
Getting Started with G Suite User Import, Provisioning and Sync

JumpCloud can act as the authoritative source of identity for G Suite. It provides for:
  • Secure, persistent connectivity between JumpCloud and G Suite
  • Import of pre-existing Google Accounts into JumpCloud
  • Export (provisioning) of new accounts into G Suite
  • Continual synchronization from JumpCloud to Google Accounts
  • End-user self-service account management

Prerequisites:
JumpCloud's G Suite Directory integration supports the following Google licenses:
  • G Suite for Business
  • G Suite for Education
  • G Suite Basic (requires valid payment input for user additions)
You also need:
  • An active G Suite domain
  • A G Suite Domain Admin (Super Administrator) account
Notes:
  • G Suite for Non Profit and G Suite Free Edition are NOT supported
  • OAuth connection and integration with only one Google domain is allowed
  • G Suite Synchronization is NOT the same as SSO with G Suite


Authorize G Suite Sync
Import existing G Suite users
Bind JumpCloud users to G Suite (Provision New G Suite Users)
Synchronization Maintenance
Scenarios
 
Authorize G Suite Sync
  1. Go to Google Admin > Security > API Reference and check 'Enable API access'.
  2. In the JumpCloud Admin console, go to Directories > G Suite and select "Authorize G Suite Sync".
  3. Access must be granted by a Google Super Admin account. If necessary, log in as a Super Admin, then select 'Allow' to authorize the sync.

 
 

Import existing G Suite users


Upon authorizing the sync, the user import list will automatically launch in a new tab. This can be closed without importing if desired. 
  1. Select one or more users to import
  2. Select 'Import users' at the bottom
  3. The Import Complete dialog will display with the results of the import. Closing this will also close the import list and return to the JumpCloud admin console
  4. Go to Users. All imported users will be inactive pending completion of the registration process

In order to complete registration, the password for the account must be set, either by the user or the admin.  
 

Binding JumpCloud Users to G Suite
 
Binding to G Suite is done on the Directories tab of either the user detail or Group of Users detail by checking 'Google Apps'. When this is done, it will initiate synchronization. The email address of the JumpCloud user must match the email address in G Suite for initial synchronization to function.  The expected behavior once bound is:
  • The user will be sent an email requesting a password reset. If the user's existing password complies with JumpCloud password complexity requirements and password history is not enforced, they may opt to reuse their existing password for G Suite.
  • If the user did not previously exist in G Suite, a new, Active user account will be provisioned to G Suite (when the JumpCloud user's email domain matches the G Suite domain)
  • Accounts in Google Admin 'Suspended users' will be set to an Active user
  • The JumpCloud password will be synced to G Suite when the password is next (re)set; when set, existing sessions to G Suite apps will be expired and the user will need to log on again
  • Changes in the admin console that propagate include First/Last name, account password, and the username portion of the email address (e.g. USERNAME@yourdomain.local)
  • Changes in the user console that propagate include supported extended attributes, e.g. telephone, address, etc.
  • Changing the email domain in JumpCloud on a linked account, so that it no longer matches the G Suite record, will cause adverse behavior
Changes to the account within JumpCloud will propagate immediately to the linked Google User Account.

IMPORTANT: Unbinding a user from the G Suite Directory will immediately place the G Suite user in the Suspended users group within G Suite. The user's existing sessions will be expired and they will be unable to log in to any G Suite resources.
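
The following Python script, added here as an illustration and not part of JumpCloud's tooling, applies the binding rules above to exported user lists before any user is bound, so that accounts which would be reactivated from 'Suspended users' or newly provisioned can be reviewed first. The domain, sample addresses, data shapes and function names are assumptions, as is the case-insensitive email comparison.

```python
# Added example: pre-bind check for the behaviours listed above.
# Input shapes and names are assumptions, not JumpCloud or Google API objects.
from collections import defaultdict

GSUITE_DOMAIN = "example.com"  # constructed placeholder domain

# Constructed sample exports: JumpCloud user emails, and G Suite accounts
# mapped to whether they sit in 'Suspended users'.
JUMPCLOUD_USERS = [
    "alice@example.com",
    "bob@example.com",
    "carol@example.com",
    "dave@other.example",
]
GSUITE_ACCOUNTS = {
    "alice@example.com": {"suspended": False},
    "bob@example.com": {"suspended": True},
}


def classify_bind(email, gsuite_accounts, gsuite_domain):
    """Return the outcome the article describes for binding this user."""
    addr = email.strip().lower()  # assumption: compare case-insensitively
    account = gsuite_accounts.get(addr)
    if account is not None:
        # Bind reactivates suspended accounts, so flag those for review.
        return "reactivate_suspended" if account["suspended"] else "link_existing"
    domain = addr.rpartition("@")[2]
    if domain == gsuite_domain.lower():
        return "provision_new"  # a new Active account is created in G Suite
    return "domain_mismatch"  # the article only promises provisioning on a match


def bind_report(users, gsuite_accounts, gsuite_domain):
    """Group users by expected bind outcome."""
    report = defaultdict(list)
    for email in users:
        report[classify_bind(email, gsuite_accounts, gsuite_domain)].append(email)
    return dict(report)


if __name__ == "__main__":
    for outcome, emails in bind_report(
        JUMPCLOUD_USERS, GSUITE_ACCOUNTS, GSUITE_DOMAIN
    ).items():
        print(f"{outcome}: {', '.join(emails)}")
```

Users reported as reactivate_suspended deserve a check against offboarding records before binding, since binding sets a suspended Google account back to Active.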

 


Synchronization Maintenance
  • Import G Suite Users: Launches the import wizard. This can be run as many times as needed.
  • Reactivate G Suite Sync: This enables an administrator to refresh the tokens of the privileged user accounts that maintain the persisted connection between JumpCloud and the service through OAuth 2.0. This will also help to resolve connection issues and will not result in the 'un-selection' of any currently bound JumpCloud users.
  • Deactivate Service Button: This will break the synchronization with G Suite, then unbind all users and groups from G Suite. G Suite accounts will not be affected when performing this step. Do not use this unless you intend to no longer use the synchronization function.

 
 

Scenarios


There are two main scenarios to set up synchronization with G Suite:
  • Taking over existing G Suite Accounts
  • Provisioning new G Suite Accounts
    • G Suite initiated
    • JumpCloud initiated

Taking over existing G Suite Accounts

Taking over an existing G Suite account follows the process outlined above for importing and binding. Since the user already has access to their Google email, the only consideration is user education that JumpCloud will manage their G Suite password going forward.

Provisioning new G Suite Accounts

G Suite Initiated

Creating the account in the Google Admin first allows for sending a temporary password to an alternate email address, which will allow the user to gain access to their account. This scenario is best when the user is remote or cannot sit down with an admin to complete initial registration. Once the account is created in Google, follow the workflow for taking over an existing account as above. In summary:
  1. Import the user to JumpCloud
  2. Bind the user to G Suite
  3. User sets their password in JumpCloud
  4. Sync is complete

JumpCloud Initiated

JumpCloud does not currently allow for a secondary email address or a way to securely transport a temporary password, so this method is better if the user is on site and can be physically handed a temporary JumpCloud password or allowed to set the password in the admin console.
  1. Add the new user to JumpCloud, set a temporary password
  2. Bind the user to G Suite
  3. Provide the user with the temporary password
  4. User logs into the JumpCloud user console and sets their password
  5. Steps 3 and 4 can be replaced by allowing the user to set the password in the admin console if desired
  6. Sync is complete


 
 

Last Updated: Jul 11, 2017 10:27AM MDT
