Overview

ShiftControl supports both user sync and Single Sign-On (SSO) for Google Workspace. Since Google Workspace is a core application in many organizations and has its own directory of users, it is treated a bit differently than regular SSO apps.

Google Workspace user synchronization is handled through a dedicated Google App via JumpCloud. However, once we enforce SSO, your users will need to be assigned the SSO application in order to log into Google Workspace and related services.

Supported Licenses

Google Workspace supports SSO on all licenses!

What you need to know

Add a Google Application and Configure SSO

Follow these instructions in order to add Google Workspace to ShiftControl and configure Single Sign-on (SSO).

We recommend configuring SSO for your entire organization and excluding any Organizational Units (OUs) as required. Please see “Google does not enforce SSO for Admins” in the previous section for more info on why we recommend this.

Create an OU to test authentication

1

Log in to the Google Workspace Admin Panel

Go to https://admin.google.com and log in as an Admin.

2

Manage OUs

Go to Directory→Organizational Units

3

Create an OU

Click on Create organizational unit.

4

Create an OU

Set the name as SSO-Test, give it a description, and add it to your parent organization.

If you already have OUs set up, you may choose to put this somewhere that makes more sense for your structure.


You’ve now created an Organizational Unit that we can use to assign our SSO configuration. We’ll use this to ensure we can test it before you deploy it for all users.

Configure a SAML Profile to configure SSO

1

Go to SSO with third-party IdP

Go to Security→Authentication→SSO with third party IdP

2

Add SAML profile

We’ll add a profile first so we can test SSO for a specific OU. Click on ADD SAML PROFILE.

3

Configure the SAML profile

Configure the SAML profile:

  1. SSO profile name: SSO or any other unique name
  2. IDP Entity ID: yourdomain.com
  3. Sign-in Page URL: The “IDP URL” from the app’s SSO page in JumpCloud (Soon to be shown in ShiftControl)
  4. Sign-out page URL: https://console.jumpcloud.com
  5. Change password URL: https://console.jumpcloud.com
  6. Upload the certificate: Found by clicking Download certificate on the left in the app’s SSO page in JumpCloud (Soon to be available in ShiftControl)
4

Save the profile

Click Save

5

Review the configuration page

You’ll come to a page that shows the configuration. We’ll need the Entity ID and ACS URL from it.

6

Copy the SP Entity ID

Copy the Entity ID and paste it into JumpCloud’s App in the SSO area (Coming soon to the ShiftControl UI):

7

Copy the ACS URL

Copy the ACS URL and paste it into JumpCloud’s App in the SSO area (Coming soon to the ShiftControl UI):

8

Save

Click Save in JumpCloud and click Back in Google Workspace. We’re now ready to assign the profile to your OU.
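
The steps above copy values between the Google SAML profile and the JumpCloud app by hand. The following added example (not code from ShiftControl, JumpCloud or Google) compares the two sides so a copy/paste slip is caught before the test login. The dictionary keys are this example's own labels and the sample URLs are constructed placeholders.

```python
from urllib.parse import urlsplit

# Key names in these dicts are this example's own labels, not product field names.
PAIRS = [  # (label, key on the Google side, key on the JumpCloud side)
    ("SP Entity ID", "sp_entity_id", "sp_entity_id"),
    ("ACS URL", "acs_url", "acs_url"),
    ("Sign-in page URL / IDP URL", "sign_in_url", "idp_url"),
]
URL_FIELDS = ["acs_url", "sign_in_url", "sign_out_url", "change_password_url"]

def drift(a, b):
    """Say how two values that must be identical differ; None if they match."""
    if a == b:
        return None
    a, b = a.strip(), b.strip()
    if a == b:
        return "stray whitespace from copy/paste"
    if a.rstrip("/") == b.rstrip("/"):
        return "trailing slash differs"
    if a.lower() == b.lower():
        return "letter case differs"
    return "values differ"

def check_sso_values(google, jumpcloud):
    """Return a list of problems; an empty list means both sides agree."""
    problems = []
    for label, g_key, j_key in PAIRS:
        why = drift(google.get(g_key, ""), jumpcloud.get(j_key, ""))
        if why:
            problems.append(f"{label}: {why}")
    for key in URL_FIELDS:
        url = urlsplit(google.get(key, "").strip())
        if url.scheme != "https" or not url.hostname:
            problems.append(f"{key}: not an absolute https:// URL")
    return problems

# Constructed sample values (placeholders, not real tenant data).
GOOGLE = {
    "sp_entity_id": "https://sp.example.test/metadata?rpid=PLACEHOLDER",
    "acs_url": "https://sp.example.test/acs?rpid=PLACEHOLDER",
    "sign_in_url": "https://idp.example.test/saml2/PLACEHOLDER",
    "sign_out_url": "https://console.jumpcloud.com",
    "change_password_url": "https://console.jumpcloud.com",
}
JUMPCLOUD = {
    "sp_entity_id": GOOGLE["sp_entity_id"] + " ",          # pasted with a trailing space
    "acs_url": GOOGLE["acs_url"].replace("/acs", "/ACS"),  # retyped by hand
    "idp_url": GOOGLE["sign_in_url"],
}
```

Calling check_sso_values(GOOGLE, JUMPCLOUD) on the sample data reports the trailing space in the SP Entity ID and the case change in the ACS URL.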

Assign a SAML Profile to an Organizational Unit (OU)

1

Go to SSO with third-party IdP

Go to Security→Authentication→SSO with third party IdP

2

Click on Get Started

Click on Get Started (if you haven’t assigned any profiles in the past)

3

Select SSO-Test in Organizational Unit area

Click on SSO-Test on the left in the Organizational Unit area

4

Choose Another SSO Profile

Choose Another SSO Profile, and select the SSO-SAML profile we built before.

5

Set Google prompt for username

Keep the default of “Have Google prompt for their username, then redirect them to this profile’s IDP sign-in page”

6

Click Override

Then click Override

7

Assign a user into the OU for testing

You are now ready to assign a user into that OU for testing.

Assign a user into the SSO Testing Organizational Unit

1

Go to the users directory

Go to Directory→Users

2

Select the user from the list

Select the user from the list

3

Change organizational unit

Click on Change organizational unit in the More options menu

4

Select SSO-Test and click Continue

Select SSO-Test and click Continue

5

Review the warning and click Change

Review the warning and click Change. If you don’t currently use OUs, there will be no impact other than SSO, as all other rules are inherited from the main organization.

6

Verify user in SSO Test OU

The user is now in the SSO Test OU.

From here, you can open an incognito window and try authenticating to google.com. Make sure the user you are using to test with is assigned the Application in the ShiftControl admin panel.
