Google Workspace SSO
Users can authenticate to JumpWire using their Google Workspace account. This has the benefit of syncing their group memberships into JumpWire, so that data access permissions assigned to groups can be applied to users' sessions when connecting to a database through JumpWire.
The following guide will help you set up Single Sign-On through Google Workspace. You will need an administrator to create OAuth credentials and grant JumpWire the ability to read users' group memberships.
Visit Google's cloud console to get started. All of the configuration is done under "APIs & Services".
By creating a new project to create an OAuth client, you can customize the OAuth login screen that is shown to users. Or if you have an existing project that isn't used for OAuth, that works fine too.
You can give the project any name you'd like, or here's a name you can use: jumpwire-oauth
Next, make sure that the Admin SDK API is enabled in the project. JumpWire uses the Admin SDK API to include your users' group memberships when they log in using Google Workspace.
Visit the API library in Google's cloud console to enable the Admin SDK API. Search for "Admin SDK API" in the search box.
Select the Admin SDK API and click the "enable" button to enable this API for your project.
Next, set up the OAuth Consent Screen to customize the login experience and grant the correct auth scopes to the application.
Visit the OAuth consent screen page under "APIs & Services".
Select Internal for the User Type.
Enter the following information for App information:
Give the app the name JumpWire. For User support, select an email from the dropdown that corresponds to your internal tech support. If you'd like to customize the logo, here's one:
App domain information can be left blank.
For authorized domains, click "add domain" and enter auth0.com
For Developer contact information, you can enter [email protected], or use the same email from above for your technical support team.
On the Scopes page, click "add or remove scopes".
Select .../auth/userinfo.email, which should be on the first page, and .../auth/admin.directory.group.member.readonly, which will be a few pages in.
Click "save and continue" and you'll be shown a summary screen.
Now create OAuth client credentials, which will be used by JumpWire's authentication provider, Auth0, to complete the OAuth flow for users.
Visit the credentials page under "APIs & Services" to create an OAuth client. Click the "create credentials" button and select OAuth client ID.
In the Application type dropdown, select Web application. For Name, enter JumpWire, or something more fun if you want.
For Authorized JavaScript origins, click "add uri" and enter https://jumpwire.us.auth0.com. For Authorized redirect URIs, click "add uri" and enter https://jumpwire.us.auth0.com/login/callback
Click "create" to complete the setup.
After a few seconds, you'll see a modal titled "OAuth client created". It has a Client ID and a Client secret. Copy each of those and enter them into the form on the JumpWire SSO page. Note that JumpWire does not store these values, but uses them to create the connection in our authentication provider, Auth0.
Finally, navigate to the Group Access page in JumpWire, and configure the Google Workspace OAuth connection under the SSO tab. Here's a direct link to the page.
You'll see abbreviated configuration details for the steps above. Scroll down until you see the form for submitting OAuth client information.
Enter your Google Workspace domain, for example jumpwire.io. Also enter the OAuth client ID and client secret that you were given when creating the client in the Google Console above. Click "Save".
If successful, you will see a link displayed for the connection that was created. Have a Google admin, probably the same person who created the client, follow the link and authorize the JumpWire app. This gives JumpWire the ability to get the user's group membership as part of the OAuth response.
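To double-check the setup, the following added example (not JumpWire's or Google's code) audits an OAuth client against the origin, redirect URI and scopes given in the steps above, flagging anything extra or missing. It assumes the client was saved with the console's download-JSON option, which wraps a Web application client in a "web" object; the function names and the sample client are constructed for illustration.

```python
import json
from urllib.parse import urlsplit

# Values from the setup steps on this page.
EXPECTED = {
    "javascript_origins": "https://jumpwire.us.auth0.com",
    "redirect_uris": "https://jumpwire.us.auth0.com/login/callback",
}
# Scope suffixes as the console lists them on the Scopes page.
EXPECTED_SCOPES = ("/auth/userinfo.email",
                   "/auth/admin.directory.group.member.readonly")


def audit_client(client_json):
    """Return findings for a client JSON (assumed console download format)."""
    web = json.loads(client_json).get("web")
    if web is None:
        return ["application type is not 'Web application'"]
    findings = []
    for key, expected in EXPECTED.items():
        values = web.get(key, [])
        if expected not in values:
            findings.append(f"{key}: missing {expected}")
        for uri in values:
            if uri == expected:
                continue
            # Anything beyond the single expected value widens the client.
            why = "non-HTTPS" if urlsplit(uri).scheme != "https" else "extra"
            findings.append(f"{key}: {why} entry {uri}")
    return findings


def audit_scopes(scopes):
    """Flag scopes beyond the two this guide selects, and any missing one."""
    findings = [f"unexpected scope {s}" for s in scopes
                if not s.endswith(EXPECTED_SCOPES)]
    findings += [f"missing scope ...{suffix}" for suffix in EXPECTED_SCOPES
                 if not any(s.endswith(suffix) for s in scopes)]
    return findings


# Constructed sample: a client with one stray redirect URI left from testing.
SAMPLE = json.dumps({"web": {
    "client_id": "EXAMPLE.apps.googleusercontent.com",
    "javascript_origins": ["https://jumpwire.us.auth0.com"],
    "redirect_uris": ["https://jumpwire.us.auth0.com/login/callback",
                      "http://localhost:3000/callback"]}})

if __name__ == "__main__":
    for finding in audit_client(SAMPLE) + audit_scopes([".../auth/userinfo.email"]):
        print(finding)
```

An empty list from both functions means the client matches the values in this guide.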
Cheers!