Get Started: Google Workspace Integration

The Google Workspace integration allows for secure and consistent connectivity between JumpCloud and Google Workspace. The integration allows an IT Admin to automatically provision new JumpCloud user accounts into Google Workspace and continuously synchronize specified user attributes from JumpCloud to Google accounts in real time. In addition, admins can import users from Google Workspace into JumpCloud and manage distribution groups in Google Workspace from JumpCloud.

Integrating Google Workspace with JumpCloud

Benefits

This integration with JumpCloud provides:

  • Secure, persistent connectivity between JumpCloud and Google Workspace.
  • A convenient way to import pre-existing Google accounts into JumpCloud.
  • Automatic export (provisioning) of new JumpCloud accounts into Google Workspace.
  • Continual user attribute synchronization from JumpCloud to Google accounts.
  • Accessible self-service account management for your end users.
  • A simplified login similar to Security Assertion Markup Language (SAML) Single Sign On (SSO) that lets users log in to JumpCloud and Google Workspace using the same set of credentials.

Important Considerations

  • When you unbind a user from a Google Workspace directory, the user is immediately suspended in Google Workspace and any existing Google sessions expire. After they’re disconnected, the user is unable to log in to any Google Workspace resources connected to that directory.
  • Don’t add a Google Workspace directory more than once in JumpCloud. If you authorize sync for the same Google Workspace directory more than once, users that are connected to multiple instances of the same Google Workspace directory in JumpCloud could be suspended if you remove them from one of the instances. You can avoid this by deactivating the sync for duplicate Google Workspace directories.
  • Only import users that you intend to manage with JumpCloud. You have 48 hours to remove unwanted users and to contact your Account Manager to avoid being charged for any users you remove after import.
  • Synchronization occurs by matching the user’s JumpCloud email address with the Google Workspace primary email address or any of a user’s Google Workspace alias email addresses.
  • Some user attributes are always synced with Google Workspace. You can choose additional user attributes to sync. See Sync User Attributes with Google Workspace.
  • We recommend that you change user emails in the JumpCloud Admin Portal.
  • If you change the email domain in JumpCloud for a linked account to a domain outside of the synced Google Workspace directory, you could cause the user information to stop syncing unless you have configured a list of domains and specified one to use as the default for the integration.  See more information on the domains section.
  • Most changes users make to their personal attributes in the User Portal will sync to Google Workspace if those attributes are to set to sync on export. See Sync User Attributes with Google Workspace.
  • Regardless of state or security settings, users must be unbound from the Google Workspace directory to guarantee that JumpCloud will stop syncing information for that user.
  • Users should be unbound from your Google Workspace integration in JumpCloud before deletion in the cloud directory.

Prerequisites

  • You need an active Google Workspace directory. Google Workspace directories can contain multiple domains. 
  • You need to have a Google Workspace Domain Admin / Google Super Admin account.

Supported Licenses

The following Google licenses are supported for use with JumpCloud's Google Workspace integration:

  • Google Workspace Business editions
  • Google Workspace Education editions
  • Google Workspace Enterprise editions
  • Legacy G Suite Business
  • Legacy G Suite Basic
    • This license requires a valid payment source for user additions.
    • Ensure that you validate the billing contact.
    • Pending actions need to be completed for password sync to function properly.
  • Google Workspace for Non Profits, Google Workspace Essentials Starter, and G Suite Legacy Free Edition aren’t supported. This is a Google restriction; Google only provides their User Access API to paid licenses.

Note:

After reading through this overview, see our series of articles on the Google Workspace Directory Integration:

Google Workspace Integration Scenarios

You can integrate Google Workspace with JumpCloud in the following two ways:

  1. Taking over existing Google Workspace accounts
  2. Provisioning new Google Workspace accounts

Taking Over Existing Google Workspace Accounts

When you import existing Google Workspace users into JumpCloud and assign them to a Google Workspace Cloud Directory Sync integration instance you’ve activated, JumpCloud "takes over" management of those accounts, including being the password authority. JumpCloud will match the account based on the  email address sent as the PrimaryEmail value for the user. Once JumpCloud takes over the account, it will sync all attributes set to “Export” on the Google integration.  See Sync User Attributes with Google Workspace.

Provisioning New Google Workspace Accounts

User account provisioning involves creating and maintaining users and their attributes. New Google Workspace accounts can be provisioned in the Google Admin console or JumpCloud Admin Portal.

Provisioning via Google Workspace

When a user account is created in the Google Admin console, a temporary password can be sent to an alternate email address, which lets users gain access to their account. When you create a user account in Google Workspace, users are provisioned in JumpCloud the following way:

  1. Import the user into JumpCloud.
  2. Bind the user to the Google Workspace directory in which the user was created. See Giving JumpCloud Users Access to Google Workspace for detailed instructions.
  3. Once the user sets their password in the JumpCloud User Portal, the account synchronization will begin.

Provisioning via JumpCloud

When creating a user account in JumpCloud, a user can be given access to their account in two ways. An activation email can be sent to an alternate email address upon activation. Admins can also set a temporary password during account creation.

To send an activation email to an alternate email address via user access to Google Workspace
  1. Add the new user in JumpCloud.
    1. Bind the user to the Google Workspace directory either directly by selecting the Google Workspace directory from the Directories tab or adding the user to a user group that has access to the Google Workspace directory from the User Groups tab.
    2. Leave the Specify initial password box unchecked.
  1. Save the user.
  2. Depending on the user state the user was created in, the flow will vary:
    1. If the user was created in a ‘staged’ user state, the user is not notified of the account creation. When you change their user state to ‘active’, you will be asked if you want to send the user an Activation email that tells them how to register their account. You will also be given an option to specify to which email address to send the activation email.
    2. If the user was created in an ‘active’ user state, you will be asked if you want to send the user an Activation email that tells them how to register their account. You will also be given an option to specify to which email address to send the activation email.

Note:

The Domains configuration will determine what will happen if a user’s work email domain does not match the domain in Google.  See Google Workspace Directory Sync.

  1. The user will click the link in the activation email and set their password.

Warning:

If the user creates a password that doesn’t comply with Google's name and password guidelines, their account won't sync from JumpCloud to Google Workspace, and they will not be able to log in. See Troubleshooting below for more details.

  1. After the user registers their account, creates an account password, and logs in to their JumpCloud User Portal, synchronization of their password and all attributes set to ‘export’ will be begin.
To set a temporary password during creation
  1. Add the new user to JumpCloud.
    1. Bind the user to the Google Workspace directory either directly by selecting the Google Workspace directory from the Directories tab or adding the user to a user group that has access to the Google Workspace directory from the User Groups tab.
    2. Check the Specify initial password box and set a temporary password. 
    3. It is strongly encouraged to select Force user to set their own password at first login.
  2. Save the user.
  3. Depending on the user state the user was created in, the flow will vary. To learn more about user states, see Managing User States.
    1. If the user was created in a ‘staged’ user state, the user is not notified of the account creation. When you change their user state to ‘active’, you will be asked if you want to send the user a Welcome email that tells them to contact their IT admin to receive the password. You will also be given an option to specify to which email address to send the welcome email.
    2. If the user was created in an ‘active’ user state, you will be asked if you want to send the user an Welcome email that tells them to contact their IT admin to receive the password. You will also be given an option to specify to which email address to send the welcome email.
  4. Securely provide the temporary password that was initially set.
  5. Once the user logs in to the JumpCloud User Portal and sets their password, synchronization of their password and all attributes set to ‘export’ will begin.
Back to Top

Still Have Questions?

If you cannot find an answer to your question in our FAQ, you can always contact us.

Submit a Case