SSO with Google Workspace

The JumpCloud Google Workspace Single Sign-On (SSO) integration empowers you to centralize user access and enhance security. By enabling SSO, you simplify access for your end-users, allowing them to securely log in to Google Workspace using their JumpCloud credentials. This integration also allows you to enforce critical security controls, including JumpCloud's Multi-Factor Authentication (MFA) and Conditional Access Policies.

Pairing this with the Google Workspace Cloud Directory Integration provides full identity provisioning and synchronization, streamlining IT user management.

Read this article to learn how to set up Google Workspace SSO.

Prerequisites

• A JumpCloud administrator account
• JumpCloud SSO Package or higher or SSO à la carte option
• In order to successfully complete the integration between JumpCloud and Google, you must have administrative rights to access configuration in your Google Workspace account
• Google Workspace subscription for Enterprise, Business, or Education

Important Considerations

• Non-profit or Standard (Free legacy) editions do not support SAML
• When a Google Super Admin tries to sign in to an SSO-enabled domain via admin.google.com, they will not be redirected to JumpCloud for authentication, but rather will be prompted for their full Google email address and associated password:
  • Read Google’s full documentation on SSO-enabled domain redirects for Super Admins

Creating a new JumpCloud Application Integration

1. Log in to the JumpCloud Admin Portal.
2. Go to USER AUTHENTICATION > SSO Applications.
3. Click + Add New Application.
4. Type Google Workspace in the Search field and select it.
5. Click Next.
6. In the Display Label, type your name for the application. Optionally, you can enter a Description, and choose to hide or Show in User Portal.
7. Optionally, expand Advanced Settings to specify a value for the SSO IdP URL. If no value is entered, it will default to https://sso.jumpcloud.com/saml2/<application display label>.

8. Click Save Application.
9. If successful, click:
   • Configure Application and go to the next section
   • Close to configure your new application at a later time

Configuring a SAML SSO Integration

To configure JumpCloud Part 1

If you are continuing from the Add New Application flow above, skip to step 3.

1. Create a new application or select it from the Configured Applications list.
2. Select the SSO tab.
3. Replace YOURDOMAIN with your Google Workspace domain name in the IdP Entity ID.
4. Skip updating the SP Entity ID and ACS URL, those will be updated after you configure Google.
5. Add any additional attributes.
6. Click Save.
7. Leave the configuration open, so you can copy values to the Google Workspace configuration

Download the certificate

1. If you closed the application, find it in the Configured Applications list and click anywhere in the row to reopen its configuration window.
2. Click Actions > Download Certificate.

To configure Google

Google Workspace gives you the flexibility to enforce SSO for your entire organization, an organizational unit (OU), specific groups or users.

1. Log in to the Google Admin Console.
2. Navigate to Security > Authentication > SSO with third party IP.
3. Select Add SAML Profile and enter the SSO profile name.
4. Enter the following information:
   • IDP entity ID - copy and paste the JumpCloud IdP Entity ID
   • Sign-in page URL - copy and paste the JumpCloud IDP URL
   • Sign-out page URL - enter https://console.jumpcloud.com
   • Upload certificate - browse to and select the certificate downloaded in the previous section
5. Click Save.
6. Leave this configuration open, so you can copy values to the JumpCloud configuration.

To configure JumpCloud Part 2

1. Update the following information in the JumpCloud Configuration:
   • SP Entity ID- copy and paste the Entity ID from the SP details in the Google configuration
   • ACS URLs - copy and paste the ACS URL from the SP details in the Google configuration
2. Click Save.

To assign Google SSO Profile(s)

Google's SSO profiles provide flexibility to include or exclude specific user groups or organizational units (OUs) from SSO through assignments within your Google Workspace environment.

1. To specify which users, groups, or OUs will use this SSO profile, navigate to Security > Authentication > SSO with third Party IDP > Manage SSO profile assignments.
2. Select the OU, group, or use to which you want the SSO profile to be enforced.
3. Click Save.
4. To remove SSO, select None from the dropdown.

Disabling Google Workspace non-Admin User Password Recovery

To ensure an appropriate user workflow for password resets, Google allows for completely disabling non-admin user password recovery through the dashboard configuration. 

To disable non-admin password recovery

1. Log in to Google as an administrator from your tenant.
2. Go to Security > Account recovery.
3. Click User account recovery.
4. Deselect the Allow users and non-super admins to recover their account option.
5. Click Save.

Authorizing User SSO Access

Users are implicitly denied access to applications. After you connect an application to JumpCloud, you need to authorize user access to that application. You can authorize user access from the Applications, Users List or User Groups page. 

To authorize user access from the Application’s page

1. Log in to the JumpCloud Admin Portal.
2. Go to USER AUTHENTICATION > SSO Applications, then select the application to which you want to authorize user access.
3. Select the User Groups tab. If you need to create a new group of users, see Get Started: User Groups.
4. Select the check box next to the desired group of users to which you want to give access.
5. Click Save. 

To learn how to authorize user access from the Users or User Groups pages, see Authorize Users to an SSO Application.

Validating SSO user authentication workflow(s)

IdP-initiated user workflow

• Access the JumpCloud User Console
• Go to Applications and click an application tile to launch it
• JumpCloud asserts the user's identity to the SP and is authenticated without the user having to log in to the application

SP-initiated user workflow

• Go to the SP application login - generally, there is either a special link or an adaptive username field that detects the user is authenticated through SSO

• Login redirects the user to JumpCloud where the user enters their JumpCloud credentials
• After the user is logged in successfully, they are redirected back to the SP and automatically logged in

Removing the SSO Integration

To deactivate the SSO Integration

1. Log in to the JumpCloud Admin Portal.
2. Go to USER AUTHENTICATION > SSO Applications.
3. Search for the application that you’d like to deactivate and click to open its details panel. 
4. Select the SSO tab.
5. Scroll to the bottom of the configuration.
6. Click Deactivate SSO. 
7. Click save. 
8. If successful, you will receive a confirmation message.

To delete the application

1. Log in to the JumpCloud Admin Portal.
2. Go to USER AUTHENTICATION > SSO Applications.
3. Search for the application that you’d like to delete.
4. Check the box next to the application to select it.
5. Click Delete.
6. Enter the number of the applications you are deleting
7. Click Delete Application.
8. If successful, you will see an application deletion confirmation notification.

Troubleshooting