Use JC SSO to mandate Google Workspace users' passwords - on specific GWS OU(s) and Groups

Rising Star I

Users will have a consistent, streamlined login experience. This mitigates the user-experience friction of the JC <> GWS directory integration, where a user is allowed to change the GWS password separately.

Use Cases
Scenario A - User has ONLY GWS account.

  • Some OUs / Groups are NOT entitled to corp devices, and their accounts are NOT managed in JC (to save the license cost):
    • Contractors and external consultants who have limited access to corp apps / data.
    • They are using GWS mainly via Chrome (managed) on any device.

Scenario B - User has both GWS and JC accounts.

  • I.e. full-time employees' accounts are managed by JC, as are their devices.
    • User passwords are:
    • Managed by JC.
    • MFA on JC.
    • When users try to change their password on GWS, they will be redirected to JC.

Overview diagram

[Diagram: GWS and JC use case]

How to set it up

  1. Set up SSO with GWS in your JC tenant by following the steps here.
  2. You can find the YOURDOMAIN on GWS by going to Account → Domains → Manage Domains. Use the one with type Primary Domain.
  3. Once done and saved, switch to the GWS admin console to continue the steps.
  4. Make sure the Entity ID and ACS URL values in the SAML profile you created are copied back to JC's SSO settings.
  5. Assign the SAML profile to the desired OUs.
  6. Or assign it to the desired groups.
  7. Done.

Note: For the SSO connectors set up on GWS, user access will remain intact if JC SSO is enabled on their OUs / Groups.

Reference links (Google):

Set up SSO for your organization - Google Workspace Admin Help

Single Sign On (SSO) with Google Workspace

Pre-integrated SAML apps catalog - Google Workspace Admin Help

Amazon Web Services cloud application - Google Workspace Admin Help