
Configure Google Workspace as an Identity Provider

Integrate an existing Identity Provider (IdP) with JumpCloud to allow users to securely authenticate using their IdP credentials to gain access to their managed resources.

Prerequisites

  • You need to have a Google Cloud account with the permission to create new Google Cloud Projects.
  • You need to have Admin with Billing permissions to configure an IdP. 

Considerations

Preparing your IdP to Configure with JumpCloud

To prepare your connection:

  1. Log in to your Google Cloud Console.
  2. Next to the logo in the top left corner, click the dropdown menu, then in the top right corner of the modal, click NEW PROJECT. Name it something associated with JumpCloud, like ‘JumpCloud OIDC’, and click CREATE.
  1. In the left menu, go to OAuth consent form.
  2. Click Get Started to configure Google Auth Platform.
  3. On the App Information page, enter an App name*, something associated with JumpCloud, like ‘JumpCloud’.
  4. In the next dropdown menu, select a User support email*.
  5. Click NEXT.
  6. Under Audience, select Internal, then click NEXT.
  7. Under Contact Information, enter a contact email address, then click NEXT.
  8. Under Finish, select to agree to the policy and click CONTINUE, then CREATE.
  9. In the left menu, go to Branding. Scroll down to Authorized domains, under Authorized domain 1*, enter jumpcloud.com
  10. Under Developer contact information, enter an Email address*
  11. Click SAVE.
  12. In the left menu, go to Data Access to manage the scopes. Click ADD OR REMOVE SCOPES.
  13. Select the first three scopes: email, openid, and profile.
  14. Click UPDATE then SAVE.
  15. In the left menu, go to Clients. In the top menu, click + CREATE CLIENT.
  16. On the next page, click the Application type* dropdown menu and select Web application.
  17. Then, enter a Name*, something associated with JumpCloud, like ‘JumpCloud OIDC’.
  18. Under Authorized redirect URIs, enter https://login.jumpcloud.com/oauth/callback
  19. Click CREATE.
  20. An OAuth client created modal appears, showing the Client ID, Client secret, Creation date, and Status.
  21. Copy the Client ID and Client secret to your clipboard. You’ll need these to configure Google Cloud in JumpCloud. Then click OK to exit the modal.

Now, you have a connection to JumpCloud in Google Cloud. Next, you’ll want to configure the connection in JumpCloud.
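Before moving on, the OAuth client created above can be checked against the values from these steps. The script below is an added example, not JumpCloud's or Google's own code; it assumes you have the client's JSON export from the Google Cloud Console (top-level `web` key with `client_id` and `redirect_uris`), and `audit_client` is a hypothetical helper name.

```python
import json
from urllib.parse import urlsplit

# Redirect URI from step 18 of this page.
EXPECTED_REDIRECT = "https://login.jumpcloud.com/oauth/callback"

# Constructed samples; IDs and secrets are placeholders, not real credentials.
SAMPLE_GOOD = json.dumps({"web": {
    "client_id": "000000000000-placeholder.apps.googleusercontent.com",
    "client_secret": "PLACEHOLDER",
    "redirect_uris": [EXPECTED_REDIRECT],
}})
SAMPLE_BAD = json.dumps({"web": {
    "client_id": "000000000000-placeholder.apps.googleusercontent.com",
    "client_secret": "PLACEHOLDER",
    "redirect_uris": ["http://login.jumpcloud.com/oauth/callback",
                      "https://login.jumpcloud.com/oauth/callback/"],
    "javascript_origins": ["https://example.test"],
}})


def audit_client(raw_json):
    """Return a list of findings; an empty list means the client matches the page."""
    doc = json.loads(raw_json)
    if "web" not in doc:
        found = ", ".join(sorted(doc))
        return ["application type is not 'Web application' (found: %s)" % found]
    web, findings = doc["web"], []
    if not web.get("client_id", "").endswith(".apps.googleusercontent.com"):
        findings.append("client_id does not look like a Google OAuth client ID")
    uris = web.get("redirect_uris", [])
    if EXPECTED_REDIRECT not in uris:
        findings.append("expected redirect URI is missing: " + EXPECTED_REDIRECT)
    for uri in uris:
        if uri == EXPECTED_REDIRECT:
            continue  # exact string match only; a trailing slash is a different URI
        why = "not https" if urlsplit(uri).scheme != "https" else "not the URI from this page"
        findings.append("extra redirect URI (%s): %s" % (why, uri))
    if web.get("javascript_origins"):
        findings.append("JavaScript origins are set; the steps on this page configure none")
    return findings


if __name__ == "__main__":
    for name, sample in (("good", SAMPLE_GOOD), ("bad", SAMPLE_BAD)):
        print(name, audit_client(sample) or "OK")
```

Every registered redirect URI is a place an authorization code can be delivered, so the check treats anything other than the single URI from step 18 as a finding.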

Configuring Google Cloud as an IdP in JumpCloud

To configure Google Cloud:

  1. Log in to your .
  2. Click DIRECTORY INTEGRATIONS > Identity Providers.
  3. Click the Add Identity Provider dropdown menu, and select Google
  4. Enter an Identity Provider Name* as a display name (e.g. Google OIDC).
  5. Under Google IdP URL*, enter . 
  6. For Client ID*, paste in the Client ID that you copied to your clipboard.
  7. For Client Secret, paste in the Client secret that you copied to your clipboard.
  8. Click Save

Managing the IdP 

To manage the IdP:

  1. From your , click DIRECTORY INTEGRATIONS > Identity Providers.
  2. You can update the name, Google IdP URL, Client ID, and Client Secret. 
  3. Under Authentication, you’ll see that Federation is applied to your users, allowing them to authenticate with an IdP. 
  4. Under Device Account Provisioning, you can configure either Self Service Account Provisioning or Automated Device Enrollment for whichever OS you’re provisioning. The Status displays either Enabled or Disabled accordingly; click Configure to edit.

Deleting the IdP

To delete the IdP:

  1. From your , click DIRECTORY INTEGRATIONS > Identity Providers.
  2. At the bottom of the IdP Configuration page, under Delete Identity Provider, click Delete IdP
  3. You’ll be prompted to confirm your deletion, then click Yes, Delete

Additional Resources:

Walk through a guided simulation for
