Introduction
This article demonstrates how to set up HelloID and Google Workspace / Google Apps for single sign-on using the SAML protocol.
Requirements
- HelloID environment
- Google Workspace environment
Notes
- Single sign-on for Google Workspace can only be applied to all users or none of them. Super Administrators are the exception, and are exempt from the requirements to use SSO once it is enabled.
- Any service or generic accounts you use in Google Workspace will need to be able to use HelloID as well, otherwise they will not be able to log in unless they are Super Administrators.
Create or Import a Certificate
If there is no certificate yet, you must create or import one. For this tutorial, we will create a self-signed certificate. Name it GoogleWorkspaceSelfSigned. Download it in .CER format.
Application setup
Add the Google GSuite application
- Add a new application.
- Find the template for Google GSuite (SAML).
- Select its Add button.
General tab
Change the following settings:
- Default Login URL
  Customize with your organization's Google Workspace domain name, in the format: https://accounts.google.com/a/{yourGoogleDomain}/acs
Select the Next button.
Single Sign-On tab
Change the following settings:
- Issuer
  Enter your HelloID domain in the format https://{customer}.helloid.com.
- Endpoint URL
  Copy and paste the Default Login URL from the General tab.
- X509 Certificate
  Select the GoogleWorkspaceSelfSigned certificate that you previously imported or created.
Credential tab
Select Credentials are configured by admin. The settings for the NameID and Password depend on whether users are logging in with QR codes. Learn more about application credentials here.
- Users log in with QR codes:
  - Name ID: User's contact email
  - Password: Enter custom value {{user.login.password}}{{user.attributes.qr}}
- Users do not log in with QR codes:
  - Name ID: User's contact email
  - Password: Enter custom value {{user.login.password}}
Select the Next button.
Self Service tab
Optionally, generate a Self Service product, which makes the application requestable. Select a group which will have access to the product.
Select the Next button.
Finish tab
Select the Save button to add the application to HelloID.
Additional configuration
Retrieve application metadata
- Go to the Applications overview.
- Select the Edit link for the newly-added Google Workspace application.
- Right-click the Download metadata button.
- Select Copy link address. It will resemble: https://t4e-seattle-159.helloid.com/metadata/download?ApplicationGUID=3eb6216e-8c04-4cec-bfff-264e93508018. You will need this shortly.
- Open the metadata URL in a browser and copy the SingleSignOnService HTTP-POST location. It will resemble: https://t4e-seattle-159.helloid.com/relayservice/redirect/c46bfd46-c569-4274-bd6e-031b9c021423
- Scroll down the page and enable Hide Application. Click Save when you are finished.
- Select the Save button.
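The values copied by hand in this guide (Issuer, the SingleSignOnService HTTP-POST location and the .CER file) can be cross-checked against the metadata before they are entered in Google Workspace. The Python below is an added example, not HelloID or Google code: it assumes the metadata follows the standard SAML 2.0 layout and that its entityID equals the Issuer value; the function names, tenant, GUIDs and certificate bytes are constructed placeholders.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
# Constructed sample: placeholder tenant, GUIDs and certificate bytes (assumed layout).
CER_DER = b"constructed placeholder, not a real certificate"
METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://example.helloid.com">
 <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
   {base64.b64encode(CER_DER).decode()}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
   Location="https://example.helloid.com/relayservice/redirect/00000000-0000-0000-0000-000000000001"/>
  <md:SingleSignOnService Binding="{POST}"
   Location="https://example.helloid.com/relayservice/redirect/00000000-0000-0000-0000-000000000002"/>
 </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def read_idp_metadata(xml_text):
    """Return the issuer, the HTTP-POST sign-in URL and signing-cert fingerprints."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor")
    urls = [s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)
            if s.get("Binding") == POST]
    if len(urls) != 1:
        raise ValueError(f"expected one HTTP-POST endpoint, found {len(urls)}")
    certs = idp.findall("md:KeyDescriptor/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    prints = {hashlib.sha256(base64.b64decode("".join(c.text.split()))).hexdigest()
              for c in certs}
    return {"issuer": root.get("entityID"), "sso_url": urls[0], "cert_sha256": prints}


def check_config(meta, issuer, cer_bytes):
    """List mismatches between the metadata and the values entered by hand."""
    if cer_bytes.lstrip().startswith(b"-----BEGIN"):  # Base64 .CER: strip armor, decode to DER
        lines = [l for l in cer_bytes.strip().splitlines() if not l.startswith(b"-----")]
        cer_bytes = base64.b64decode(b"".join(lines))
    problems = []
    if meta["issuer"] != issuer:
        problems.append("issuer mismatch")
    if not meta["sso_url"].startswith(issuer.rstrip("/") + "/"):
        problems.append("sign-in URL is outside the issuer origin")
    if hashlib.sha256(cer_bytes).hexdigest() not in meta["cert_sha256"]:
        problems.append("uploaded certificate is not the metadata signing certificate")
    return problems
```

An empty list from check_config means the sign-in URL and certificate you are about to enter in Google Workspace match what the identity provider publishes.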
Why am I hiding the application?
Some service providers, including Google Workspace, have a number of different applications or "endpoints". Instead of having users navigate directly to the main Google Workspace application, you will provide users with shortcuts to the various endpoints, such as Gmail and Drive. They are indirectly routed through the primary service provider application that you have hidden. We will configure this in the Add product shortcuts section, below.
Google Workspace configuration
- Log on to your organization's Google Workspace admin console and go to Security > Authentication > SSO with third-party IdP.
- Select the edit button for the Third-party SSO profile for your organization pane.
- Enter the following information and click Save.
  - Set up SSO with third-party identity provider
    Enable
  - Sign-in page URL
    Paste the SingleSignOnService URL that you copied from the application metadata.
  - Sign-out page URL
    Enter https://{yourdomain}.helloid.com/authentication/signoff.
  - Verification Certificate
    Upload the certificate created at the start of this guide.
  - Change password URL (optional)
    Enter the URL of your password reset manager. For example, SSRPM.
The SAML connection is now configured. The next step is to add shortcuts to the Google products.
Add product shortcuts
- Add a new application.
- Search for "Google".
- Select the Add button for the relevant product.
- On the General tab, replace {company domain} in the Default Login URL with your organization's Google Workspace domain name.
- Select the Save button.
Repeat these steps for any other Google product shortcuts you want to create.
Finish up
After you have finished adding product shortcuts, authorized users will see the applications on their HelloID User Dashboard. When they launch an application, they will be authenticated to Google with the credentials stored in the attribute you specified on the Google Workspace application. If any users are not able to access their Google products, double check that they have the required information in the chosen attribute.
You are now free to assign the product shortcuts to users within your organization. See Applications - Overview and its related articles for more information.