11-25-2022 11:20 PM - edited 09-11-2023 09:12 PM
Users will have a consistent, streamlined login experience. This mitigates the user experience friction of the JC <> GWS directory integration, where the user is allowed to change the GWS password separately.
Use Cases
Scenario A - User has ONLY GWS account.
- There are OUs / Groups that are NOT entitled to corp devices, and the accounts are NOT managed in JC (to save the license cost):
- Contractors, external consultants who have limited access to corp apps / data.
- They are using GWS mainly via Chrome (managed) on any devices.
Scenario B - User has both GWS and JC accounts.
- I.e. full-time employees' accounts are managed by JC, as well as their devices.
- User passwords are:
- Managed by JC.
- MFA on JC.
- When users try to change their password on GWS, they will be redirected to JC.
Overview diagram
How to set it up
1. Set up SSO with GWS in your JC tenant, follow the steps here.
2. You can find the YOURDOMAIN on GWS by going to Account → Domains → Manage Domains; use the one with type Primary Domain.
3. Once done and saved, flip to the GWS admin console to continue the steps.
4. Make sure the Entity ID and ACS URL values in the SAML profile you created are copied back to JC's SSO setting.
5. And assign the SAML profile to the desired OUs.
6. Or assign to the desired groups.
7. Done.
Note: For the SSO connectors setup on GWS - User accesses will remain intact if JC SSO is enabled on their OUs / Groups.
[Update 08-08-2023]
Important: When super admins log in after the SAML profile is applied, they will NOT be directed to JumpCloud for SSO sign-in according to this KB. Please validate the SSO flow by using a regular user account.
Reference links (Google):
Set up SSO for your organization - Google Workspace Admin Help
Single Sign On (SSO) with Google Workspace
Pre-integrated SAML apps catalog - Google Workspace Admin Help
Amazon Web Services cloud application - Google Workspace Admin Help
Labels: Single Sign-On, Users and Groups
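One way to check step 4 of the setup above (Entity ID and ACS URL copied back to JC), as an added example that is not part of the original post or of JumpCloud's or Google's tooling: it decodes the `SAMLRequest` parameter from a captured SP-initiated redirect, assuming the HTTP-Redirect binding, and compares the Issuer and ACS URL with the values saved on the IdP side. The function names, URLs and `rpid` value are constructed placeholders.

```python
import base64
import urllib.parse
import zlib
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
MAX_XML = 64 * 1024  # refuse oversized or bomb-like requests

def decode_redirect_request(saml_request_param):
    """Decode a SAMLRequest query value: URL-encoded base64 of raw DEFLATE."""
    raw = base64.b64decode(urllib.parse.unquote(saml_request_param), validate=True)
    inflater = zlib.decompressobj(-15)  # -15 = raw DEFLATE, no zlib header
    xml = inflater.decompress(raw, MAX_XML)
    if inflater.unconsumed_tail:
        raise ValueError("inflated request exceeds size limit")
    if b"<!DOCTYPE" in xml or b"<!ENTITY" in xml:
        raise ValueError("DTD not allowed in SAML messages")
    return xml

def check_authn_request(saml_request_param, jc_entity_id, jc_acs_url):
    """Return mismatches between the SP's request and the values saved in the IdP."""
    root = ET.fromstring(decode_redirect_request(saml_request_param))
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        return [f"unexpected root element {root.tag}"]
    issuer = (root.findtext(f"{{{SAML}}}Issuer") or "").strip()
    acs = root.get("AssertionConsumerServiceURL", "")
    problems = []
    if issuer != jc_entity_id:
        problems.append(f"Entity ID mismatch: SP sends {issuer!r}, IdP has {jc_entity_id!r}")
    if acs != jc_acs_url:
        problems.append(f"ACS URL mismatch: SP sends {acs!r}, IdP has {jc_acs_url!r}")
    return problems

def encode_for_demo(xml):
    """Build a SAMLRequest value the way an SP would (only to make sample input)."""
    c = zlib.compressobj(wbits=-15)
    return urllib.parse.quote(base64.b64encode(c.compress(xml) + c.flush()).decode(), safe="")

# Constructed sample; the rpid value and URLs are placeholders, not real tenant data.
SAMPLE_ENTITY_ID = "https://sp.example.test/samlrp/metadata?rpid=PLACEHOLDER"
SAMPLE_ACS = "https://sp.example.test/samlrp/acs?rpid=PLACEHOLDER"
SAMPLE_REQUEST = encode_for_demo(
    f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_constructed" '
    f'Version="2.0" AssertionConsumerServiceURL="{SAMPLE_ACS}">'
    f"<saml:Issuer>{SAMPLE_ENTITY_ID}</saml:Issuer></samlp:AuthnRequest>".encode()
)
```

An empty list from `check_authn_request` means both values match exactly; a trailing slash or a different `rpid` is reported as a mismatch.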
08-02-2023 12:58 PM
Can this process be used to have only certain users use JumpCloud as their IdP for SSO? I set up everything according to this however I can't get it to actually work - I'm sure I'm missing something but I'm not sure what.
08-02-2023 08:10 PM
Hi Jaggrey,
Yes, you can apply the SAML profile to any group/OU of users; you may move the desired users into a designated group/OU and link the SAML profile to it. What error do you get?
08-03-2023 11:36 AM
Hey shawnsong,
I'm not getting any error message. Google just continues to prompt and authenticate instead of redirecting to JumpCloud.
08-03-2023 07:51 PM
Would you mind sharing your GWS/JC SSO settings with us, applying necessary obfuscations, of course? Completely understand that certain information may not be suitable for disclosure in this public forum. If that's the case, I would recommend reaching out directly to our support team, who will be more than happy to assist you in a private and secure manner to resolve this issue.
08-04-2023 11:36 AM
Sure, what settings do you need to see? I also opened a ticket yesterday about this and referenced this link.
08-04-2023 11:59 AM
08-04-2023 08:08 PM
Thanks Jaggrey, that's helpful. It looks like the SAML has been created; have you assigned it to an OU or group as suggested in steps 5 & 6? Then try to move an existing user to that OU/group, make sure that user is imported/created in JC, and try logging in again.
08-07-2023 12:06 PM
Yes I have it assigned to a group and to an OU and I'm a part of both. However when I go to Gmail and type in my email address to login, it just asks me for a password instead of redirecting to JumpCloud.
08-07-2023 12:33 PM
So I might have figured this out. It seems to not work for me and another super admin that's in the test group and OU. However it does work for other non-admins that I have in the group.
08-07-2023 08:39 PM
Oh yes, good catch! I'll update my post with your findings, thanks for the feedback! It's also briefly mentioned in this KB.
08-08-2023 06:05 PM
I have another question around this. When users go to Google initially and type in their email address, they're redirected to JumpCloud, which is correct. However they're prompted again by JumpCloud to enter their email address. Is that normal behavior? Is there any way for Google to pass the email address to JumpCloud so that they don't have to enter it twice?
08-08-2023 08:07 PM
Yeah, it basically happens with SP-initiated login on other apps too. Usually, from my own experience, you can tweak the session on GWS to be a bit longer for re-auth (i.e. 14 days), so as long as the user has a login with JC at any given time, the re-auth won't happen too often.
11-23-2023 05:54 AM
I have been experimenting with this setup too. I would like to be able to provision JumpCloud users in a specific OU in Google Workspace, so that they get the JumpCloud SSO experience automatically, but it doesn't seem to be possible to set the "orgUnitPath" property of a user from the Google Workspace Cloud Directory integration. Can I raise this as a feature request?
11-28-2023 11:54 AM
@alanraison of course! You can raise anything as a feature request. If / when it happens will depend on several things, but you are more than welcome to submit something.