How to Configure SAML on Google Workspace
This document explains the steps of integrating the Google Workspace identity provider with the platform over SAML to log in to the platform by using your Google Workspace email account.
Google Workspace Settings
Please follow the steps below to set up SAML settings correctly on the Google Workspace side.
Log in to Google Workspace with a privileged account that can create applications.
Go to the Directory > Users > More Options > Manage custom attributes menu from the main dashboard.
Click on Add Custom Attributes and add the following attribute.
Category: SAMLRole
Description: Add a description to the custom attribute for your reference.
Under "Custom Fields" header
Name: spRole
Info Type: Text
Visibility: Visible to the organization
No. Of Values: Single value
You can set a role name for specific users. To do that:
Go to the Users page and click on the selected user.
Click the User Information page.
Scroll down to find spRole. You can click on it and set custom SAML role name such as Company Admin, Reseller or if you created a custom role on the platform, you can define the role name to here as well.
If a value is not set to spRole such as Company Admin, the system will assign the default role for the user after login to the platform that admin is specified on the platform SAML settings. You may also skip this step for now and then revisit it if needed.
Now, go to Dashboard > Apps > Web and mobile apps > Add App > Add custom SAML app and then follow the steps below.
Name: Write SAML name.
Click the Continue button.
Click the Download Metadata button and then click the Continue button.
ACS URL: Please login to the platform and go to Company > Company Settings > SAML Settings > click + NEW and then see the "SSO Sign-in URL" field at the bottom of the page. Please write the related URL on Google's ACS URL page.
Entity ID: Please login to the platform and go to Company > Company Settings > SAML Settings > click + NEW and then see the "Idp Entity ID" field at the bottom of the page. Please write the related URL on Google's Entity ID page.
Click the Continue button.
Add the following attributes by clicking the ADD MAPPING button.
Primary Email > email
First name > firstName
Name Last name > lastName
Phone number > phoneNumber
spRole > spRole
Click the Finish button.
Go to the SAML app settings that is created and then click on User Access.
If you want everyone in the organization to be able to log in to the platform, enable the ‘On for everyone’ option.
If you want a few users in the organization to be able to log in to the platform, you can make a group of those users and assign the group to the SAML app.
Platform Settings
Log in to the platform with the privileged user who can access the SAML settings on the platform and then follows up on the document here to fill up the required fields.
Please follow the steps below to set up SAML settings correctly on the platform.
Log in to the platform with a privileged user who can access SAML settings.
From the left menu, under Company heading, click on Company Settings -> SAML Settings.
Click on the “Create your first SAML configuration” button in the middle of the page.
Then, fill in the following details when the "New SAML Configuration" field is opened.
SAML Name: Enter a name for SAML setting.
Allowed Domains: Enter the domain name that the admin will be using to log in to the platform. The platform will recognize the user with the domain and redirect to the SSO authentication.
SAML Configuration For Keepnet Labs: By clicking the "Upload Metadata" button under this field and then uploading the Google Workspace metadata file to the platform. According to the information in the metadata, the "Issuer URL of the IdP", "IdP SSO URL" and "IdP Certificate" fields will be filled automatically.
Default Role: Assing a default role to the users who will log in to the platform. If this option is not enabled, the user must have the ‘spRole’ attribute configured in the Google Workspace with the correct system role name to log in to the platform.
How to Test SAML Configuration
Check whether the configuration works or not by following the steps below.
Make sure the admin who will log in to the platform over SAML is created in the platform under the Company > System Users page.
Go to the login page of the platform.
Enter the email address. The email domain must be the one that is defined in the SAML settings.
The platform will redirect you to the Google Workspace SSO page to authenticate.
Video Tutorial
This video tutorial shows the above documentation steps for integrating the Google Workspace identity provider with the platform over SAML to log in to the platform by using your Google Workspace email account.
Last updated