Uploaded by Chandrakanth

G-suite and SSO Application Configuration

Configuring Single Sign-On (SSO) for an application in Google Workspace (formerly G Suite) involves setting up Google as the Identity Provider (IdP) and configuring the application as a Service Provider (SP). This allows users to authenticate once via Google Workspace and access third-party applications without needing to log in separately.

The federation process involves Google Workspace sending a SAML (Security Assertion Markup Language) assertion to the application to authenticate the user. The application, acting as the SP, will validate the SAML assertion and grant access based on the authenticated user's identity.

Here's how the entire SSO federation process works, step by step:

Step 1: Configure the Application for SSO in Google Workspace

1. Log in to Google Admin Console:
   ○ Sign in to your Google Admin Console using an administrator account.
2. Navigate to the Apps Section:
   ○ In the Admin Console, click on Apps > Web and mobile apps > Add App > Add custom SAML app.
3. Enter Basic Information:
   ○ App Name: Give your application a descriptive name (e.g., "Salesforce", "Slack").
   ○ App Logo: You can upload a logo for the app if desired (optional).
4. Download the IdP Metadata:
   ○ After entering the basic details, Google Workspace will provide a Download metadata option. This metadata file contains the configuration details the application needs in order to trust Google Workspace as the IdP.
   ○ You will need this metadata later when configuring the service provider (SP) side of the application.

Step 2: Configure the SAML Settings in the Application (Service Provider)

Next, you need to configure the third-party application (the Service Provider) to trust Google as the Identity Provider.

1. Log in to the Application Admin Console:
   ○ Sign in to the admin interface of the third-party application (e.g., Salesforce, Slack) that you want to enable SSO for.
2. Find SSO or SAML Settings:
   ○ Look for a section that enables Single Sign-On (SSO) or SAML authentication. This can usually be found under Security, Authentication, or SSO Settings.
3. Upload or Enter Google Workspace Metadata:
   ○ Most third-party applications support SAML 2.0 and will require the SAML Metadata from Google Workspace.
   ○ You can either upload the metadata file you downloaded from Google or manually enter the following details from Google Workspace:
     ■ SSO URL: The URL to which the third-party application sends SSO authentication requests to Google. It is found in the Google Admin Console (Step 1).
     ■ Entity ID: A unique identifier for your Google Workspace instance, also found in the Google Admin Console.
     ■ X.509 Certificate: Used by the application to verify the signature on the SAML assertions sent by Google Workspace. You can download this from the Google Admin Console as well.
4. Configure Attribute Mapping:
   ○ In most cases, the third-party application will need to know which SAML attributes Google Workspace should send. The most common attributes are:
     ■ Email address: Typically mapped to NameID or email.
     ■ First Name, Last Name: These attributes are mapped to the user's first and last names.
     ■ Roles or Groups: Some applications may need to map specific user roles or groups in Google Workspace to roles in the third-party application.
   ○ Set up these mappings as needed. In some cases, the app will map them automatically, but you may need to configure them manually in the application.
5. Save Settings:
   ○ Once you've entered the metadata and configured the mappings, save the SSO settings on the third-party app.

Step 3: Set Up Google Workspace SAML App for the Service Provider (SP)

Now that the third-party application is ready to trust Google Workspace as an IdP, you need to configure Google Workspace to send SAML assertions to it.

1. Open SAML App Settings in Google Admin Console:
   ○ In Google Admin Console, navigate to Apps > Web and mobile apps and locate the newly added app.
   ○ Select the app and click on SAML Settings.
2. Provide SP Information:
   ○ In the SAML configuration page, you need to provide the following details from the third-party application:
     ■ ACS URL (Assertion Consumer Service URL): The URL to which Google will send the SAML assertion after the user logs in. The third-party application provides this URL in its SSO configuration page.
     ■ Entity ID: The unique identifier for the third-party app. This can also be found in the SSO or SAML settings of the third-party application.
3. Configure SAML Attributes:
   ○ Configure the attributes (e.g., email, first name, last name) that Google Workspace will send in the SAML response. This typically involves mapping Google user attributes to the corresponding attributes required by the third-party application.
   ○ For example:
     ■ Email: Map the primary email attribute from Google Workspace to the email field of the third-party app.
     ■ First Name: Map givenName to the first name field.
     ■ Last Name: Map familyName to the last name field.
4. Enable SSO for Users:
   ○ Once the app configuration is complete, you can assign the SAML app to specific users or groups within Google Workspace. You can choose to enable SSO for all users or limit it to specific organizational units or groups.

Step 4: Test the SSO Integration

Testing is a crucial step in ensuring that the SSO integration is working as expected.

1. Test User Access:
   ○ Have a test user attempt to access the third-party application.
   ○ When the user tries to access the application, they should be redirected to Google's login page (if not already logged in).
   ○ After authentication, the user should be logged into the third-party application automatically without needing to re-enter credentials.
2. Check for Errors:
   ○ If there is an error during the login process, check the SAML Response in your browser's developer tools (Network tab) for details.
   ○ Common issues include incorrect mappings or missing attributes. Ensure the ACS URL, Entity ID, and attribute mappings are correct in both the Google Admin Console and the third-party app.
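To make the "Check for Errors" step concrete, here is an added troubleshooting script (not part of the original document or any Google tooling) that decodes a base64 SAMLResponse value, as captured from the browser's Network tab, and compares the Destination, Issuer, Audience, NameID and attribute names against the values copied from both consoles. The sample response, the app URLs, the idpid value and the attribute names are all constructed for the example; the script does not verify the XML signature, so it is a configuration-mismatch finder, not a replacement for the SP's own validation.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed, unsigned sample of what a SAMLResponse decodes to; the
# lastName attribute is deliberately missing to show a mapping problem.
SAMPLE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Destination="https://app.example.com/saml/acs">
 <saml:Issuer>https://accounts.google.com/o/saml2?idpid=EXAMPLE_ID</saml:Issuer>
 <saml:Assertion><saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  <saml:Conditions><saml:AudienceRestriction><saml:Audience>https://app.example.com/saml/metadata</saml:Audience></saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement>
   <saml:Attribute Name="email"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
   <saml:Attribute Name="firstName"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement></saml:Assertion></samlp:Response>"""

# Values an admin copies from the Google Admin Console and the app's SSO page (constructed).
EXPECTED = {"acs_url": "https://app.example.com/saml/acs",
            "idp_entity_id": "https://accounts.google.com/o/saml2?idpid=EXAMPLE_ID",
            "sp_entity_id": "https://app.example.com/saml/metadata",
            "attributes": ["email", "firstName", "lastName"]}

def check_saml_response(saml_response_b64, expected):
    """Decode a SAMLResponse form value and list mismatches against the expected
    ACS URL, entity IDs and attribute names. The XML signature is NOT checked."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    problems = []
    if root.get("Destination") != expected["acs_url"]:  # must equal the ACS URL
        problems.append(f"Destination {root.get('Destination')!r} != ACS URL")
    issuer = root.findtext("saml:Issuer", namespaces=NS)  # Google's entity ID
    if issuer != expected["idp_entity_id"]:
        problems.append(f"Issuer {issuer!r} != Google entity ID")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return problems + ["no Assertion element in response"]
    audience = assertion.findtext(".//saml:Audience", namespaces=NS)  # SP entity ID
    if audience != expected["sp_entity_id"]:
        problems.append(f"Audience {audience!r} != app entity ID")
    if not assertion.findtext(".//saml:NameID", namespaces=NS):
        problems.append("NameID missing (email usually maps here)")
    sent = {a.get("Name") for a in assertion.iterfind(".//saml:Attribute", NS)}
    for name in expected["attributes"]:  # attribute mapping check
        if name not in sent:
            problems.append(f"attribute {name!r} not in response")
    return problems

def demo(xml_text=SAMPLE_XML):  # encode the XML the way the Network tab shows it
    return check_saml_response(base64.b64encode(xml_text.encode()).decode(), EXPECTED)
```

An empty list from `demo()` means the endpoints, entity IDs and attribute names line up; anything left over points at the console field to fix.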

Step 5: Enable Multi-Factor Authentication (MFA) (Optional)

For additional security, you can enable Multi-Factor Authentication (MFA) in Google Workspace, so that users are required to authenticate with a second factor when accessing SSO-enabled apps.

1. Enable MFA in Google Workspace:
   ○ In the Google Admin Console, go to Security > 2-Step Verification and enable it for your domain or organizational unit.
2. Test MFA:
   ○ After enabling MFA, test the SSO login again. The user should first be prompted for their Google Workspace credentials and then for a second factor, such as a mobile app or security key.

Step 6: Monitor and Maintain the SSO Configuration

Once everything is working, you should regularly monitor the SSO integration to ensure continued functionality and security:

1. Review Audit Logs:
   ○ Check the Google Admin Console for Audit Logs to track SSO-related activities, such as successful and failed login attempts, and any changes to the SSO configuration.
2. Update Certificates and Metadata:
   ○ Periodically check that the X.509 certificate used for signing SAML assertions is still valid. Renew or replace certificates as needed.
3. Handle User Lifecycle:
   ○ Ensure that user access is properly managed as employees join or leave the organization. Deactivate users in Google Workspace to automatically revoke access to federated applications.
Conclusion

Federating Google Workspace with a third-party application for Single Sign-On (SSO) is a powerful way to streamline user authentication and improve security. The process involves configuring Google Workspace as the Identity Provider (IdP) and the third-party application as the Service Provider (SP), exchanging SAML assertions for authentication. Key steps include setting up the application in Google Workspace, configuring the application to trust Google, mapping attributes, and testing the integration. Optionally, enabling Multi-Factor Authentication (MFA) can further secure access.

By following these steps, you can ensure a seamless and secure login experience for your users across all SSO-enabled applications.
