G Suite User Import, Provisioning, and Sync

JumpCloud can act as the authoritative source of identity for G Suite™. It provides for:
  • Secure, persistent connectivity between JumpCloud and G Suite.
  • Import of pre-existing Google Accounts into JumpCloud.
  • Export (provisioning) of new accounts into G Suite.
  • Continual synchronization from JumpCloud to Google Accounts.
  • End-user self-service account management.

Prerequisites:
  • You must have an active G Suite domain to proceed.
  • A G Suite Domain Admin (Super Administrator).
The following Google licenses are supported for use with JumpCloud's G Suite Directory integration:
  • G Suite for Business
  • G Suite for Education
  • G Suite Basic (requires valid payment input for user additions)
 

Note:

  • G Suite for Non Profit and G Suite Free Edition aren't supported.
    • This is a Google restriction. Google only provides their User Access API to paid license levels. 
  • OAuth connection and integration is only allowed with one Google domain.
  • G Suite Synchronization is NOT the same as SSO with G Suite.
  • If a user is bound to G Suite during the user creation process and a password is set, the user is created in G Suite; however, their password needs to be set a second time for it to synchronize with G Suite.
     

Authorize G Suite Sync
Import existing G Suite users
Export Attributes to G Suite
Bind JumpCloud users to G Suite (Provision New G Suite Users)
Synchronization Maintenance
Scenarios
 
Authorize G Suite Sync
  1. In the Google Admin console, go to Security > API Reference, then select Enable API access.


     
  2.  In the JumpCloud Admin portal, go to Directories > G Suite, then select Authorize G Suite Sync.


     
  3. Access must be granted by a Google Super Admin account. If necessary, log in as a Super Admin and click Allow to authorize the sync.

 
 

Import existing G Suite users


After you authorize the sync, the user import list will automatically launch in a new tab. You can close this tab without importing users.

Note: When users are imported from G Suite, JumpCloud populates the Username field with the username portion of the imported user's email address as it is configured in G Suite.

  1. Select one or more users to import.


     
  2. Click Import users.
  3. The Import Complete dialog will display with the results of the import. If you close this dialog, you will also close the import list and return to the JumpCloud admin portal.
  4. After the import, go to Users. All imported users will be inactive pending completion of the registration process.

 
To complete registration, the password for the account must be set, either by the user or the admin.
 

Export Attributes to G Suite

How does attribute data flow between G Suite and JumpCloud after integration?

Data flow for synced user attributes:

  • When you import a user from G Suite: if data exists for a user’s attributes in G Suite when they are imported, data is written to the equivalent user attributes in JumpCloud.
  • When you bind that user to G Suite in JumpCloud: attributes in G Suite are automatically overwritten with data from JumpCloud. Further, any subsequent changes made to the user’s attributes in JumpCloud are automatically pushed to the corresponding attributes in G Suite.
     
User Attribute Export
With the exception of several attributes that are selected by default, you can choose the user attributes you would like to export to G Suite. Selected attributes are automatically synced with G Suite. This means that after you export an attribute to G Suite, data for that attribute is sent from JumpCloud to G Suite. Likewise, if you choose to stop exporting data for an attribute, it is no longer synced with G Suite. Subsequent changes made to that attribute in JumpCloud are not exported to G Suite.

Important: Take caution when selecting attributes to export. After you select an attribute to export to G Suite it is immediately overwritten with data from JumpCloud and you could potentially lose data stored for that attribute in G Suite. See Attribute Data to learn about how attribute data is exported to G Suite.
 

Attributes that are always exported to G Suite:

  • First name
  • Last name
  • Password
  • Company Email

Attributes you can choose to export to G Suite:

  • Work Address
  • Work Phone
  • Work Fax
  • Work Cell
  • Employee Type
  • Department
  • Employee ID
  • Cost Center
  • Title
  • Home Address
  • Home Phone
  • Personal Cell

Attribute Data

The following table outlines how attribute data is exported from JumpCloud’s API to G Suite’s API. The attribute listed in the JumpCloud API Attribute Name column is exported to the attribute listed in the G Suite API Attribute Name column.

Go here for related API information.
Note about address attributes:
Both the JumpCloud and G Suite APIs allow multiple addresses for a given type. On export, existing G Suite addresses for a given type are replaced with JumpCloud addresses of that type.
 
| JumpCloud API Attribute Name | G Suite Attribute Name | Notes |
| firstname | name.firstName | |
| lastname | name.lastName | |
| password | password | |
| email | primaryEmail | |
| jobTitle | organization.title | For G Suite organization with primary = True |
| employeeIdentifier | externalId.value | For G Suite organization with primary = True |
| department | organization.department | For G Suite organization with primary = True |
| costCenter | organization.costCenter | For G Suite organization with primary = True |
| employeeType | organization.description | For G Suite organization with primary = True |
| addresses.type, addresses.poBox, addresses.extendedAddresses, addresses.locality, addresses.region, addresses.postalCode | addresses.formatted | Addresses are exported as a single, formatted value that includes all of the address values listed in the JumpCloud API Attribute Name column. See Note about address attributes. |
| phoneNumbers.type | phones.type | |
| phoneNumbers.number | phones.value | |
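
A dry-run check for the overwrite behavior described above, added here as an example (it is not JumpCloud's code and calls no real API): it lists the G Suite values that selecting attributes for export would replace. The flattened record shapes, the ", " address separator, the treatment of empty JumpCloud values as overwrites, and the sample users are assumptions; phone numbers are not covered.

```python
# Added example: dry-run of what a JumpCloud -> G Suite export would overwrite.
# Attribute names come from the page's API table; record shapes are assumed.
SCALAR_MAP = {  # JumpCloud API attribute -> G Suite attribute
    "firstname": "name.firstName",
    "lastname": "name.lastName",
    "email": "primaryEmail",
    "jobTitle": "organization.title",
    "employeeIdentifier": "externalId.value",
    "department": "organization.department",
    "costCenter": "organization.costCenter",
    "employeeType": "organization.description",
}
# Always exported per the page; password is too, but cannot be compared here.
ALWAYS_EXPORTED = {"firstname", "lastname", "email"}
ADDRESS_FIELDS = ("poBox", "extendedAddresses", "locality", "region", "postalCode")

def format_address(addr):
    """Collapse a JumpCloud address into one value (", " separator is assumed)."""
    return ", ".join(str(addr[f]) for f in ADDRESS_FIELDS if addr.get(f))

def overwrite_report(jc_user, gs_user, selected):
    """Map each G Suite attribute holding data that the export would change
    to a (current G Suite value, incoming JumpCloud value) pair."""
    report = {}
    for jc_attr in ALWAYS_EXPORTED | (set(selected) & set(SCALAR_MAP)):
        gs_attr = SCALAR_MAP[jc_attr]
        old, new = gs_user.get(gs_attr), jc_user.get(jc_attr)
        if old and old != new:  # assumed: an empty JumpCloud value also overwrites
            report[gs_attr] = (old, new)
    if "addresses" in selected:
        jc_addrs = jc_user.get("addresses", [])
        # All G Suite addresses of a type are replaced by JumpCloud's for that type.
        for typ in sorted({a["type"] for a in jc_addrs}):
            new = [format_address(a) for a in jc_addrs if a["type"] == typ]
            old = [a["formatted"] for a in gs_user.get("addresses", []) if a["type"] == typ]
            if old and old != new:
                report[f"addresses[{typ}]"] = (old, new)
    return report

JC_USER = {  # constructed sample
    "firstname": "Ada", "lastname": "Lovelace", "email": "ada@example.com",
    "jobTitle": "Engineer", "department": None,
    "addresses": [{"type": "work", "poBox": "PO Box 1", "locality": "Boulder",
                   "region": "CO", "postalCode": "80301"}],
}
GS_USER = {  # constructed sample, flattened to the table's G Suite names
    "name.firstName": "Ada", "name.lastName": "Byron", "primaryEmail": "ada@example.com",
    "organization.title": "Engineer", "organization.department": "Research",
    "addresses": [{"type": "work", "formatted": "1 Old Rd, Denver"},
                  {"type": "home", "formatted": "2 Home St"}],
}
```

Run `overwrite_report(JC_USER, GS_USER, {"department", "addresses"})` before selecting those attributes; any entry in the result is G Suite data to back up or copy into JumpCloud first.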
 

The following table outlines how attribute data is exported from JumpCloud’s UI to G Suite’s UI. The attribute listed in the JumpCloud UI Attribute Name column is exported to the attribute listed in the G Suite UI Attribute Name column.

| JumpCloud UI Attribute Name | G Suite Attribute Name | Notes |
| First Name | First name | |
| Last Name | Last name | |
| Password | Password | |
| Company Email | Primary email | |
| Job Title | Job title | |
| Employee ID | Employee ID | |
| Department | Department | |
| Cost Center | Cost center | |
| Work Address | Address (Work) | Data exported for this attribute is viewable only in the G Suite API. This is a drop-down menu field. See Note about address attributes. |
| Work Fax | | Data exported for this attribute is viewable only in the G Suite API. |
| Work Cell | - | Data exported for this attribute is viewable only in the G Suite API. |
| Home Address | Address (Home) | Data exported for this attribute is viewable only in the G Suite API. See Note about address attributes. |
| Home Phone | Phone (Home) | This is a drop-down menu field. |
| Personal Cell | Phone (Mobile) | This is a drop-down menu field. |


Binding JumpCloud Users to G Suite
 
You can bind users and groups to G Suite. Bind users from User Details > Directories. Bind groups from Group Details > Directories. See Binding Users to Resources - Grant Access. After you bind a user or group to G Suite, synchronization is initiated. The email address of the JumpCloud user must match the email address in G Suite for initial synchronization to function. The expected behavior after a user is bound:
  • The user will be sent an email requesting a password reset. If the user's existing password complies with JumpCloud password complexity requirements and password history is not enforced, they may opt to reuse their existing password for G Suite.
  • If the user did not previously exist in G Suite, a new, Active user account will be provisioned to G Suite (when the JumpCloud user's email domain matches the G Suite domain).
  • Accounts in Google Admin 'Suspended users' will be set to an Active user.
  • The JumpCloud password will be synced to G Suite when the password is next (re)set; when set, existing sessions to G Suite apps will be expired and the user will need to log on again.
  • Changing First Name, Last Name, password, and email address: Changes in the admin console that propagate include First/Last name, account password, and the username portion of the email address, username@yourdomain.local.
    • Note: Making changes to an email address in G Suite will break the synchronization between G Suite and JumpCloud. Changes will need to be made in JumpCloud for this requirement.
  • Changes to the user console that propagate include supported extended attributes, e.g. telephone, address, etc.
  • Changing the email domain in JumpCloud on a linked account so that it no longer matches the G Suite record will cause adverse behavior.
IMPORTANT: Unbinding a user from the G Suite Directory will immediately place the G Suite user in the Suspended users group within G Suite. The user's existing sessions will be expired and they will be unable to log in to any G Suite resources.

Synchronization Maintenance
  • Import G Suite Users: Launches the import wizard. This can be run as many times as needed.
  • Reactivate G Suite Sync: This enables an administrator to refresh the tokens of the privileged user accounts that maintain the persisted connection between JumpCloud and the service through OAuth 2.0. This will also help to resolve connection issues and will not result in the ‘un-selection’ of any currently bound JumpCloud users.
  • Deactivate Service Button: This will break the synchronization with G Suite, then unbind all users and groups from G Suite. G Suite accounts will not be affected when performing this step. Do not use this unless you intend to no longer use the synchronization function.

 

 

Scenarios


There are two main scenarios to set up synchronization with G Suite:
  • Taking over existing G Suite Accounts
  • Provisioning new G Suite Accounts
    • G Suite initiated
    • JumpCloud initiated

Taking over existing G Suite Accounts

Taking over an existing G Suite account follows the previously outlined process for importing and binding users. Since users already have access to their Google email, the only consideration is user education that JumpCloud will manage their G Suite password going forward.

Provisioning new G Suite Accounts

G Suite Initiated

Creating the account in the Google Admin first allows for sending a temporary password to an alternate email address, which will allow the user to gain access to their account. This scenario is best when the user is remote or can't sit with an admin to complete initial registration. After the user is created in Google, follow the workflow for taking over an existing account as previously outlined. In summary:
  1. Import the user to JumpCloud
  2. Bind the user to G Suite
  3. User sets their password in JumpCloud
  4. Sync is complete
JumpCloud Initiated

JumpCloud doesn't currently allow for a secondary email address or a way to securely transport a temporary password, so this method is better if the user is on site and can be physically handed a temporary JumpCloud password, or is allowed to set the password in the admin console.
  1. Add the new user to JumpCloud, set a temporary password
  2. Bind the user to G Suite
  3. Provide the user with the temporary password
  4. User logs into the JumpCloud user console and sets their password
  5. Steps 3 and 4 can be replaced by allowing the user to set the password in the admin console if desired
  6. Sync is complete


 
 
 

Last Updated: Jul 18, 2019 09:53AM MDT
