Skip to main content

HelloID

Google Workspace SAML application setup

Follow these instructions to set up HelloID and Google Workspace / Google Apps for single sign-on using the SAML protocol.

Tip

For more information about managing applications, see Applications.

Requirements
  • Google Workspace environment

Notes
  • Single sign-on for Google Workspace can only be applied to all users or none of them. Super Administrators are the exception, and are exempt from the requirements to use SSO once it is enabled.

  • Any service or generic accounts you use in Google Workspace will need to be able to use HelloID as well, otherwise they will not be able to log in unless they are Super Administrators.

Step 1: Add a certificate
  1. Go to Settings > Certificates.

  2. Click Create Self-Signed Certificate.

  3. Set the following fields:

    1. Name Of Certificate: GoogleWorkspaceSelfSigned

    2. Common Name (Domain): <yourcustomerid>.helloid.com

    3. All other fields: set according to your organization's requirements.

  4. Click Save.

  5. Export the certificate you just created in .CER format. See Export a certificate.

Step 2: Add the application
  1. Go to Applications > Applications.

  2. Click Open Application Catalog.

    2022-10-10_12-38-12.jpg
  3. Search for the Google GSuite (SAML) template, and click Add.

    2023-04-13_14-02-15.jpg
Step 3: Application setup

Tip

For details on all available fields, see the Application settings reference.

  1. On the General tab, set the following fields:

    Google_Workspace_SAML_Single_Sign-On__SSO__Configuration__115002948893__2022-08-23_13-42-28.jpeg
    Default Login URL

    Your organization's Google Workspace domain name, in the format: https://accounts.google.com/a/{yourGoogleDomain}/acs

  2. Click Next.

  3. On the Single Sign On tab, set the following fields:

    Google_Workspace_SAML_Single_Sign-On__SSO__Configuration__115002948893__2022-08-23_13-43-53.jpeg
    Issuer

    Enter your HelloID domain in the format https://{customer}.helloid.com.

    Endpoint URL

    Your organization's Google Workspace domain name, in the format: https://accounts.google.com/a/{yourGoogleDomain}/acs

    X509 Certificate

    Select the GoogleWorkspaceSelfSigned certificate that you previously created.

  4. Click Next.

  5. On the Credential tab, select Credentials Are Configured By Admin. The settings for the NameID and Password depend on whether users are logging in with QR codes.

    • Users log in with QR codes:

      Google_Workspace_SAML_Single_Sign-On__SSO__Configuration__115002948893__2022-09-15_14-19-50.jpeg
      • Name ID: User's contact email

      • Password: Enter custom value

        • {{user.login.password}}{{user.attributes.qr}}

    • Users do not log in with QR codes:

      Google_Workspace_SAML_Single_Sign-On__SSO__Configuration__115002948893__2022-09-15_14-11-17.jpeg
      • Name ID: User's contact email

      • Password: Enter custom value

        • {{user.login.password}}

  6. Click Next.

  7. Optional: On the Self Service tab, choose whether to generate a product (see Products) for users to request this application. If you do, select the Group that will be linked to the product.

  8. Click Next.

  9. On the Finish tab, click Save.

Step 4: Post-setup configuration
HelloID side
  1. Get the application's metadata.

    1. Go to Applications > Applications and click Edit for this application.

    2. Right-click Download Metadata and click Copy Link Address.

      Example 1. SAML Metadata

      https://enyoi.helloid.com/metadata/download?ApplicationGUID=c277185a-cd1f-451c-8068-c751ed85a028

      2023-03-23_11-46-21.jpg


    3. Open the metadata URL in a browser and copy the SingleSignOnService HTTP-POST location to a local text file. It will resemble: https://t4e-seattle-159.helloid.com/relayservice/redirect/c46bfd46-c569-4274-bd6e-031b9c021423.

      Google_Workspace_SAML_Single_Sign-On__SSO__Configuration__115002948893__SingleSignOnService_HTTP-POST.jpeg
  2. Enable Hide Application.

    Google_Workspace_SAML_Single_Sign-On__SSO__Configuration__115002948893__2022-08-23_14-13-25.jpeg

    Tip

    Why am I hiding the application?

    Some service providers, including Google Workspace, have a number of different applications or "endpoints". Instead of having users navigate directly to the main Google Workspace application, you will provide users with shortcuts to the various endpoints, such as Gmail and Drive. They are indirectly routed through the primary service provider application that you have hidden. We will configure this below.

  3. Click Save.

SP side
  1. Log on to your organization's Google Workspace Admin Console and go to Security > Authentication > SSO with third-party IdP.

  2. In the Third-party SSO profile for your organization pane, click Edit.

  3. Enter the following information and click Save.

    Google_Workspace_SAML_Single_Sign-On__SSO__Configuration__115002948893__2022-08-23_14-10-11.jpeg
    • Set up SSO with third-party identity provider: Enable

    • Sign-in page URL: Paste the SingleSignOnService URL that you copied from the application metadata.

    • Sign-out page URL: Enter https://{yourdomain}.helloid.com/authentication/signoff.

    • Verification Certificate: Upload the .CER certificate you exported earlier.

    • Change password URL (optional): Enter the URL of your password reset manager. For example, SSRPM.

Step 5: Add product shortcuts

The SAML connection is now configured. The next step is to add shortcuts to the Google products.

  1. Go to Applications > Applications.

  2. Click Open Application Catalog.

  3. Search for Google and click Add for the first Google App you want to create a shortcut for. For example, Google Drive.

    Google_Workspace_SAML_Single_Sign-On__SSO__Configuration__115002948893__2022-08-23_14-11-35.jpeg
  4. On the General tab, replace {company domain} in the Default Login URL with your organization's Google Workspace domain name.

    Google_Workspace_SAML_Single_Sign-On__SSO__Configuration__115002948893__2022-08-23_14-12-16.jpeg
  5. Click Save.

  6. Repeat steps (1) - (5) for any other Google App product shortcuts you want to create.

After you have finished adding product shortcuts, authorized users will see the shortcuts in Applications for users. When they launch an application, they will be authenticated to Google with the credentials stored in the attribute you specified on the Google Workspace application. If any users are not able to access their Google products, double check that they have the required information in the chosen attribute.

Step 6: Test the application
  • Using a HelloID account that has access to these application shortcuts, go to Applications for users on the user dashboard, and launch the application to test it.

Step 7: Finish up

The application has been added to HelloID, and a trust has been configured. You may now want to do the following: