloud asserts the user's identity to the SP and is authenticated without the user having to log in to the application
SP-initiated user workflow
- Go to the SP application login - generally, there is either a special link or an adaptive username field that detects the user is authenticated through SSO
This varies by SP.
- Login redirects the user to JumpCloud where the user enters their JumpCloud credentials
- After the user is logged in successfully, they are redirected back to the SP and automatically logged in
Removing the SSO Integration
These are steps for removing the integration in JumpCloud. Consult your SP's documentation for any additional steps needed to remove the integration in the SP. Failure to remove the integration successfully for both the SP and JumpCloud may result in users losing access to the application.
To deactivate the SSO Integration
- Log in to the JumpCloud Admin Portal.
- Go to USER AUTHENTICATION > SSO Applications.
- Search for the application that you’d like to deactivate and click to open its details panel.
- Select the SSO tab.
- Scroll to the bottom of the configuration.
- Click Deactivate SSO.
- Click save.
- If successful, you will receive a confirmation message.
To delete the application
- Log in to the JumpCloud Admin Portal.
- Go to USER AUTHENTICATION > SSO Applications.
- Search for the application that you’d like to delete.
- Check the box next to the application to select it.
- Click Delete.
- Enter the number of the applications you are deleting
- Click Delete Application.
- If successful, you will see an application deletion confirmation notification.