Users will have a consistent, streamlined login experience. This mitigates the user experience friction of the JC <> GWS directory integration, where the user is allowed to change the GWS password separately.
Scenario A - User has ONLY GWS account.
Scenario B - User has both GWS and JC accounts.
How to set it up
And assign the SAML profile to the desired OUs.
Or assign to the desired groups.
Note: For the SSO connectors set up on GWS, user access will remain intact if JC SSO is enabled on their OUs / groups.
Important: When super admins log in after the SAML profile has been applied, they will NOT be directed to JumpCloud for SSO sign-in, according to this KB. Please validate the SSO flow by using a regular user account.
Reference links (Google):
Can this process be used to have only certain users use JumpCloud as their IdP for SSO? I set up everything according to this however I can't get it to actually work - I'm sure I'm missing something but I'm not sure what.
Would you mind sharing your GWS/JC SSO settings with us, applying necessary obfuscations, of course? Completely understand that certain information may not be suitable for disclosure in this public forum. If that's the case, I would recommend reaching out directly to our support team, who will be more than happy to assist you in a private and secure manner to resolve this issue.
Thanks Jaggrey, that's helpful. It looks like the SAML profile has been created. Have you assigned it to an OU or group as suggested in steps 5 & 6? Try moving an existing user to that OU/group, make sure that user is imported/created in JC, then try logging in again.
Yes I have it assigned to a group and to an OU and I'm a part of both. However when I go to Gmail and type in my email address to login, it just asks me for a password instead of redirecting to JumpCloud.
I have another question around this. When users go to Google initially and type in their email address, they're redirected to JumpCloud, which is correct. However they're prompted again by JumpCloud to enter their email address. Is that normal behavior? Is there any way for Google to pass the email address to JumpCloud so that they don't have to enter it twice?
Yeah, it basically happens with SP-initiated login on other apps too. Usually, from my own experience, you can tweak the session on GWS to be a bit longer for re-auth (i.e. 14 days), so as long as the user has a login with JC at any given time, the re-auth won't happen too often.
I have been experimenting with this setup too. I would like to be able to provision JumpCloud users in a specific OU in Google Workspace, so that they get the JumpCloud SSO experience automatically, but it doesn't seem to be possible to set the "orgUnitPath" property of a user from the Google Workspace Cloud Directory integration. Can I raise this as a feature request?