Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

header-navigation

Solutions

Featured solutions AI Campus and branch Data center WAN Security Service provider Cloud operator Industries
Campus and Branch

Welcome to the NOW Way to Wi-Fi

Take your networking performance to new heights with a modern, cloud-native, AI-Native architecture. Only Juniper can help you unleash the full potential of Wi-Fi 7 with our AI-Native platform for innovation.
Prepare for liftoff
Business intelligence analyst dashboard on virtual screen. Big data Graphs Charts.

AI Data Center Networking

Juniper’s AI data center solution is a quick way to deploy high performing AI training and inference networks that are the most flexible to design and easiest to manage with limited IT resources.
Find out more
Enterprise AI-Native Networking

Enterprise AI‑Native Routing

Juniper's Ai-Native routing solution delivers robust 400GbE and 800GbE capabilities for unmatched performance, reliability, and sustainability at scale.
Explore enterprise routing
Zero trust security

Ops4AI Lab

Visit our lab in Sunnyvale, CA and see our AI data center solution for yourself. You can try out your own model’s functionality and performance, too.
Visit the lab
Enterprise AI-Native Networking

Enterprise AI‑Native Routing

Juniper's Ai-Native routing solution delivers robust 400GbE and 800GbE capabilities for unmatched performance, reliability, and sustainability at scale.
Explore enterprise routing
Higher Education

Shaping Student Experiences: The NOW Way to Build Higher Education Networks

Juniper Networks CIO Sharon Mandell and a virtual summit of C-level IT leaders from prestigious institutions discuss ongoing efforts to support digital transformation on campus.
Watch now
Hand on tablet with healthcare overlay of graphics

Security in healthcare

In this IDC Spotlight report, discover how AI networking can automate and strengthen a healthcare ecosystem to defeat criminals and prevent loss. 
Gain insights into ecosystem security
Retail

The Future of In-Store Technologies

Retail experts Kevin McCartan, Senior IT Service Delivery Engineer at Musgrave; Jack Stratten of Insider Trends; and Christian Gilby, Senior Director of Product Marketing at Juniper Networks, discuss customer experiences.
See the future

Products

Wireless access Wired access SD-WAN / SASE Routing and switching Security Mist AI™ Management software Network operating system Blueprint for AI-Native Acceleration Optics
  • Operations
ACX7020 router

Juniper ACX7020 Cloud Metro Access Router

Legacy networks simply cannot meet the demands of today’s rapidly evolving metro landscape. Unlock a new generation of highly scalable architectures and automated operations with the Juniper ACX7020. 
Learn more
EX4000 Ethernet Switch

Next-gen AI-Native EX4000 line of switches

Lack of AI innovation from your current networking vendor slowing you down? Embrace Juniper’s cloud-native, AI-Native access switches that support every level and layer, across nearly every deployment.
Discover how
The Q and AI text with an image of Bob Friday and Kedar Dhuru.

The Q&AI Podcast

Delivering practical solutions and enriching discussions, this podcast series is a vital resource for those seeking an in-depth exploration of AI's transformative potential.
Catch the latest episode

Services

Services
Services AI Care

Juniper AI Care Services Revolutionize Your Service Experience

Our industry-first AI-Native services couple AIOps with our deep expertise across the full network life cycle. You can move from reactive response to proactive insight and action.
Explore AI Care Services
Services AI Data Center

Juniper AI Data Center Deployment Services Optimize Your AI Model Runs

We use our expertise and validated designs to help design, deploy, validate and tune networks, including GPUs and storage, to get the most from your AI infrastructure operation.
Learn about AI Data Center Deployment Services

Partners

Partners

Support and Documentation

Support and Documentation

Learn

About Juniper Training Events The Feed Resources Technology learning topics Thought leadership and insights
Audience raising hands up while businessman is speaking in training at the office.

Juniper certification and training news

See the latest
Ringing of the bell

All global events

See the latest
AI-native-now

AI-Native NOW event series

Register now
Juniper's Christina Hendrix at the head of a conference table. With the text "The NOW Way to Network" overlayed, with "NOW" emphasizing the "O" in green color.

The NOW Way to Network

Watch the video series
AI Native Now

Executive insights

Dive deep with leading experts and thought leaders on all the topics that matter most to your business, from AI to network security to driving rapid, relevant transformation for your business.
Learn more
A keynote speaker giving a presentation at a conference. There are dozens of people sitting around them. The presentation is displayed via projector on all the walls in the room.

Leadership voices

Juniper Networks’ leaders operate on the front lines of creating the network of the future. Take a look around to see what’s on their minds.
Watch now
Bob Friday and Jessica Garrison speaking

Bob Friday Talks

Join Bob as he ventures into all the knowns -- and -- unknowns -- of AI.
Catch the latest episode
Documentation
Menu
License Guide
Quick Starts
Validated Designs
Home Documentation Mist AI
Cloud SecurityNetwork Access Control
Cloud Security Juniper Mist Access Assurance Guide Identity Provider Integration

Juniper Mist Access Assurance Guide

keyboard_arrow_up
close
keyboard_arrow_left
Juniper Mist Access Assurance Guide
Table of Contents Expand all
list Table of Contents

Integrate Google Workspace as an Identity Provider

date_range 14-Mar-25
arrow_backward
arrow_forward

Follow these steps to add Mist as a client in your Google Workspace portal, download your certificate, and add your Identity Provider to your Juniper Mist organization.

Juniper Mist Access Assurance allows you to integrate with Google Workspace as Identity Provider (IdP) to leverage secure Lightweight Directory Access Protocol over SSL (LDAPS) connector for the following use cases:

  • For certificate-based (EAP-TLS or EAP-TTLS) authorization:
    • Retrieves user group membership information to support authentication policies based on this user identity
    • Gets the status—active or suspended—of an user account

  • EAP-TTLS with PAP

    • Checks the username and password for authentication with Google’s Identity Provider

Configuration on Google Workspace

The following procedure shows you how to configure Google Workspace as an identity provider (IdP) with Juniper Mist.

  1. Log in to your Google Workspace portal by using your Google administrator credentials.

    The Google Admin dashboard appears.

  2. Create an LDAP client.
    1. From the Google Admin console, on the left-navigation bar, go to Apps > LDAP and click Add Client.
    2. Provide an LDAP client name and an optional Description and click Continue.

      The Access permissions page is displayed after adding the LDAP client.

  3. Configure Access Permission for verifying user credentials.

    The following options are available:

    • Verify user credentials—Allows user credential authentication using EAP-TTLS/PAP. This setting specifies which organizational groups the LDAP client can access to verify the user’s credentials.
    • Read user Information—Allows you to read basic user information. This setting specifies which organizational units and groups the LDAP client can access to retrieve additional user information.
    1. Select Entire domain for both the options if no specific organization is required.
    2. Scroll down to Read group information. This setting specifies whether the LDAP client can read group details and check a user’s group memberships.

      After you finish configuring access permissions and added LDAP client, the certificate is generated automatically on the same page.

  4. Download the generated LDAPS client certificate.
    1. Click Download certificate and save the downloaded certificate in a secure place. You'll need this certificate when you set up an IdP on the Juniper Mist portal.
    2. Click Continue to Client Details.

      The Settings for <LDAP client name> page appears.

    3. Expand the Authentication section.
    4. Under Access Credentials, click Generate New Credentials.

      You can view the username and password on the Access credentials page.

      Copy and save the username and password. You need these details for the LDAPS client configuration on the Juniper Mist cloud portal.

  5. Enable the LDAP client service by changing the service status to On for the LDAP client. This step enables you to set up a client with the Secure LDAP service.
    1. From the Google Admin console, go to Apps > LDAP. Select your client and click Service Status.

      The service status, displayed at the top right of the page, is initially set as OFF.

      Select On for everyone to turn on the service. Allow some time for the changes to apply on the Google side.

Configuration on Juniper Mist Dashboard

  1. From the left menu of the Juniper Mist portal, select Organization > Access > Identity Providers.

    The Identity Providers page displays any configured identity providers.

    Figure 1: Identity Providers Page Identity Providers Page
  2. Click Add IDP to add a new IdP.
  3. On the New Identity Provider page, enter the required information to integrate with Google Workspace.
    Figure 2: Update Identity Provider Details Update Identity Provider Details

    Now configure the LDAPS connector to integrate with the Google Workspace LDAP endpoint.

    • Name—Enter an IdP name. (In this example, enter Google Workspace.)
    • IDP Type—Select LDAPS.
    • LDAP Type—Select Custom.
    • Group Filter—Select memberOf. This option is required to obtain group memberships from Group attribute.
    • Member Filter—Select memberOf.
    • User Filter—Enter (mail=%s).
    • Server Hosts—Enter ldap.google.com.
    • Domain Names—Enter your Google Workspace domain name. For example: abc.com.
    • Bind DN—Use the username provided by Google in the previous step.
    • Bind Password—Enter the password for the above username.
    • Base DN—Configure your base dn matching your Google Workspace domain. For example, if your domain is abc.com, then your base DN is dc=abc,dc=com.
  4. In the CA Certificates section, click Add Certificate and paste the following two certificates:
    Figure 3: Add CA Certificate Add CA Certificate
    content_copy zoom_out_map
    -----BEGIN CERTIFICATE-----
MIIFljCCA36gAwIBAgINAgO8U1lrNMcY9QFQZjANBgkqhkiG9w0BAQsFADBHMQsw
CQYDVQQGEwJVUzEiMCAGA1UEChMZR29vZ2xlIFRydXN0IFNlcnZpY2VzIExMQzEU
MBIGA1UEAxMLR1RTIFJvb3QgUjEwHhcNMjAwODEzMDAwMDQyWhcNMjcwOTMwMDAw
tdufThcV4q5O8DIrGKZTqPwJNl
1IXNDw9bg1kWRxYtnCQ6yICmJhSFm/Y3m6xv+cXDBlHz4n/FsRC6UfTd
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIFYjCCBEqgAwIBAgIQd70NbNs2+RrqIQ/E8FjTDTANBgkqhkiG9w0BAQsFADBX
+qduBmpvvYuR7hZL6Dupszfnw0Skfths18dG9ZKb59UhvmaSGZRVbNQpsg3BZlvi
d0lIKO2d1xozclOzgjXPYovJJIultzkMu34qQb9Sz/yilrbCgj8=
-----END CERTIFICATE-----
  5. Under Client Certificate, add a client certificate you downloaded from Google. Place the file ending with .key under Private Key, and the file ending with .crt under Signed Certificate as shown in the following sample:
    Figure 4: Add Client Certificate Add Client Certificate

    Click Save.

On the Juniper Mist portal, go to Monitoring > Insights > Client Events.

When a user authenticates using EAP-TTLS , you can see the NAC IDP Authentication Success and NAC IDP Group Lookup Success events that fetch user group membership information.

When a user authenticates using EAP-TTS with Google Workspace, you can see the event NAC IDP Group Lookup Success that fetches user group membership information.
Figure 5: IDP Group Lookup Success Authentication Event IDP Group Lookup Success Authentication Event

In case of EAP-TTLS authentication, you can see the NAC IDP Authentication Success event. This event indicates that Google Workspace has validated user credentials.

Figure 6: IDP Authentication Success Event IDP Authentication Success Event

You may leverage IDP Roles from Google Workspace in your Auth policy rules to perform network segmentation based on user roles.

About EAP-TTLS and Azure AD using ROPC

Extensible Authentication Protocol–Tunneled TLS (EAP-TTLS) leverages LDAPS OAuth flow with Azure AD to perform user authentication. This implies the use of legacy authentication, which involves the use of a username and password without MFA. There are several factors to consider when employing this method:

  • Configure client devices with the correct Wi-Fi profile, either from GPO or MDM. Providing only username and password at the login prompt does not work for some operating systems.
  • Users must use Google Email ID (username@domain) username format for entering the username.
  • Configure clients to trust server certificate. See Use Digital Certificates.

See Also

arrow_backward PREVIOUS Integrate Okta as an Identity Provider
NEXT arrow_forward Integrate Microsoft Entra ID as an Identity Provider
file_download PDF
{ "lLangCode": "en", "lName": "English", "lCountryCode": "us", "transcode": "en_US" }
English
Integrate Google Workspace as an Identity Provider
keyboard_arrow_right
footer-navigation

© 1999 - 2025 Juniper Networks, Inc. All rights reserved.

Scroll to top

keyboard_arrow_down
file_download
{ "lLangCode": "en", "lName": "English", "lCountryCode": "us", "transcode": "en_US" }
language