SSO with Google Workspace

In addition to the JumpCloud Google Workspace Cloud Directory Integration (which enables the provisioning and synchronization of your Google Workspace users from JumpCloud), you can also choose to configure the Google Workspace SAML SSO Connector.

The Google Workspace connector provides users with single sign on (SSO) capabilities. They are redirected to the JumpCloud login screen enabling them to log into Google Workspace with their JumpCloud credentials. Using JumpCloud SSO with Google Workspace not only passes user authentication responsibilities to JumpCloud, it also allows the option to enforce JumpCloud MFA for authentication and the ability to enforce Conditional Access Policies.

Read this article to learn how to set up Google Workspace SSO.

Prerequisites

• A JumpCloud administrator account
• JumpCloud SSO Package or higher or SSO à la carte option
• In order to successfully complete the integration between JumpCloud and Google, you must have administrative rights to access configuration in your Google Workspace account
• Google Workspace subscription for Enterprise, Business, or Education

Important Considerations

• Non-profit or Standard (Free legacy) editions do not support SAML
• Google is advising migrating any existing Organization-wide SSO profiles, now called Legacy SSO profiles, to Third-party SSO profiles. See Migrating from legacy SSO to SSO profiles for more information
  • If migrating from Legacy SSO Profiles, you must update the SP details in your JumpCloud connector (SP Entity ID and ACS URLs)
• When a Google Super Admin tries to sign in to an SSO-enabled domain via admin.google.com, they will not be redirected to JumpCloud for authentication, but rather will be prompted for their full Google email address and associated password
  • Read Google’s full documentation on SSO-enabled domain redirects for Super Admins.

Creating a new JumpCloud Application Integration

1. Log in to the JumpCloud Admin Portal.
2. Navigate to USER AUTHENTICATION > SSO Applications.
3. Click + Add New Application.
4. Type Google Workspace in the Search field and select it.
5. Click Next.
6. In the Display Label, type your name for the application. Optionally, you can enter a Description, and choose to hide or Show in User Portal.
7. Optionally, expand Advanced Settings to specify a value for the SSO IdP URL. If no value is entered, it will default to https://sso.jumpcloud.com/saml2/<application display label>.

8. Click Save Application.
9. If successful, click:
   • Configure Application and go to the next section.
   • Close to configure your new application at a later time.

Configuring the SSO Integration

Google Workspace allows mixed SSO policies through the use of SSO profiles. This is also called Partial SSO and gives you the flexibility to specify the authentication authority (JumpCloud or Google) for subsets of users in your organization, like vendors or contractors.

To configure Google SSO Profile(s)

Google's SSO profiles provide flexibility to include or exclude specific user groups or organizational units (OUs) from SSO through assignments within your Google Workspace environment. There are two types of SSO profiles;

Configuring a legacy SSO profile

This configuration will enable SSO for all Google Workspace users (except super admins). All Google Workspace users (except super admins) will be forwarded to JumpCloud for authentication.

Navigate to Security > Authentication > SSO with third Party IDP > Third-party SSO profiles for your organization to configure a legacy SSO profile.

Excluding users from a Legacy SSO Profile

Using SSO Profile assignments within Google Workspace, users can be excluded from the Legacy SSO Profile meaning they will sign directly into Google. To exclude users or groups/OUs from this SSO profile, navigate to Security > Authentication > SSO with third Party IDP > Manage SSO profile assignments.

Configuring a third-party SSO profile

This configuration allows you to assign SSO profiles to Google Workspace organization units or groups (except super admins). Only Google Workspace users (except super admins) assigned to the JumpCloud SSO profile will authenticate with JumpCloud.

Navigate to Security > Authentication > SSO with third Party IDP > Third-party SSO profiles to create a third-party SSO profile.

To assign users to a Third Party SSO Profile

Using SSO Profile assignments, users can be included (except super admins as mentioned above) in the Third Party SSO Profile and be forwarded to JumpCloud for authentication. To include users or groups/OUs in this SSO profile, navigate to Security > Authentication > SSO with third Party IDP > Manage SSO profile assignments.

To configure JumpCloud

1. Create a new application or select it from the Configured Applications list.
2. Select the SSO tab.
3. Replace any instances of YOURDOMAIN with your Google Workspace domain name.
4. Add any additional attributes.
5. Copy the JumpCloud IDP URL for the next section.
6. Click save.

Download the certificate

1. Find your application in the Configured Applications list and click anywhere in the row to reopen its configuration window.
2. Select the SSO tab and click IDP Certificate Valid > Download certificate.

To configure Google

1. Log in to the Google Admin Console.
2. Select Security > Authentication > SSO with third party IdP.
3. After selecting the appropriate profile, enter the following information:
   • Sign-in page URL - enter the JumpCloud IDP URL.
   • Sign-out page URL - enter https://console.jumpcloud.com.
   • Upload certificate - browse to and select the certificate downloaded in the previous section.
   • (Optional) Change password URL - enter https://console.jumpcloud.com/userconsole#/security

4. Click Save.

Authorizing User SSO Access

Users are implicitly denied access to applications. After you connect an application to JumpCloud, you need to authorize user access to that application. You can authorize user access from the Application Configuration panel or from the Groups Configuration panel. 

To authorize user access from the Application Configuration panel

1. Log in to the JumpCloud Admin Portal.
2. Go to USER AUTHENTICATION > SSO Applications, then select the application to which you want to authorize user access.
3. Select the User Groups tab. If you need to create a new group of users, see Get Started: User Groups.
4. Select the check box next to the group of users you want to give access.
5. Click save. 

To learn how to authorize user access from the Groups Configuration panel, see Authorize Users to an SSO Application.

Validating SSO user authentication workflow(s)

IdP-initiated user workflow

• Access the JumpCloud User Console
• Go to Applications and click an application tile to launch it
• JumpCloud asserts the user's identity to the SP and is authenticated without the user having to log in to the application

SP-initiated user workflow

• Go to the SP application login - generally, there is either a special link or an adaptive username field that detects the user is authenticated through SSO

• Login redirects the user to JumpCloud where the user enters their JumpCloud credentials
• After the user is logged in successfully, they are redirected back to the SP and automatically logged in

Removing the SSO Integration

To deactivate the SSO Integration

1. Log in to the JumpCloud Admin Portal.
2. Go to USER AUTHENTICATION > SSO Applications.
3. Search for the application that you’d like to deactivate and click to open its details panel. 
4. Select the SSO tab.
5. Scroll to the bottom of the configuration.
6. Click Deactivate SSO. 
7. Click save. 
8. If successful, you will receive a confirmation message.

To delete the application

1. Log in to the JumpCloud Admin Portal.
2. Go to USER AUTHENTICATION > SSO Applications.
3. Search for the application that you’d like to delete.
4. Check the box next to the application to select it.
5. Click Delete.
6. Enter the number of the applications you are deleting
7. Click Delete Application.
8. If successful, you will see an application deletion confirmation notification.

Troubleshooting