探花大神

Contact Us
Help Center Home > Apps and Integrations > SSO with Google Workspace

SSO with Google Workspace

In addition to the 探花大神 Google Workspace Cloud Directory Integration (which enables the provisioning and synchronization of your Google Workspace users from 探花大神), you can also choose to configure the Google Workspace SAML SSO Connector.

The Google Workspace connector provides users with single sign on (SSO) capabilities. They are redirected to the 探花大神 login screen enabling them to log into Google Workspace with their 探花大神 credentials. Using 探花大神 SSO with Google Workspace not only passes user authentication responsibilities to 探花大神, it also allows the option to enforce 探花大神 MFA for authentication and the ability to enforce Conditional Access Policies.

Read this article to learn how to set up Google Workspace SSO.

Important:

Read the SAML Configuration Notes before you start configuring this connector.

Prerequisites

  • A 探花大神 administrator account
  • 探花大神 SSO Package or higher or SSO 脿 la carte option
  • In order to successfully complete the integration between 探花大神 and Google, you must have administrative rights to access configuration in your Google Workspace account
  • Google Workspace for Enterprise, Business, or Education

Important Considerations

  • Non-profit or Standard (Free legacy) editions do not support SAML
  • Google is advising migrating any existing Organization-wide SSO profiles, now called Legacy SSO profiles, to Third-party SSO profiles. See for more information
    • If migrating from Legacy SSO Profiles, you must update the SP details in your 探花大神 connector (SP Entity ID and ACS URLs)
  • When a Google Super Admin tries to sign in to an SSO-enabled domain via admin.google.com, they will not be redirected to 探花大神 for authentication, but rather will be prompted for their full Google email address and associated password
    • Read Google鈥檚 on SSO-enabled domain redirects for Super Admins.

Creating a new 探花大神 Application Integration

  1. Log in to the .
  2. Navigate to USER AUTHENTICATION SSO Applications.
  3. Click + Add New Application.
  4. Type Google Workspace in the Search field and select it.
  5. Click Next.
  6. In the Display Label, type your name for the application. Optionally, you can enter a Description, and choose to hide or Show in User Portal.
  7. Optionally, expand Advanced Settings to specify a value for the SSO IdP URL. If no value is entered, it will default to https://sso.jumpcloud.com/saml2/<application display label>.

Warning:

The SSO IdP URL is not editable after the application is created. You will have to delete and recreate the connector if you need to edit this field at a later time.

  1. Click Save Application.
  2. If successful, click:
    • Configure Application and go to the next section.
    • Close to configure your new application at a later time.

Configuring the SSO Integration

Google Workspace allows mixed SSO policies through the use of SSO profiles. This is also called Partial SSO and gives you the flexibility to specify the authentication authority (探花大神 or Google) for subsets of users in your organization, like vendors or contractors.

To configure Google SSO Profile(s)

Google's SSO profiles provide flexibility to include or exclude specific user groups or organizational units (OUs) from SSO through assignments within your Google Workspace environment. There are two types of SSO profiles;

SSO Profile Automatically enables SSO for all users Assignments required to EXCLUDE from SSO Assignments required to INCLUDE in SSO
Legacy (Organization-wide) Third Party
Third Party

Tip:

For more information, please reference .

Configuring a legacy SSO profile

This configuration will enable SSO for all Google Workspace users (except super admins). All Google Workspace users (except super admins) will be forwarded to 探花大神 for authentication.

Important:

The legacy SSO profile is supported for users who have not migrated to SSO profiles. It only supports usage with a single IdP.

Navigate to Security > Authentication > SSO with third Party IDP > Third-party SSO profiles for your organization to .

Excluding users from a Legacy SSO Profile

Using SSO Profile assignments within Google Workspace, users can be excluded from the Legacy SSO Profile meaning they will sign directly into Google. To , navigate to Security > Authentication > SSO with third Party IDP > Manage SSO profile assignments.

Configuring a third-party SSO profile

This configuration allows you to assign SSO profiles to Google Workspace organization units or groups (except super admins). Only Google Workspace users (except super admins) assigned to the 探花大神 SSO profile will authenticate with 探花大神.

Navigate to Security > Authentication > SSO with third Party IDP > Third-party SSO profiles to .

To assign users to a Third Party SSO Profile

Using SSO Profile assignments, users can be included (except super admins as mentioned above) in the Third Party SSO Profile and be forwarded to 探花大神 for authentication. To , navigate to Security > Authentication > SSO with third Party IDP > Manage SSO profile assignments.

Note:

Google supports up to 1000 different Individual Third Party SSO profiles.

To configure 探花大神

  1. Create a new application or select it from the Configured Applications list.
  2. Select the SSO tab.
  3. Replace any instances of YOURDOMAIN with your Google Workspace domain name.
  4. Add any additional attributes.
  5. Copy the 探花大神 IDP URL for the next section.
  6. Click save.

Download the certificate

  1. Find your application in the Configured Applications list and click anywhere in the row to reopen its configuration window.
  2. Go to SSO tab > Actions > Download certificate.

Tip:

The certificate.pem will download to your local Downloads folder.

To configure Google

  1. Log in to the .
  2. Select Security > Authentication > SSO with third party IdP.
  3. After selecting the appropriate profile, enter the following information:
    • Sign-in page URL - enter the 探花大神 IDP URL.
    • Sign-out page URL - enter https://console.jumpcloud.com.
    • Upload certificate - browse to and select the certificate downloaded in the previous section.
    • (Optional) Change password URL - enter https://console.jumpcloud.com/userconsole#/security

Important:

 If you enter a Change password URL, users will be directed to that page even if you don鈥檛 enable SSO for your organization.

  1. Click Save.

Authorizing User SSO Access

Users are implicitly denied access to applications. After you connect an application to 探花大神, you need to authorize user access to that application. You can authorize user access from the Applications, Users List or User Groups 辫补驳别.听

To authorize user access from the Application’s page

  1. Log in to the .
  2. Go to USER AUTHENTICATION > SSO Applications, then select the application to which you want to authorize user access.
  3. Select the User Groups tab. If you need to create a new group of users, see Get Started: User Groups.
  4. Select the check box next to the desired group of users to which you want to give access.
  5. Click Save.听

To learn how to authorize user access from the聽Users or User Groups聽pages, see聽Authorize Users to an SSO Application.

Validating SSO user authentication workflow(s)

IdP-initiated user workflow

  • Access the
  • Go to聽Applications and click an application tile to launch it
  • 探花大神 asserts the user's identity to the SP and is authenticated without the user having to log in to the application

SP-initiated user workflow

  • Go聽to the SP application login - generally, there is either a special link or an adaptive username field that detects the user is authenticated through SSO

Note:

This varies by SP.

  • Login redirects the user to 探花大神 where the user enters their 探花大神 credentials
  • After the user is logged in successfully, they are redirected聽back to the SP and automatically logged in

Removing the SSO Integration

Important:

These are steps for removing the integration in 探花大神. Consult your SP's documentation for any additional steps needed to remove the integration in the SP. Failure to remove the integration successfully for both the SP and 探花大神 may result in users losing access to the application.

To deactivate the SSO Integration

  1. Log in to the .
  2. Go to USER AUTHENTICATION > SSO Applications.
  3. Search for the application that you鈥檇 like to deactivate and click to open its details panel. 
  4. Select the SSO tab.
  5. Scroll to the bottom of the configuration.
  6. Click Deactivate SSO
  7. Click save
  8. If successful, you will receive a confirmation message.

To delete the application

  1. Log in to the .
  2. Go to USER AUTHENTICATION > SSO Applications.
  3. Search for the application that you鈥檇 like to delete.
  4. Check the box next to the application to select it.
  5. Click Delete.
  6. Enter the number of the applications you are deleting
  7. Click Delete Application.
  8. If successful, you will see an application deletion confirmation notification.

Troubleshooting

I am getting a ‘This domain is not configured to use Single Sign On’ error.

Resolution: Ensure the correct ACS URL is present in the Google Workspace SSO connector in the 探花大神 Admin Portal.

Back to Top

List IconIn this Article

Still Have Questions?

If you cannot find an answer to your question in our FAQ, you can always contact us.

Submit a Case