Google Workspace

Capabilities overview

Google Workspace is a collection of cloud computing, productivity and collaboration tools, software and products developed and marketed by Google.

Google Workspace pricing page

Supported capability | Required plan | Details
Passwordless SSO | Business starter | Low SSO tax
Automated provisioning | Business starter | API (create, remove, update accounts)
Password manager | Any | Auto-fill / Auto-capture

Prerequisites

To configure SAML integration between Google Workspace and idemeum you will first need to get SAML XML metadata parameters for your tenant. You will need the following:

  • Identity Provider SSO URL
  • Public X509 certificate (download file in PEM format)

Instructions for how to obtain these values are below.

How to obtain SAML metadata for idemeum
SAML metadata is the data that describes the information needed to communicate with a SAML endpoint. For example, if Identity Provider (IDP) X wanted to allow Service Provider (SP) Y to request SAML responses, IdP X would share its metadata with SP Y and vice-versa. Each idemeum tenant has associate…

Passwordless Single Sign-On (SAML)

Configure SSO in Google Workspace

  • Click edit to create a third-party SSO profile for your organization
Now you will use the SAML metadata parameters that you obtained in the prerequisites section.
  • Enable the checkbox for Set up SSO with third-party identity provider
  • For Sign-in page URL, paste the Identity Provider SSO URL that you obtained in the prerequisites section
  • For Sign-out page URL, paste https://accounts.google.com
  • Take the Public X509 certificate (PEM format) that you downloaded from idemeum and upload it to the Google Admin console for Verification certificate
  • Enable Use a domain specific issuer
  • Save the configuration

Configure SSO in idemeum

  • Navigate to your idemeum admin portal at https://[your domain].idemeum.com/adminportal
  • Click Applications in the left menu
  • Search for the Google Workspace application and click Add App
  • Click SAML in the top navigation menu
  • Enter your Google Workspace Domain
  • Click Save

License management

The simplest way to manage licenses is to automatically assign licenses to newly provisioned users.

  • Navigate to Billing -> Subscriptions
  • Click on the subscription you want to assign to newly provisioned users
  • Make sure Auto assign is ON

Automated provisioning

  • Return to the Google Workspace app configuration in idemeum and navigate to the app provisioning section.
  • Click Authorize to allow idemeum to provision into your Google Workspace tenant.
  • A new pop-up opens where you use OAuth to give idemeum permission to provision user data.
  • Sign in with your Google Workspace admin account and grant permission to provision into the Google Workspace tenant. Allow idemeum all permissions requested.
  • Click Save

SAML SSO login flows

Accessing as admin

When you access Google Workspace with your Super administrator account, SSO is bypassed and the admin can log in with user name and password.

To access your admin account, navigate to https://admin.google.com.

Accessing as user

Google Workspace supports both:

  • IDP-initiated flow
  • SP-initiated flow

With the IDP-initiated flow, users first navigate to the idemeum user catalog and then click the Google Workspace icon to launch the application.

With the SP-initiated flow, users can navigate to each service directly by accessing https://[service].google.com/a/[domain]. For instance, to access Google Drive, users need to replace [service] with drive and [domain] with the actual domain: https://drive.google.com/a/idemeumdemo.com

Right after that, users will be able to log in with idemeum.