Integrate Google Workspace as an Identity Provider

To integrate Google Workspace with Juniper Mist, create an LDAP client in the Google Admin Console and then add it as an Identity Provider in your Juniper Mist organization.

About Google Workspace Integrations

Google Workspace integrations use a secure Lightweight Directory Access Protocol over SSL (LDAPS) connector for the following use cases:

  • For certificate-based (EAP-TLS or EAP-TTLS) authorization:
    • Retrieves user group membership information to support authentication policies based on the user's identity
    • Gets the status (active or suspended) of a user account
  • For EAP-TTLS with PAP:
    • Checks the username and password for authentication with Google's Identity Provider

Preparations in the Google Admin Console

Before you can integrate Google Workspace with Juniper Mist, you need to go to your Google Admin Console and create an LDAP client for the Juniper Mist Access Assurance connector. Use the following tips to configure your LDAP client with the appropriate settings.

Note:

As a Google admin, refer to Google resources if you need step-by-step help. For example, consider using this Google help topic: https://support.google.com/a/answer/9048434. (This link is provided as a suggestion only. Search and browse through your Google documentation as needed.)

Tips for Your Google Admin LDAP Client

  • When adding your LDAP client, give it a descriptive name that you can later incorporate into the IdP name in your Juniper Mist organization.

  • In the access permissions for your LDAP client:

    • Verify user credentials—Entire domain

    • Read user information—Entire domain

    • Read group information—On

  • Download the LDAPS client certificate, and save it so that you can use it later in this procedure.

  • In the Client Details:

    • Authentication—Generate access credentials, and copy the username and password so that you can use these values later in this procedure.

    • Service Status—Set to On for everyone.

Add Your LDAP Client as an Identity Provider in Juniper Mist

Before You Begin

You must have a Juniper Mist admin account with the Super User role.

You'll need the following information from the Google Admin Console:

  • The certificate files that you downloaded for your LDAP client

    You'll have one file with a KEY extension and one file with a CRT extension.

  • The username and password that you copied when you generated your LDAP client credentials

To add your LDAP Client as an Identity Provider in Juniper Mist:

  1. From the left menu of the Juniper Mist portal, select Organization > Access > Identity Providers.

    The Identity Providers page displays any configured identity providers.

  2. Click Add IDP, near the top-right corner of the page.
  3. In the Configuration section of the New Identity Provider page, enter the following settings.
    Table 1: Juniper Mist IdP Settings for a Google Workspace Integration

    Name
      Enter a descriptive name to identify this IdP. You might find it helpful to incorporate the words Google Workspace and the name that you used for the LDAP client in the Google Admin Console. Example: Google-Workspace-MyMistLDAPclient

    IDP Type
      Select LDAPS.

    LDAP Type
      Select Custom.

    Group Filter
      Enter: memberOf
      This option is required to obtain group memberships from the group attribute.

    Member Filter
      Enter: memberOf

    User Filter
      Enter: (mail=%s)

    Server Hosts
      Enter: ldap.google.com

    Domain Names
      Enter your Google Workspace domain name. For example: abc.com

    Bind DN
      Enter the username that you copied after you generated the LDAP client access credentials in Google Workspace.

    Bind Password
      Enter the password that you copied after you generated the LDAP client access credentials in Google Workspace.

    Base DN
      Derive this from your domain name. For example, if you entered abc.com in the Domain Names field, your Base DN is: dc=abc,dc=com
  4. In the Client Certificate section of the page:
    1. Click Add Certificate.
    2. On your device, open the certificate files that you downloaded from Google Admin Console.
    3. Copy the full text of the KEY file, and paste it into the Private Key field.
    4. Copy the full text of the CRT file, and paste it into the Signed Certificate field.
    5. Click Save at the bottom of the certificate window.
  5. In the CA Certificate section of the page:
    1. Copy the text shown below, and paste it in the Signed Certificate field.
    2. Click Save at the bottom of the certificate window.
  6. Click Save at the top-right corner of the New Identity Provider page.
After setting up a new integration, you should make some test connections and verify that everything is working as expected. See Verify a New Integration.
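As an added check before you rely on the Mist-side configuration (example code written for this page, not part of Juniper's or Google's tooling), the following Python derives the Base DN from the domain name exactly as Table 1 describes, fills the (mail=%s) User Filter with an RFC 4515-escaped login name, and builds the OpenLDAP ldapsearch command that exercises the same LDAPS client certificate, bind DN and filter against ldap.google.com. The file paths and bind username it prints are placeholders; substitute the values from your Google Admin Console.

```python
import shlex

# RFC 4515 escapes for a value substituted into an LDAP search filter.
# Escaping before filling the "(mail=%s)" template keeps a typed login name
# from rewriting the filter: a bare "*" would otherwise match every account.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def base_dn_from_domain(domain: str) -> str:
    """abc.com -> dc=abc,dc=com, as the Base DN row of Table 1 describes."""
    labels = [label for label in domain.strip().lower().split(".") if label]
    if not labels:
        raise ValueError("domain must contain at least one DNS label")
    return ",".join(f"dc={label}" for label in labels)


def render_user_filter(template: str, username: str) -> str:
    """Fill the User Filter template with an escaped Google email ID (username@domain)."""
    return template.replace("%s", escape_filter_value(username))


def ldapsearch_command(domain: str, username: str, key_file: str, crt_file: str,
                       bind_dn: str, host: str = "ldap.google.com",
                       template: str = "(mail=%s)") -> str:
    """Build an OpenLDAP ldapsearch invocation (returned as one shell line) that uses
    the same LDAPS client certificate, bind DN and filter that Mist will use."""
    # LDAPTLS_CERT/LDAPTLS_KEY point OpenLDAP at the downloaded CRT/KEY files;
    # -W prompts for the bind password instead of placing it on the command line.
    env = f"LDAPTLS_CERT={shlex.quote(crt_file)} LDAPTLS_KEY={shlex.quote(key_file)}"
    argv = ["ldapsearch", "-H", f"ldaps://{host}", "-D", bind_dn, "-W",
            "-b", base_dn_from_domain(domain),
            render_user_filter(template, username), "mail", "memberOf"]
    return f"{env} {shlex.join(argv)}"


if __name__ == "__main__":
    # Placeholder paths and bind username (constructed); replace with your own values.
    print(ldapsearch_command("abc.com", "alice@abc.com", "./ldap-client.key",
                             "./ldap-client.crt", "BIND_USERNAME_PLACEHOLDER"))
```

A successful search returns the user's mail and memberOf attributes, which confirms the certificate pair, bind credentials, Base DN and filter before you save them in the Identity Provider page.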

About EAP-TTLS and Azure AD using ROPC

Extensible Authentication Protocol–Tunneled TLS (EAP-TTLS) relies on the LDAPS OAuth flow with Azure AD to perform user authentication. This is a form of legacy authentication: it uses a username and password without MFA. Consider the following factors when employing this method:

  • Configure client devices with the correct Wi-Fi profile, either from GPO or MDM. On some operating systems, providing only a username and password at the login prompt does not work.
  • Users must enter the username in Google email ID format (username@domain).
  • Configure clients to trust the server certificate. See Use Digital Certificates.