Setup JC SSO with Google Workspace - on specific GWS OU(s) or Groups

shawnsong
Rising Star III

Users will have a consistent, streamlined login experience. This mitigates the user-experience friction of the JC <> GWS directory integration, where the user is allowed to change the GWS password separately.

Use Cases
Scenario A - User has ONLY a GWS account.

  • There are OUs / Groups that are NOT entitled to corp devices, and whose accounts are NOT managed in JC (to save license cost):
    • Contractors and external consultants who have limited access to corp apps / data.
    • They use GWS mainly via Chrome (managed) on any device.

Scenario B - User has both GWS and JC accounts.

  • I.e. full-time employees' accounts are managed by JC, as well as their devices.
    • User passwords are managed by JC.
    • MFA is on JC.
    • When users try to change their password on GWS, they are redirected to JC.

Overview diagram

(image: GWS __ JC use case.jpeg)

How to set it up

  1. Set up SSO with GWS in your JC tenant; follow the steps here.
  2. You can find YOURDOMAIN on GWS by going to Account → Domains → Manage Domains; use the one with type Primary Domain.
  3. Once done and saved, flip to the GWS admin console to continue the steps.
  4. Make sure the Entity ID and ACS URL values in the SAML profile you created are copied back to JC's SSO setting. (screenshot: 1.jpg)
  5. And assign the SAML profile to the desired OUs. (screenshot: 2.jpg)
  6. Or assign it to the desired groups. (screenshot: image-20221126-040335.png)
  7. Done.

Note: For the SSO connectors set up on GWS, user access will remain intact if JC SSO is enabled on their OUs / Groups.

[Update 08-08-2023] 

Important: When super admins log in after the SAML profile is applied, they will NOT be directed to JumpCloud for SSO sign-in, according to this KB. Please validate the SSO flow using a regular user account.

Reference links (Google):

Set up SSO for your organization - Google Workspace Admin Help

Single Sign On (SSO) with Google Workspace

Pre-integrated SAML apps catalog - Google Workspace Admin Help

Amazon Web Services cloud application - Google Workspace Admin Help
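As an added check for step 4 (this is not code from the original post or from JumpCloud/Google): a small Python script that compares a SAML Response against the Entity ID, ACS URL, IdP issuer and primary domain copied from the GWS SAML profile, so a mismatch is caught before testing with a regular user. All URLs, the profile identifiers and the sample response are constructed placeholders.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Values copied from the GWS SAML profile and the primary domain (constructed placeholders).
EXPECTED = {
    "acs_url": "https://accounts.google.com/samlrp/EXAMPLE-PROFILE/acs",
    "entity_id": "https://accounts.google.com/samlrp/EXAMPLE-PROFILE",
    "idp_issuer": "https://sso.jumpcloud.com/saml2/EXAMPLE-APP",
    "primary_domain": "yourdomain.example",
}

# Constructed, unsigned SAML Response that exercises the checks below (not a real capture).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    Destination="https://accounts.google.com/samlrp/EXAMPLE-PROFILE/acs">
  <saml:Issuer>https://sso.jumpcloud.com/saml2/EXAMPLE-APP</saml:Issuer>
  <saml:Assertion>
    <saml:Subject><saml:NameID>alice@yourdomain.example</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2023-08-08T10:00:00Z" NotOnOrAfter="2023-08-08T10:05:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://accounts.google.com/samlrp/EXAMPLE-PROFILE</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""

def _ts(value):  # SAML timestamps are UTC with a trailing Z
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)

def check_response(xml_text, expected, now_iso):
    """Return the mismatches between a SAML Response and the profile values (empty list = consistent)."""
    root, now, problems = ET.fromstring(xml_text), _ts(now_iso), []
    if root.get("Destination") != expected["acs_url"]:
        problems.append("Destination does not match the ACS URL of the GWS SAML profile")
    if root.findtext("saml:Issuer", namespaces=NS) != expected["idp_issuer"]:
        problems.append("Issuer does not match the IdP entity ID entered in the GWS SAML profile")
    audience_path = "saml:Assertion/saml:Conditions/saml:AudienceRestriction/saml:Audience"
    if root.findtext(audience_path, namespaces=NS) != expected["entity_id"]:
        problems.append("Audience does not match the Entity ID of the GWS SAML profile")
    name_id = root.findtext("saml:Assertion/saml:Subject/saml:NameID", namespaces=NS) or ""
    if name_id.rpartition("@")[2].lower() != expected["primary_domain"]:
        problems.append("NameID is not an address in the GWS primary domain, so Google cannot map the user")
    cond = root.find("saml:Assertion/saml:Conditions", namespaces=NS)
    if cond is None or not _ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter")):
        problems.append("Assertion is outside its NotBefore/NotOnOrAfter window (check clock skew)")
    return problems
```

Run `check_response(SAMPLE_RESPONSE, EXPECTED, "2023-08-08T10:01:00Z")` against a decoded (base64 and, if needed, inflated) SAMLResponse captured from the browser's network tab; an empty list means the profile values line up.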


14 REPLIES

jaggrey
Novitiate III

Can this process be used to have only certain users use JumpCloud as their IdP for SSO?  I set up everything according to this however I can't get it to actually work - I'm sure I'm missing something but I'm not sure what.

Hi Jaggrey,

Yes, you can apply the SAML profile to any group/OU of users; you may move the desired users into a designated group/OU and link the SAML profile to it. What error do you get?

Hey shawnsong,

I'm not getting any error message.  Google just continues to prompt and authenticate instead of redirecting to JumpCloud.

Would you mind sharing your GWS/JC SSO settings with us, applying necessary obfuscations, of course? Completely understand that certain information may not be suitable for disclosure in this public forum. If that's the case, I would recommend reaching out directly to our support team, who will be more than happy to assist you in a private and secure manner to resolve this issue.

Sure what settings do you need to see?  I also opened a ticket yesterday about this and referenced this link.

(screenshots: image (7).png, image (8).png, image (9).png)

Thanks Jaggrey, that's helpful. It looks like the SAML profile has been created. Have you assigned it to an OU or group as suggested in steps 5 & 6? Try to move an existing user to that OU/group, make sure that user is imported/created in JC, then try to log in again.

Yes I have it assigned to a group and to an OU and I'm a part of both.  However when I go to Gmail and type in my email address to login, it just asks me for a password instead of redirecting to JumpCloud.

So I might have figured this out.  It seems to not work for me and another super admin that's in the test group and OU.  However it does work for other non-admins that I have in the group.

Oh yes, good catch! I'll update my post with your findings, thanks for the feedback! It's also briefly mentioned in this KB.

jaggrey
Novitiate III

I have another question around this.  When users go to Google initially and type in their email address, they're redirected to JumpCloud, which is correct.  However they're prompted again by JumpCloud to enter their email address.  Is that normal behavior?  Is there any way for Google to pass the email address to JumpCloud so that they don't have to enter it twice?

Yeah, it happens with SP-initiated login on other apps too. From my own experience, you can tweak the session on GWS to be a bit longer for re-auth (i.e. 14 days), so as long as the user has logged in to JC at any given time, the re-auth won't happen too often.

alanraison
Novitiate I

I have been experimenting with this setup too. I would like to be able to provision JumpCloud users in a specific OU in Google Workspace, so that they get the JumpCloud SSO experience automatically, but it doesn't seem to be possible to set the "orgUnitPath" property of a user from the Google Workspace Cloud Directory integration. Can I raise this as a feature request?

BScott
Community Manager

@alanraison of course! You can raise anything as a feature request. If / when it happens will depend on several things, but you are more than welcome to submit something.
