5.3.7 Configure Google Workspace

  1. Log in to the Google Admin console.

    NOTE: Sign in with an administrator account (one that does not end with gmail.com).

  2. Open the Security section.

  3. Expand Set up single sign-on (SSO).

  4. Enable Setup SSO with third party identity provider.

  5. Specify the following parameters:

    1. Sign-in page URL: https://<AdvancedAuthenticationServerAddress>/osp/a/TOP/auth/saml2/sso, where AdvancedAuthenticationServerAddress is the domain name or IP address of your Advanced Authentication server.

    2. Sign-out page URL: https://<AdvancedAuthenticationServerAddress>/osp/a/TOP/auth/app/logout.

    3. Change password URL: https://<AdvancedAuthenticationServerAddress>, or the Self-Service Password Reset URL.

    4. Upload the Identity Provider Certificate that you saved in Step 2.

  6. Clear Use a domain specific issuer if you have a single domain in Google Workspace, or select it if you have more than one domain.

    Ensure that every user who will sign in has an account in a repository that corresponds to a user account in Google. Google matches the SAML NameID (email address format) against the account's contact email, so the email address in the Contact information of the Google account must be identical to the value of the email attribute of the corresponding repository account.

    NOTE: You cannot use the Google administrator account with SAML; administrators always sign in directly with Google.

  7. Create a new text file and add the Service Provider metadata to it. The following is the sample metadata:

    <EntityDescriptor entityID="google.com" xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
      <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
        <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
        <AssertionConsumerService index="1" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://www.google.com/a/mycompany.com" />
      </SPSSODescriptor>
    </EntityDescriptor>

    Replace mycompany.com in the Location URL with your primary domain, as shown in the Domains settings in Google.

    NOTE: Use this Service Provider metadata as-is when only one domain exists in Google Workspace. If you have more than one domain, create a Service Provider metadata file for each domain and replace the google.com entityID with google.com/mycompany.com, where mycompany.com is that domain name. The entityID must match the Issuer value in the AuthnRequest that Google sends; if sign-in fails after the import, compare the two.

  8. Save the text file with a .xml extension.

  9. Continue with Generate and Send an Enrollment Link to Users.
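The following Python script, added here as an example and not part of the Advanced Authentication product or its documentation, generates a Service Provider metadata file for each Google Workspace domain (steps 6 to 8) and checks a metadata file against those requirements before you import it. The server name aa.example.com and the domains used in the usage block are constructed values; the URL patterns, the NameID format and the entityID conventions are the ones given above.

```python
"""Build and sanity-check Google Workspace Service Provider metadata files.
Added example (not part of Advanced Authentication); values follow the page."""
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
SAML2_PROTOCOL = "urn:oasis:names:tc:SAML:2.0:protocol"
NAMEID_EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"


def idp_urls(server_address):
    """The three URLs entered in the Google Admin console (step 5)."""
    base = f"https://{server_address}"
    return {
        "sign_in": f"{base}/osp/a/TOP/auth/saml2/sso",
        "sign_out": f"{base}/osp/a/TOP/auth/app/logout",
        "change_password": base,
    }


def sp_entity_id(domain, domain_specific_issuer):
    """Plain google.com for a single domain; google.com/<domain> per domain
    when 'Use a domain specific issuer' is selected (step 6 and the NOTE)."""
    return f"google.com/{domain}" if domain_specific_issuer else "google.com"


def build_sp_metadata(domain, domain_specific_issuer=False):
    """Return the SP metadata XML (step 7) for one Google Workspace domain."""
    ET.register_namespace("", MD_NS)  # serialize with a default xmlns
    root = ET.Element(f"{{{MD_NS}}}EntityDescriptor",
                      entityID=sp_entity_id(domain, domain_specific_issuer))
    sp = ET.SubElement(root, f"{{{MD_NS}}}SPSSODescriptor",
                       protocolSupportEnumeration=SAML2_PROTOCOL)
    ET.SubElement(sp, f"{{{MD_NS}}}NameIDFormat").text = NAMEID_EMAIL
    ET.SubElement(sp, f"{{{MD_NS}}}AssertionConsumerService", index="1",
                  Binding=HTTP_POST,
                  Location=f"https://www.google.com/a/{domain}")
    return ET.tostring(root, encoding="unicode")


def check_sp_metadata(xml_text, domain, domain_specific_issuer=False):
    """Return a list of problems; an empty list means the file matches the
    requirements for this domain. Run it on a hand-edited file before import."""
    problems = []
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD_NS}}}EntityDescriptor":
        return ["root element is not EntityDescriptor in the SAML metadata namespace"]
    expected_id = sp_entity_id(domain, domain_specific_issuer)
    if root.get("entityID") != expected_id:
        problems.append(f"entityID is {root.get('entityID')!r}, expected {expected_id!r}")
    sp = root.find(f"{{{MD_NS}}}SPSSODescriptor")
    if sp is None:
        problems.append("missing SPSSODescriptor")
        return problems
    if sp.findtext(f"{{{MD_NS}}}NameIDFormat") != NAMEID_EMAIL:
        problems.append("NameIDFormat must be emailAddress so Google can match "
                        "the repository email attribute")
    acs = sp.find(f"{{{MD_NS}}}AssertionConsumerService")
    if acs is None:
        problems.append("missing AssertionConsumerService")
    else:
        if acs.get("Binding") != HTTP_POST:
            problems.append(f"ACS Binding is {acs.get('Binding')!r}, expected HTTP-POST")
        expected_loc = f"https://www.google.com/a/{domain}"
        if acs.get("Location") != expected_loc:
            problems.append(f"ACS Location is {acs.get('Location')!r}, expected {expected_loc!r}")
    return problems


def sp_metadata_files(domains):
    """Map file name -> metadata XML for every Google Workspace domain.
    One domain keeps the plain google.com entityID; several domains get
    domain-specific entityIDs, one file per domain (the NOTE under step 7)."""
    domain_specific = len(domains) > 1
    return {f"google-sp-{d}.xml": build_sp_metadata(d, domain_specific)
            for d in domains}


if __name__ == "__main__":
    # Constructed values: one Advanced Authentication server, two domains.
    for name, url in idp_urls("aa.example.com").items():
        print(f"{name}: {url}")
    for filename, xml in sp_metadata_files(["mycompany.com", "mycompany.net"]).items():
        assert check_sp_metadata(xml, filename[len("google-sp-"):-len(".xml")], True) == []
        with open(filename, "w", encoding="utf-8") as f:  # step 8: save as .xml
            f.write(xml)
        print("wrote", filename)
```

Run the script once per Google Workspace tenant and import the generated files; if you edit a file by hand afterwards, call check_sp_metadata on it with the same domain and issuer setting you chose in step 6 so that a mismatched entityID or ACS Location is caught before the first failed sign-in.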