̽»¨´óÉñ

In addition to the ̽»¨´óÉñ Google Workspace Cloud Directory Integration (which enables the provisioning and synchronization of your Google Workspace users from ̽»¨´óÉñ), you can also choose to configure the Google Workspace SAML SSO Connector.

The Google Workspace connector provides users with single sign on (SSO) capabilities. They are redirected to the ̽»¨´óÉñ login screen enabling them to log into Google Workspace with their ̽»¨´óÉñ credentials. Using ̽»¨´óÉñ SSO with Google Workspace not only passes user authentication responsibilities to ̽»¨´óÉñ, it also allows the option to enforce ̽»¨´óÉñ MFA for authentication and the ability to enforce Conditional Access Policies.

Read this article to learn how to set up Google Workspace SSO.

Prerequisites

• A ̽»¨´óÉñ administrator account
• ̽»¨´óÉñ SSO Package or higher or SSO à la carte option
• In order to successfully complete the integration between ̽»¨´óÉñ and Google, you must have administrative rights to access configuration in your Google Workspace account
• Google Workspace for Enterprise, Business, or Education

Important Considerations

• Non-profit or Standard (Free legacy) editions do not support SAML
• Google is advising migrating any existing Organization-wide SSO profiles, now called Legacy SSO profiles, to Third-party SSO profiles. See for more information
  • If migrating from Legacy SSO Profiles, you must update the SP details in your ̽»¨´óÉñ connector (SP Entity ID and ACS URLs)
• When a Google Super Admin tries to sign in to an SSO-enabled domain via admin.google.com, they will not be redirected to ̽»¨´óÉñ for authentication, but rather will be prompted for their full Google email address and associated password
  • Read Google’s on SSO-enabled domain redirects for Super Admins.

Creating a new ̽»¨´óÉñ Application Integration

1. Log in to the .
2. Navigate to USER AUTHENTICATION > SSO Applications.
3. Click + Add New Application.
4. Type Google Workspace in the Search field and select it.
5. Click Next.
6. In the Display Label, type your name for the application. Optionally, you can enter a Description, and choose to hide or Show in User Portal.
7. Optionally, expand Advanced Settings to specify a value for the SSO IdP URL. If no value is entered, it will default to https://sso.jumpcloud.com/saml2/<application display label>.

8. Click Save Application.
9. If successful, click:
   • Configure Application and go to the next section.
   • Close to configure your new application at a later time.

Configuring the SSO Integration

Google Workspace allows mixed SSO policies through the use of SSO profiles. This is also called Partial SSO and gives you the flexibility to specify the authentication authority (̽»¨´óÉñ or Google) for subsets of users in your organization, like vendors or contractors.

To configure Google SSO Profile(s)

Google's SSO profiles provide flexibility to include or exclude specific user groups or organizational units (OUs) from SSO through assignments within your Google Workspace environment. There are two types of SSO profiles;

Configuring a legacy SSO profile

This configuration will enable SSO for all Google Workspace users (except super admins). All Google Workspace users (except super admins) will be forwarded to ̽»¨´óÉñ for authentication.

Navigate to Security > Authentication > SSO with third Party IDP > Third-party SSO profiles for your organization to .

Excluding users from a Legacy SSO Profile

Using SSO Profile assignments within Google Workspace, users can be excluded from the Legacy SSO Profile meaning they will sign directly into Google. To , navigate to Security > Authentication > SSO with third Party IDP > Manage SSO profile assignments.

Configuring a third-party SSO profile

This configuration allows you to assign SSO profiles to Google Workspace organization units or groups (except super admins). Only Google Workspace users (except super admins) assigned to the ̽»¨´óÉñ SSO profile will authenticate with ̽»¨´óÉñ.

Navigate to Security > Authentication > SSO with third Party IDP > Third-party SSO profiles to .

To assign users to a Third Party SSO Profile

Using SSO Profile assignments, users can be included (except super admins as mentioned above) in the Third Party SSO Profile and be forwarded to ̽»¨´óÉñ for authentication. To , navigate to Security > Authentication > SSO with third Party IDP > Manage SSO profile assignments.

To configure ̽»¨´óÉñ

1. Create a new application or select it from the Configured Applications list.
2. Select the SSO tab.
3. Replace any instances of YOURDOMAIN with your Google Workspace domain name.
4. Add any additional attributes.
5. Copy the ̽»¨´óÉñ IDP URL for the next section.
6. Click save.

Download the certificate

1. Find your application in the Configured Applications list and click anywhere in the row to reopen its configuration window.
2. Select the SSO tab and click IDP Certificate Valid > Download certificate.

To configure Google

1. Log in to the .
2. Select Security > Authentication > SSO with third party IdP.
3. After selecting the appropriate profile, enter the following information:
   • Sign-in page URL - enter the ̽»¨´óÉñ IDP URL.
   • Sign-out page URL - enter https://console.jumpcloud.com.
   • Upload certificate - browse to and select the certificate downloaded in the previous section.
   • (Optional) Change password URL - enter https://console.jumpcloud.com/userconsole#/security

4. Click Save.

Authorizing User SSO Access

Users are implicitly denied access to applications. After you connect an application to ̽»¨´óÉñ, you need to authorize user access to that application. You can authorize user access from the Application Configuration panel or from the Groups Configuration panel. 

To authorize user access from the Application Configuration panel

1. Log in to the .
2. Go to USER AUTHENTICATION > SSO Applications, then select the application to which you want to authorize user access.
3. Select the User Groups tab. If you need to create a new group of users, see Get Started: User Groups.
4. Select the check box next to the group of users you want to give access.
5. Click save. 

To learn how to authorize user access from the Groups Configuration panel, see Authorize Users to an SSO Application.

Validating SSO user authentication workflow(s)

IdP-initiated user workflow

• Access the
• Go to Applications and click an application tile to launch it
• ̽»¨´óÉñ asserts the user's identity to the SP and is authenticated without the user having to log in to the application

SP-initiated user workflow

• Go to the SP application login - generally, there is either a special link or an adaptive username field that detects the user is authenticated through SSO

• Login redirects the user to ̽»¨´óÉñ where the user enters their ̽»¨´óÉñ credentials
• After the user is logged in successfully, they are redirected back to the SP and automatically logged in

Removing the SSO Integration

To deactivate the SSO Integration

1. Log in to the .
2. Go to USER AUTHENTICATION > SSO Applications.
3. Search for the application that you’d like to deactivate and click to open its details panel. 
4. Select the SSO tab.
5. Scroll to the bottom of the configuration.
6. Click Deactivate SSO. 
7. Click save. 
8. If successful, you will receive a confirmation message.

To delete the application

1. Log in to the .
2. Go to USER AUTHENTICATION > SSO Applications.
3. Search for the application that you’d like to delete.
4. Check the box next to the application to select it.
5. Click Delete.
6. Enter the number of the applications you are deleting
7. Click Delete Application.
8. If successful, you will see an application deletion confirmation notification.