This article will walk you through configuring Google Workspace to be your SAML Identity Provider within HelloID. This is useful if your organization uses Google Workspace as a primary source of authentication to access online services. This will allow your organization's users to log into HelloID and other cloud applications with their Google username and password.
Configure the Google IdP
- Log in to your Google Workspace admin console and select Apps.
- Select Web and mobile apps.
- Go to Add app > Add custom SAML app.
- Enter an App Name (e.g., HelloID) and click Continue.
- A screen will appear with the Google IdP information which is needed to set up the provider in HelloID. Minimize this browser tab.
- In the HelloID Administrator Dashboard, create a new certificate for the connection with Google Workspace.
- Go to Security > Authentication > Identity Providers and click Create Provider. This will bring up the Identity Provider Catalog.
- Find the SAML - Generic IdP and click the Add button next to it.
- Enter a Name. Turn on the Enable JIT toggle (just-in-time provisioning) if you would like new HelloID accounts to be automatically created the first time users log in via Google Workspace. When JIT is on, you do not need to manually create HelloID accounts in advance. Click on the Configuration tab.
- Enter the following values. All other fields may remain at their default value. View a complete configuration reference here.
  - Login URL: Copy the SSO URL from the Google IdP configuration, which you minimized in step 5.
  - Request Certificate: Select the certificate that you created in step 6.
  - Logout URL: https://accounts.google.com/logout
- Click Save to save the IdP configuration in HelloID. You may configure other optional settings on the Configuration tab as desired.
- Back in the browser tab with the Google SAML App, click Continue.
- Enter the following values in the Service Provider Details screen.
  - ACS URL: the Consumer URL value from your newly-configured IdP object in HelloID
  - Entity ID: the Issuer value from your newly-configured IdP object in HelloID
  - Signed Response: Enable
  - Name ID Format: Email
  - Name ID: Basic Information > Primary email
- Click Continue.
- Click Add Mapping.
- Add the following mappings and click Finish.
  - Basic Information > Primary email -> Email
  - Basic Information > First name -> Firstname
  - Basic Information > Last name -> Lastname
- The SAML application for HelloID has been configured. Click Finish to continue.
- Expand the User Access pane.
- Select On for everyone and click Save.
- The configuration is finished. It can now be tested. Go to your HelloID portal and log in with the Google Workspace IdP. The login will be routed to Google.
- Once authenticated through Google, the user will be logged into HelloID with their Google account.
- As a final step, you may want to edit HelloID's user attribute mapping configuration. See Mapping - Overview and Edit a mapping set.
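
To confirm that the Service Provider Details and attribute mappings above took effect, you can capture the base64 `SAMLResponse` form field from a test login with your browser's developer tools and check it against the configured values. The script below is an added example, not part of HelloID or Google Workspace; the `ACS` and `ENTITY` values and the sample response are constructed placeholders, and the check is structural only (it does not verify the signature cryptographically).

```python
import base64
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
EXPECTED_ATTRS = {"Email", "Firstname", "Lastname"}  # names from the mapping step
ACS = "https://tenant.example/consume"     # placeholder for HelloID's Consumer URL
ENTITY = "https://tenant.example/issuer"   # placeholder for HelloID's Issuer value

def check_response(b64_response, acs_url, entity_id):
    """Return a list of mismatches between a SAMLResponse and the settings above."""
    root = ET.fromstring(base64.b64decode(b64_response))
    problems = []
    # "Signed Response: Enable" puts ds:Signature directly under samlp:Response.
    if root.find("ds:Signature", NS) is None:
        problems.append("Response element is not signed")
    # Destination should be the ACS URL; Audience should be the Entity ID.
    if root.get("Destination") != acs_url:
        problems.append("Destination does not match the ACS URL")
    audience = root.find(".//saml:AudienceRestriction/saml:Audience", NS)
    if audience is None or (audience.text or "").strip() != entity_id:
        problems.append("Audience does not match the Entity ID")
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != EMAIL_FORMAT:
        problems.append("NameID format is not Email")
    elif "@" not in (name_id.text or ""):
        problems.append("NameID value is not an email address")
    sent = {a.get("Name") for a in root.iterfind(".//saml:Attribute", NS)}
    for missing in sorted(EXPECTED_ATTRS - sent):
        problems.append(f"Attribute {missing} is missing")
    return problems

def build_sample(signed=True, attrs=("Email", "Firstname", "Lastname")):
    """Constructed sample for demonstration; not real Google Workspace output."""
    sig = f'<ds:Signature xmlns:ds="{NS["ds"]}"/>' if signed else ""
    attr_xml = "".join(f'<saml:Attribute Name="{a}"><saml:AttributeValue>x'
                       f'</saml:AttributeValue></saml:Attribute>' for a in attrs)
    xml = (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
           f'Destination="{ACS}">{sig}<saml:Assertion><saml:Subject>'
           f'<saml:NameID Format="{EMAIL_FORMAT}">jane@example.com</saml:NameID>'
           f'</saml:Subject><saml:Conditions><saml:AudienceRestriction><saml:Audience>'
           f'{ENTITY}</saml:Audience></saml:AudienceRestriction></saml:Conditions>'
           f'<saml:AttributeStatement>{attr_xml}</saml:AttributeStatement>'
           f'</saml:Assertion></samlp:Response>')
    return base64.b64encode(xml.encode()).decode()

if __name__ == "__main__":
    print(check_response(build_sample(signed=False), ACS, ENTITY))
```

An empty list means the response matches the settings entered in the steps above; each string in the list names one setting to revisit in the Google SAML app.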