Subscribe to Help Center RSS FeedThe next step in creating a secure and consistent connection between JumpCloud and Google Workspace is configuring the integration. You can control the user data that syncs, which platform should be the source (JumpCloud or Google), whether distribution groups are managed from JumpCloud, the email domains that are allowed to sync, and if there is a default domain that should be used.
Prerequisites
- A JumpCloud administrator account
- JumpCloud Device Package or higher
- An authorized and active Google Workspace instance
- A user account with Google Super Admin access
- You have read through the considerations in Get Started: Google Workspace Integration
Attribute Considerations
- The JumpCloud owned attributes (email, firstname, lastname) are required by Google and bidirectionally sync
- Optional attributes sync one way:
- Attributes set to Import will not be exported from JumpCloud to Google Workspace
- Attributes set to Export will not be imported from Google Workspace to JumpCloud
- Attributes set to Exclude will not be imported or exported
- Different attributes in the sync can be set to Import or Export, e.g., you can set password to Export and costCenter to Import in the same sync
- The default setting for optional attributes, except user state and password, is Exclude
- The default setting for the user state and password attributes is Export
- The password and manager attributes can only be set to Export or Exclude
- Address attributes – both the JumpCloud and Google Workspace APIs allow multiple addresses for a given type. On export, existing Google Workspace addresses for a given type will be replaced with JumpCloud addresses of that type
Configure User Attributes
After you've authorized the Google Workspace instance in JumpCloud, choose the user attributes you want to import, export or exclude. This functionality allows you to centralize the management of these users.
If no attributes are selected, i.e., all optional attributes are set to Exclude, only the JumpCloud owned attributes will sync.
Attribute Data Flow
How does attribute data flow between Google Workspace and JumpCloud after integration?
- When you import a user from Google Workspace – if data exists for a user’s attributes in Google Workspace when they are imported, data is written to the equivalent user attributes in JumpCloud
- Importation of these attributes must be done before the user exists in JumpCloud
- When you connect that user to Google Workspace in JumpCloud – attributes in Google Workspace are automatically overwritten with data from JumpCloud for the attributes set to Export. Further, any subsequent changes made to the user’s attributes in JumpCloud are automatically pushed to the corresponding attributes in Google Workspace
Custom user attributes aren't supported at this time. You may use the existing attributes for something other than their stated purpose as a short term workaround.
User Attribute Import
First name, Last name, and Company email will always be imported from Google Workspace. With the exception of user state and manager, you can choose the optional user attributes that you would like to import from Google Workspace for new users and updates. Your chosen attributes will be mapped from Google Workspace to the corresponding JumpCloud attribute.
User Attribute Export
First name, Last name, and Company email will always be exported to Google Workspace. You can choose the optional user attributes you would like to export to Google Workspace. Your chosen attributes will be mapped from JumpCloud to the corresponding Google attribute. If you choose to stop exporting data for an attribute, it is no longer synced with Google Workspace. Subsequent changes made to that attribute in JumpCloud aren't exported to Google Workspace.
Take caution when selecting attributes to export. After you select an attribute to export to Google Workspace, it is immediately overwritten with data from JumpCloud for all Google Workspace users managed by JumpCloud, and you could potentially lose data stored for that attribute in Google Workspace.
User Attributes
Required attributes
These attributes are “JumpCloud owned” and always imported from Google Workspace to JumpCloud, and exported from JumpCloud to Google Workspace for bound users:
- firstname
- lastname
Optional attributes
Attributes that can only be optionally exported to Google Workspace:
- password *
- manager
Attributes that can optionally be exported to or imported from Google Workspace:
- user state *
- addresses (home)
- addresses (work)
- alternate email
- costCenter
- department
- employeeIdentifier
- employeeType
- jobTitle
- phoneNumbers (home)
- phoneNumbers (mobile)
- phoneNumbers (work)
- phoneNumbers (work_fax)
- phoneNumbers (work_mobile)
(*see Impact of the user state and password settings for additional considerations when making selections for these attributes)
API Attribute Name Table
The following table outlines how attribute data is exported from JumpCloud’s API and UI to Google Workspace's API and UI. The attribute listed in the JumpCloud API Attribute Name column is synced to the attribute listed in the Google Workspace API Attribute Name column. The attribute listed in the JumpCloud UI Attribute Name column is synced to the attribute listed in the Google Workspace UI Attribute Name column. See our API documentation for more information.
|
JumpCloud API Attribute Name |
Google Workspace API Attribute Name |
JumpCloud UI Attribute Name |
Google Workspace UI Attribute Name |
|
|---|---|---|---|---|
| firstname | name.firstName | First Name | First name | |
| lastname | name.lastName | Last Name | Last name | |
| password | password | Password | Password | JumpCloud will push a password write to GWS upon every login to the JumpCloud User Portal. See Manage Passwords in External Directories from JumpCloud (Password Takeover). |
| primaryEmail | Company Email | Primary email | The domain of the email address may be modified based on the Domains configuration for the Google Workspace Cloud Directory Sync integration. See Configure domains. | |
| state | status | User State | status | |
| password | password | Password | Password | |
| alternateEmail | emails | Alternate Email | Secondary Email | |
| jobTitle | organization.title | Job Title | Job title | |
| employeeIdentifier | externalId.value | Employee ID | Employee ID | |
| department | organization.department | Department | Department | |
| costCenter | organization.costCenter | Cost Center | Cost center | |
| addresses.type addresses.poBox addresses.extendedAddresses addresses.locality addresses.region addresses.postalCode | addresses.formatted | Work Address | Address (Work) |
Export: Addresses are exported as a single, formatted value that includes all of the address values listed in the JumpCloud API Attribute Name column. Import: JumpCloud will import from Work Address into the structured address fields. The preferred address format is: {House number} {Street name} {City} {State} {Country code} Ex: 101 Main Street Denver Colorado 80202 US |
| Home Address | Address (Home) |
Export: Addresses are exported as a single, formatted value that includes all of the address values listed in the JumpCloud API Attribute Name column. JumpCloud will overwrite Google’s Home Address field with a concatenated string from JumpCloud’s structured address fields. Import: JumpCloud will import from Home Address and Work Address into the structured address fields. The preferred address format is: {House number} {Street name} {City} {State} {Country code} Ex: 101 Main Street Denver Colorado 80202 US This field contains a drop-down type field. Note about address attributes: Both the JumpCloud and Google Workspace APIs allow multiple addresses for a given type. On export, existing Google Workspace addresses for a given type are replaced with JumpCloud addresses of that type. |
||
| phoneNumbers.type phoneNumbers.number | phones.type phones.value | Work Fax | - |
Data exported for this attribute is viewable only in the Google Workspace API. |
| Work Cell | - |
Data exported for this attribute is viewable only in the Google Workspace API. |
||
| Home Phone | Phone (Home) | |||
| Personal Cell | Phone (Mobile) | |||
| manager | relation(s) | Manager | Manager's Email |
Google Workspace stores the Manager’s email in the relations array with a type of “manager”. Manager is a relational attribute in JumpCloud, meaning we use the unique ID of the Manager.
Export: JumpCloud will add the Manager’s email to relations. JumpCloud will add the Manager’s email address to the “Manager’s email” field. |
To select attributes to export or import
- Log in to the JumpCloud Admin Portal.
- Go to DIRECTORY INTEGRATIONS > Cloud Directories.
- Select the Google Workspace directory you want to select user attributes for.
- In the Attribute mapping and settings section, select the non-default user attributes you want to import or export with Google Workspace.
You can't clear default user attributes.
- Click Save.
If you want user attributes to sync (export) from JumpCloud to Google Workspace, connect JumpCloud users to Google Workspace.
Directory Insights Events
Anytime you change the direction of an attribute, a Directory Insights event is generated. Previously, these events were:
- translationrule_create
- translationrule_delete
If you see an event with these names in your Directory Insights logs, they will roll off once your maximum retention period is exhausted. Going forward, the Directory Insights events generated from attribution selections are:
- integrationattribute_exclude
- Generated when an attribute is set to “Exclude”.
- Ex: You change the Department attribute from “Import” to “Exclude”
- Generated when an attribute is set to “Exclude”.
- integrationattribute_include
- Generated when an attribute is set to “Import” or “Export”.
- Ex: You change the Department attribute from “Exclude” to “Import”
- Ex: You change the Department attribute from “Import” to “Export”
- Generated when an attribute is set to “Import” or “Export”.
These events will capture attribute ownership/direction changes, including the admin that made the change, and the directory integration in which the change occurred.
Configure User Password Settings
In the Admin Portal, there are Password Configuration Settings that allow you to customize what happens to a user’s account in Google Workspace when their JumpCloud password gets locked out or expires. These settings are impacted by your selections for password and user state attributes in the Attribute mapping and settings section.
To access the Password Configurations settings
- Log in to the JumpCloud Admin Portal.
- Navigate to Settings > Security > Password Configurations > Google Workspace.
- Under your Google Workspace instance, select your desired options for Password Expiration and Account Lockout.
- After any changes are made, click Save.
Impact of the user state and password settings
The table below shows how the settings for password and user state attributes impact the the Password Configurations settings for password expiration and account lockout.
| Password attribute setting | User State setting | Default Password Expiration setting | Default Account Lockout setting | |||
| Maintain Users | Suspend Users | Remove Access | Maintain Users | Suspend Users | ||
| Exclude | Export, Import, or Exclude |
 |
|
|||
| Export | Export |
|
|
|||
| Import or Exclude |
|
|
||||
Configure Google Workspace Group(s) Management
The integration supports the creation and management of distribution groups in Google Workspace from JumpCloud. This functionality allows you to centralize the management of these groups and group memberships in JumpCloud.
Considerations
- After you enable group management, changes made to groups in JumpCloud are synced to distribution groups in Google Workspace. Changes only sync from JumpCloud to Google Workspace. Changes made to groups in Google Workspace aren’t synced to JumpCloud.
- If you disable group and membership management, no further changes will be made to distribution groups in Google Workspace. The groups will remain exactly as they were at the time the functionality was disabled.
- It can take some time for new groups to appear in the Google Groups directory. See Google’s Admin Help: New groups don’t show up in Groups directory.
To enable Google Workspace group management
- Navigate to DIRECTORY INTEGRATIONS > Cloud Directories.
- Select the Google Workspace directory you want to manage groups for.
- In the Google Workspace Sync section of the Details tab, select Enable management of groups and memberships in Google Workspace.
- Click Save.
- If you have not already granted the groups permission, you will be redirected to the Google Workspace authorization flow.
- Enter the email address for the Google Workspace admin account you are using for the integration if prompted.
- Enter the password for the Google Workspace admin account you are using for the integration if prompted.
- Click Allow.
After you enable group management for your Google Workspace directory sync integration in JumpCloud, you must add the email attribute for user groups bound to that Google Workspace directory. If you don't add an email address to these groups, users in bound groups could be suspended until one is added.
To specify Distribution Groups
Considerations
- If you remove a distribution group’s email address, the group and its memberships are no longer synced with Google Workspace.
- If you change a distribution group’s email address, the members of the group are moved to the distribution group of the email address you specify.
To specify a Google Workspace Distribution Group
Ensure that Enable management of groups and memberships in Google Workspace is enabled in your Google Workspace Integration.
- Navigate to DIRECTORY INTEGRATIONS > Cloud Directories.
- Select the Google Workspace directory to which you want to manage groups.
- Select the User Groups tab.
- In your desired group, add an email address in the Distribution Group Email field.
- Click Save.
When you associate JumpCloud user groups to a Google Workspace directory, users in those groups are added to those same distribution groups in Google Workspace. Distribution group membership, in addition to user attributes and passwords, will be synced. See Giving JumpCloud Users Access to Google Workspace to learn how to associate user groups to a Google Workspace Directory.
Configure domain(s)
Specify one or more domains as part of the integration configuration to have more granular control over which user accounts sync and how the translation rule for the email to User Principal Name (UPN) mapping is applied. There are three (3) possible configurations: no domains, a list of one or more domains but no default, and a list of one or more domains with one of those domains used as a default for the UPN translation rule. Each configuration is described in more detail below.
- If no domains are configured, the user’s company email is not checked and sent as is. The user syncs as long as their email domain matches one of the verified domains in the Google Workspace instance.
- If one or more domains is configured and the No default option is selected, the user’s company email is checked against the domains listed. Only users with matching email domains are synced.
- If one or more domains is configured and one of the domains is selected to Use as default, the user’s company email is checked against the domains listed.
- If the domain matches one of the domains in the list, the email address is sent as is.
- If the domain does not match one of the domains in the list, the email value sent as the Primary Email will be the username portion of the company email address and the default domain.
Examples of how domains are used by the integration.
| Domains Configuration | Source email(JumpCloud Company Email) | Sync results | Primary Email value sent to Google |
|---|---|---|---|
| No domains | [email protected] | Synced | [email protected] |
| [email protected] | Synced | [email protected] | |
| [email protected] | Sync failed | [email protected] | |
| Domains list = (mydomain.com, alternatedomain.com )&no default selected | [email protected] | Synced | [email protected] |
| [email protected] | Synced | [email protected] | |
| [email protected] | N/A - user skipped | N/A | |
| Domains list = (mydomain.com, alternatedomain.com )&mydomain.com selected to use as default | [email protected] | Synced | [email protected] |
| [email protected] | Synced | [email protected] | |
| [email protected] | Synced | [email protected] |
To add domains
- Log in to the JumpCloud Admin Portal.
- Navigate to DIRECTORY INTEGRATIONS > Cloud Directories.
- Select the Google Workspace directory instance.
- In the Google Workspace Domain(s) section, click +Add Domain.
- The first time you add a domain, you will be redirected to the authorization flow to approve the domains permission.
- If prompted, enter the email address for the Google Workspace admin account you want to use for the integration and the password for that account on the subsequent screen.
- Enter the password for that account if prompted.
If you enabled group management in this session, you will also see the group's permission in the list of permissions.
- Click Allow.
- You will be redirected back to the configuration page of for the Google Workspace integration
- Click the domain dropdown menu.
- Select one of the domains from the list.
The list is pulled dynamically from Google Workspace and only includes verified domains. The domain noted with (Primary), is the domain specified as the primary domain for that Google Workspace instance. That label is separate from the ‘Use as default’ option within the integration configuration in JumpCloud.
- Repeat steps 4-6 to add additional domains.
- Click Save.
To enable a default domain
- Log in to the JumpCloud Admin Portal.
- Navigate to DIRECTORY INTEGRATIONS > Cloud Directories.
- Select the Google Workspace directory instance.
- In the Google Workspace Domain(s) section, select the radio button next to one of the domains to use that domain for the PrimaryEmail translation rule (default domain).
- Click Save.
Step 1
In this Article
Learn More