Capabilities overview
Google Workspace is a collection of cloud computing, productivity and collaboration tools, software and products developed and marketed by Google.
Supported capability | Required plan | Details |
---|---|---|
Passwordless SSO | Business starter | Low SSO tax |
Automated provisioning | Business starter | API (create, remove, update accounts) |
Password manager | Any | Auto-fill / Auto-capture |
Prerequisites
To configure SAML integration between Google Workspace and idemeum you will first need to get SAML XML metadata parameters for your tenant. You will need the following:
- Identity Provider SSO URL
- Public X509 certificate (download file in PEM format)
Instructions for how to obtain these values are below.
Passwordless Single Sign-On (SAML)
Configure SSO in Google Workspace
- Login to Google Workspace admin console
- Navigate to Security -> Authentication -> SSO with 3rd party IDP
- Click edit to create third-party SSO profile for your organization
Now you will be using SAML metadata parameters that you obtained in the prerequisites section
- Enable checkbox for Set up SSO with third-party identity provider
- For Sign-in page URL paste Identity Provider SSO URL that you obtained from prerequisites section
- For Sign-out page URL paste https://accounts.google.com
- Take Public X509 certificate (PEM format) that you downloaded from idemeum and upload to google admin console for Verification certificate
- Enable Use a domain specific issuer
- Save the configuration
Configure SSO in idemeum
- Navigate to your idemeum admin portal at https://[your domain].idemeum.com/adminportal
- Click Applications in the left menu
- Search for Google Workspace application and click Add App
- Click SAML at the top navigation menu
- All you need to do is to enter your Google Workspace Domain
- Click Save
License management
The simplest way to manage licenses is to automatically assign licenses to newly provisioned users.
- Navigate to to Billing -> Subscriptions
- Click on the subscription you want to assign to newly provisioned users
- Make sure Auto assign is ON
Automated provisioning
- Return to Google Workspace app configuration in idemeum. Navigate to app provisioning section.
- Click Authorize to allow idemeum to provision into Google Workspace tenant.
- There will be a new pop up where you will use oAuth to give idemeum permissions to provision user data.
- Use your Google Workspace admin account to sign in and give permissions to provision into Google Workspace tenant. Allow idemeum all permissions requsted.
- Click Save
SAML SSO login flows
Accessing as admin
When you access Google Workspace with your Super administrator account, SSO will be bypassed and admin will be able to login with user name and password.
To access your admin account navigate to https://admin.google.com.
Accessing as user
Google Workspace supports both:
- IDP initiated flow
- SP initiated flow
With IDP initiated flow users first navigate to idemeum user catalog and then click on Google Workspace icon to launch application.
With SP initiated flow users can navigate to each service directly by accessing https://[service].google.com/a/[domain]. For instance, to access Google Drive, users will need to replace service with drive and domain with actual domain - https://drive.google.com/a/idemeumdemo.com
Right after that users will be able to login with idemeum.