11-25-2022 11:20 PM - edited 09-11-2023 09:12 PM
Users will have a consistent, streamlined login experience. This mitigates the user experience friction of the JC <> GWS directory integration, where the user is allowed to change the GWS password separately.
Use Cases
Scenario A - User has ONLY GWS account.
Scenario B - User has both GWS and JC accounts.
Overview diagram
How to set it up
And assign the SAML profile to the desired OUs.
Or assign to the desired groups.
Note: For the SSO connectors setup on GWS - User accesses will remain intact if JC SSO is enabled on their OUs / Groups.
[Update 08-08-2023]
Important: When super admins log in after the SAML profile has been applied, they will NOT be directed to JumpCloud for SSO sign-in, according to this KB. Please validate the SSO flow by using a regular user account.
Reference links (Google):
Set up SSO for your organization - Google Workspace Admin Help
Single Sign On (SSO) with Google Workspace
Pre-integrated SAML apps catalog - Google Workspace Admin Help
Amazon Web Services cloud application - Google Workspace Admin Help
08-02-2023 12:58 PM
Can this process be used to have only certain users use JumpCloud as their IdP for SSO? I set up everything according to this however I can't get it to actually work - I'm sure I'm missing something but I'm not sure what.
08-02-2023 08:10 PM
Hi Jaggrey,
Yes, you can apply the SAML profile to any group/OU of users. You may move the desired users into a designated group/OU and link the SAML profile to it. What error do you get?
08-03-2023 11:36 AM
Hey shawnsong,
I'm not getting any error message. Google just continues to prompt and authenticate instead of redirecting to JumpCloud.
08-03-2023 07:51 PM
Would you mind sharing your GWS/JC SSO settings with us, applying necessary obfuscations, of course? Completely understand that certain information may not be suitable for disclosure in this public forum. If that's the case, I would recommend reaching out directly to our support team, who will be more than happy to assist you in a private and secure manner to resolve this issue.
08-04-2023 11:36 AM
Sure what settings do you need to see? I also opened a ticket yesterday about this and referenced this link.
08-04-2023 11:59 AM
08-04-2023 08:08 PM
Thanks Jaggrey, that's helpful. It looks like the SAML has been created. Have you assigned it to an OU or group as suggested in steps 5 & 6? Try moving an existing user to that OU/group, make sure that user is imported/created in JC, then try logging in again.
08-07-2023 12:06 PM
Yes I have it assigned to a group and to an OU and I'm a part of both. However when I go to Gmail and type in my email address to login, it just asks me for a password instead of redirecting to JumpCloud.
08-07-2023 12:33 PM
So I might have figured this out. It seems to not work for me and another super admin that's in the test group and OU. However it does work for other non-admins that I have in the group.
08-07-2023 08:39 PM
Oh yes, good catch! I'll update my post with your findings, thanks for the feedback! And it's briefly mentioned in this KB.
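The super admin behaviour found in this thread, as an added example that is not part of the original posts: a small audit that sorts users by how they will sign in once the SAML profile is assigned, so a regular account can be picked for validating the flow. The sample data is constructed and shaped like an Admin SDK Directory API `users.list` response; the OU names, addresses, the group member list, and the assumption that child OUs inherit the assignment are not from the thread.

```python
import json

# Constructed sample, shaped like an Admin SDK Directory API users.list response.
# isAdmin marks a super admin in that API; all addresses and OUs are made up.
SAMPLE = """{"users": [
 {"primaryEmail": "admin1@example.com", "isAdmin": true, "orgUnitPath": "/SSO-Pilot"},
 {"primaryEmail": "user1@example.com", "isAdmin": false, "orgUnitPath": "/SSO-Pilot/Sales"},
 {"primaryEmail": "user2@example.com", "isAdmin": false, "orgUnitPath": "/SSO-Pilot-Old"},
 {"primaryEmail": "user3@example.com", "isAdmin": false, "orgUnitPath": "/Staff"},
 {"primaryEmail": "user4@example.com", "isAdmin": false, "orgUnitPath": "/SSO-Pilot",
  "suspended": true}
]}"""

def ou_in_scope(path, sso_ous):
    """True if path is an SSO OU or below one (assumption: child OUs inherit)."""
    path = path.rstrip("/") or "/"
    for ou in sso_ous:
        ou = ou.rstrip("/") or "/"
        # Compare whole path segments so /SSO-Pilot-Old does not match /SSO-Pilot.
        if ou == "/" or path == ou or path.startswith(ou + "/"):
            return True
    return False

def classify(users_json, sso_ous, sso_group_members=()):
    """Sort active users by how they will sign in once the SAML profile applies."""
    members = {m.lower() for m in sso_group_members}
    report = {"redirected_to_idp": [], "super_admin_google_login": [], "out_of_scope": []}
    for user in json.loads(users_json).get("users", []):
        if user.get("suspended"):
            continue  # suspended accounts cannot sign in at all
        email = user["primaryEmail"].lower()
        scoped = email in members or ou_in_scope(user.get("orgUnitPath", "/"), sso_ous)
        if not scoped:
            report["out_of_scope"].append(email)
        elif user.get("isAdmin"):
            # Per the thread: super admins are not sent to JumpCloud.
            report["super_admin_google_login"].append(email)
        else:
            report["redirected_to_idp"].append(email)  # valid SSO test accounts
    return report

if __name__ == "__main__":
    result = classify(SAMPLE, ["/SSO-Pilot"], ["user3@example.com"])
    for bucket, emails in result.items():
        print(f"{bucket}: {', '.join(emails) or '-'}")
```

Accounts listed under `super_admin_google_login` keep signing in with their Google password, so validate the SSO flow with an account from `redirected_to_idp`.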
08-08-2023 06:05 PM
I have another question around this. When users go to Google initially and type in their email address, they're redirected to JumpCloud, which is correct. However they're prompted again by JumpCloud to enter their email address. Is that normal behavior? Is there any way for Google to pass the email address to JumpCloud so that they don't have to enter it twice?
08-08-2023 08:07 PM
Yeah, it basically happens with SP-initiated login on other apps too. Usually, from my own experience, you can tweak the session on GWS to be a bit longer for re-auth (i.e. 14 days), so as long as the user has a login with JC at any given time, the re-auth won't happen too often.
11-23-2023 05:54 AM
I have been experimenting with this setup too. I would like to be able to provision JumpCloud users in a specific OU in Google Workspace, so that they get the JumpCloud SSO experience automatically, but it doesn't seem to be possible to set the "orgUnitPath" property of a user from the Google Workspace Cloud Directory integration. Can I raise this as a feature request?
11-28-2023 11:54 AM
@alanraison of course! You can raise anything as a feature request. If / when it happens will depend on several things, but you are more than welcome to submit something.