Introduction
This guide will lead you through creating an SSO connection between HelloID and Google GSuite / Google Apps.
Requirements:
- HelloID Environment
- GSuite Environment
Things to Know
- Single Sign-On for Google GSuite can only be applied to all users or none of them. Super Administrators are the exception, and are exempt from the requirement to use SSO once it is enabled.
- Any service or generic accounts you use in Google GSuite will need to be able to use HelloID as well, otherwise they will not be able to log in unless they are Super Administrators.
Create or Import a Certificate
In order to secure communications between HelloID and the service provider, a certificate must be imported or created. This can be done in the HelloID Administrator Dashboard under Settings > Certificates. For this tutorial, we will use a self-signed certificate. Learn more about certificates here.
In the Certificates overview, go to the Details page of the created/imported certificate and download the certificate for use in the Google Apps configuration. Save it somewhere on your computer.
Add the GSuite Application
- Create a new application in HelloID by navigating to Applications > Applications.
- Open the Application Catalog and search for "GSuite". Find the Google GSuite SAML template, and click Add. Learn more about managing applications here.
- On the General tab of the new application wizard, update the Default Login URL by replacing {yourGoogleDomain} with your organization's GSuite domain name. You may optionally customize the icon and description. Click Next to continue.
- On the Single Sign On tab, update the following form fields and click Next.
- Issuer: Enter the URL of your HelloID portal. E.g., https://companyname.helloid.com
- Endpoint URL: Replace {yourGoogleDomain} with your organization's GSuite domain name.
- X509 Certificate: Select the self-signed certificate created at the start of this guide.
- On the Credential tab, select Credentials are configured by admin. The settings for NameID and Password depend on whether users log in with QR codes. Learn more about application credentials here.
- Users log in with QR codes:
- NameID: User's contact email
- Password: Custom value
- {{user.login.password}}{{user.attributes.qr}}
- Users do not log in with QR codes:
- NameID: User's contact email
- Password: Password is the same as user's password
- On the Self Service tab, leave all settings at their default and click Next to continue.
- On the Finish tab, click Save to add the application to HelloID.
Application Metadata & Additional Configuration
- After saving the GSuite application, click its Edit link on the applications overview. This will bring you to its properties page.
- Click the Download metadata button. This will start a download of an XML file which we will need in later steps.
- Scroll down the page and enable Hide Application. Click Save when you are finished.
Why am I hiding the application?
Some Service providers, such as GSuite, are host to a number of different applications or "endpoints". Instead of having users navigate directly to the GSuite application, you will provide users with shortcuts to GSuite's various endpoints, such as Gmail and Drive, which will be routed through the GSuite service provider application you are now hiding.
Open the downloaded metadata file in a browser and copy the SingleSignOnService location.
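Instead of copying the value by eye, the metadata can be read with a short script that also fingerprints the embedded signing certificate, so it can be compared with the certificate file you will upload to Google. This is an added example, not HelloID code; the sample metadata, its endpoint path and the certificate bytes are constructed placeholders.

```python
import base64
import hashlib
import ssl
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def file_fingerprint(data: bytes) -> str:
    """SHA-256 fingerprint (hex) of a certificate given as PEM or DER bytes."""
    if data.lstrip().startswith(b"-----BEGIN CERTIFICATE-----"):
        data = ssl.PEM_cert_to_DER_cert(data.decode("ascii").strip())
    return hashlib.sha256(data).hexdigest()

def read_idp_metadata(xml_text: str) -> dict:
    """Return SSO endpoints keyed by binding, plus embedded cert fingerprints."""
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("metadata must not contain a DTD or entities")
    root = ET.fromstring(xml_text)
    idp = root.find(".//md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor in metadata")
    endpoints = {}
    for sso in idp.findall("md:SingleSignOnService", NS):
        location = sso.get("Location", "")
        if not location.startswith("https://"):
            raise ValueError(f"SSO endpoint is not HTTPS: {location!r}")
        endpoints[sso.get("Binding")] = location
    certs = [file_fingerprint(base64.b64decode(c.text or ""))
             for c in idp.findall(".//ds:X509Certificate", NS)]
    return {"entity_id": root.get("entityID"), "sso": endpoints, "certs": certs}

# Constructed sample: placeholder bytes stand in for a real DER certificate.
SAMPLE_DER = b"constructed placeholder, not a real certificate"
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://companyname.helloid.com">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><X509Data>
        <X509Certificate>{base64.b64encode(SAMPLE_DER).decode()}</X509Certificate>
      </X509Data></KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://companyname.helloid.com/sso/example"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""

if __name__ == "__main__":
    print(read_idp_metadata(SAMPLE_METADATA))
```

Run `file_fingerprint` on the certificate file downloaded from HelloID as well; if its value does not appear in the `certs` list from the metadata, the file you are about to upload is not the one the application signs with.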
GSuite Configuration
- Log on to your organization's GSuite management portal and navigate to Security.
- On the Security page select Set up single sign-on (SSO).
- Enable Setup SSO with third party identity provider, enter the following information, and click Save.
- Sign-in page URL: Paste the SingleSignOnService URL that you copied from the metadata.
- Sign-out page URL: Enter https://accounts.google.com/Logout
- Change password URL (optional): Enter the URL of your password reset manager. For example, SSRPM.
- Verification Certificate: Upload the certificate created at the start of this guide.
The SAML connection is now configured. The next step is to add the shortcuts to the Google products.
Add Product Shortcuts
- On the HelloID Administrator Dashboard, navigate to Applications > Applications. Open the Application Catalog and search for "Google". Find the desired Google product and click its Add button.
- On the General tab of the shortcut's wizard, update the Default Login URL setting by replacing {company domain} with your organization's GSuite domain name. You may optionally update the display name, description, and icon of the shortcut. Click Save when you are finished.
Repeat the steps of this section for the rest of the application shortcuts you wish to publish.
Test the Integration
After you have finished adding product shortcuts, authorized users will see additional icons on their HelloID User Dashboard. When they click on a shortcut, they will be authenticated to Google with the credentials stored in the attribute you specified on the GSuite application. If any users are not able to access their Google products, double check that they have the requisite information in the chosen attribute.