Skip to main content

Google Workspace SAML integration

Multi-Factor Authentication (MFA) is an extra layer of security used when logging into websites or apps. Individuals are authenticated through more than one required security and validation procedure that only they know or have access to.

Security Assertion Markup Language (SAML) is a protocol for authenticating to web applications. SAML allows federated apps and organizations to communicate and trust one another’s users.

Arculix by SecureAuth, as a SAML provider, improves the user login experience for Google Workspace users with convenient MFA, and offers a simple SAML solution for adding MFA and single sign-on (SSO) to Google Workspace.

Prerequisites

  • Arculix account with a configured Identity Provider and LDAP Agent.

    For more information, see the Arculix LDAP Agent deployment guide.

  • Google Workspace user account with administrative access.

  • User account with administrative privileges for Arculix.

Google Workspace configuration

In this section, you'll configure Google Workspace as a service provider (SP).

  1. Download the SAML metadata and certificate for your organization from Arculix.

    Metadata download: https://sso.acceptto.com/<myorganization>/saml/download/metadata

    View metadata: https://sso.acceptto.com/<myorganization>/saml/metadata

    Certificate download: https://sso.acceptto.com/<myorganization>/saml/download/cert

  2. Log in to your Google Workspace console.

    gsuite_admin_console.png
  3. In the left menu, go to Security > Authentication. Then, click SSO with third-party IdP.

    arculix_gsuite_sso_3rd_IdP.png
  4. Click ADD SAML PROFILE.

    arculix_gsuite_3rd_party_sso_profiles.png
  5. In the SAML SSO profile section, set the following:

    IdP entity ID URL

    Enter the IdP entity ID URL from the Arculix metadata.

    For example, https://sso.acceptto.com/<myorganization>/saml.

    Sign-in page URL

    Enter the Sign In URL from the Arculix metadata.

    For example, https://sso.acceptto.com/<myorganization>/saml/auth.

    Sign-out page URL

    Enter the Sign Out URL from the Arculix metadata.

    For example, https://sso.acceptto.com/<myorganization>/saml/logout.

    Verification certificate

    Click UPLOAD CERTIFICATE and select the certificate file downloaded earlier from the Arculix metadata.

    For example, https://sso.acceptto.com/<myorganization>/saml/download/cert.

    arculix_gsuite_saml_sso_profile_assignment.png
  6. Save your changes.

    Copy the Entity ID URL and ACS URL values; you will need these in the Arculix configuration.

    arculix_gsuite_entity_rl_values.png
  7. In the SSO with a third-party IdP section, select Manage SSO Profile Assignments then click Manage.

    arculix_gsuite_manage_sso_profiles_assignments.png
  8. Select the SSO profile you created and click Save.

    arculix_gsuite_sso_profile_assignment.png
  9. Click Domain Specific Service URLs.

    arculix_gsuite_domain_specific_service_urls_2.png
  10. Click the Automatically redirect users to third party IdP in the following SSO profile link and select the created profile in the next part.

    arculix_gsuite_domain_specific_service_urls_policy.png
  11. Click Save.

Arculix SAML configuration as an Identity Provider (IdP)

In this section, you'll add an application for Google Workspace and set the SAML configuration settings. This will be the Identity Provider (IdP) side of the configuration.

  1. Log in to Arculix with an administrative account and go to Applications.

  2. Click Create New Application.

    Create new application
  3. In the New Application form, on the General tab, set the following configurations:

    Name

    Set the name of the application. This is the name to display for push notifications, in the Admin panel, Application portal, and audit logs.

    For example, Google Workspace.

    Type

    Set to SAML Service Provider.

    Out of Band Methods

    Select the allowed methods end users can choose to approve MFA requests.

    For example, Arculix Mobile app (push notifications), SMS, or Security Key.

    Message for MFA Requests

    (Optional) Type a message displayed to end users when sending an MFA request via push notification, SMS, or email.

    arculix_gsuite_new_application_general.png
  4. Select the SAML Service Provider Configuration tab, and set the following configurations:

    Issuer or Entity ID

    Enter the Issuer/EntityID of your Google Workspace instance.

    For example, https://accounts.google.com/samlrp/metadata?rpid=00000.

    Log in URL

    Enter the URL used by users to access the Google Workspace apps. This is the same as the Entity ID.

    For example, https://accounts.google.com/samlrp/metadata?rpid=00000.

    ACS URL

    Enter the URL containing the Assertion Consumer Service (ACS) metadata about your Google Workspace instance.

    For example, https://accounts.google.com/samlrp/metadata?rpid=00000.

    arculix_gsuite_saml_service_provider_configuration.png
  5. Save your changes.

Test your application integration

  1. Go to your Google App link.

    You will be redirected to the Arculix SSO page.

    Application login page with email
  2. After successful authentication, select your preferred MFA method to approve access to the Google Workspace application.

    Select MFA method
  3. You are redirected to your Google app landing page.

Support

If you have questions or need assistance, contact SecureAuth Support.

Sales

Want to learn more about our MFA solutions? Contact our Professional Services for a demo today.

Disclaimer

All product names, trademarks, and registered trademarks are the property of their respective owners.

All company, product, and service names used in this document are for identification purposes only. The use of these names, trademarks, and brands do not constitute an endorsement by the SecureAuth Corporation.