Setting Up the SAML Connection
You’ll need to complete the initial setup in Iru Endpoint first to get the configuration information required for Google Workspace. After copying the Entity ID and ACS URL, switch to the Google Workspace Configuration tab to continue.
Navigate to the Account Menu Button
In Iru Endpoint, in the sidebar, click the Account Menu Button.
Access Authentication Settings
Click the Access option in the menu.
Select Admin and Authentication
Select the Admin and authentication tab (selected by default) and scroll down to Authentication methods.
Add Authentication Method
Click + Authentication method.
Enter Display Name
Enter a display name for the SSO Connection.
Select Authentication Method
Select SAML for the Authentication method.
Create Connection
Click Create.
Configuration Information
Click Configuration information if that section is not already expanded.
Copy Service Provider Entity ID
Copy the Service provider entity ID into a text document for later use. You’ll need this for the Google Workspace configuration.
Copy ACS URL
Copy the Assertion consumer service (ACS) URL into a text document for later use. You’ll need this for the Google Workspace configuration.
Keep Tab Open
Keep the Iru Endpoint configuration modal open, then switch to the Google Workspace Configuration tab to continue.
Configuring Iru Endpoint SAML Connection
After completing the Google Workspace configuration, return here to finish setting up the SAML connection in Iru Endpoint. You’ll need the SSO URL, Entity ID, and certificate from Google Workspace.
Return to Iru Endpoint
Go back to the Custom SAML modal in Iru Endpoint.
User Matching
Scroll down to the User Matching section.
Set IdP Attribute
Set IdP attribute to Attribute.
Set Attribute Name
Set Attribute name to email.
Set User Attribute
Set User attribute to User Principal Name (UPN).
Identity Provider
Scroll down to the Identity provider section.
Add IdP Entity ID
Paste the Entity ID you copied from Google Workspace into the IdP Entity ID field.
Add IdP Single Sign-in URL
Paste in the IdP Single Sign-in URL you copied from Google Workspace.
Upload Certificate
Upload the certificate you downloaded from Google Workspace.
Request Configuration
Scroll down to the Request Configuration section.
Set Request Binding
Set the Request Binding to HTTP-POST.
Set Signature Request Algorithm
Ensure that the Request Signature Algorithm is set to RSA-SHA256.
Set Request Digest Algorithm
Ensure that Sign Request Algorithm Digest is set to SHA256.
Enable Sign SAML Authentication Request
Ensure that Sign SAML Authentication Request is enabled.
Response Validation
Scroll down to the Response Validation section.
Set Response Signature Verification
Set Response Signature Verification to Response.
Set Destination
Leave the optional Destination blank.
Set Allowed Signature Algorithm
Set Allowed Signature Algorithm to RSA-SHA256.
Set Allowed Digest Algorithm
Set Allowed Digest Algorithm to SHA256.
Allow for Tenant Authentication
Once you have configured the SAML connection in Iru Endpoint and your identity provider, you can allow its use for tenant authentication. For step-by-step instructions, please refer to the Allowing Tenant Authentication and Managing Connections section in our Single Sign-on support article.
Limit Authentication to Domain
When configuring the SAML connection, you can optionally limit authentication to one or more domains. This can be useful when the SSO connection could authenticate to multiple domains. You can limit the authentication to your Iru tenant to a subset of the available domains.
Enforcing Single Sign-On
Once you have configured at least one Single Sign-on connection, you can disable Passkey, Google Social, and Microsoft Social connections. Disabling these connections will disable the ability for Iru Endpoint administrators in your tenant to authenticate via those methods. Please refer to our Single Sign-on support article for step-by-step instructions.
Testing the Integration
Add User to Admin Team
Add a user to the Admin Team in Iru Endpoint by clicking New User.
Fill User Information
Fill in all of the corresponding user information. This user must exist in Google Workspace and must be assigned to the Iru Endpoint SSO app in your Google Workspace tenant.
Close Invite Window
Once the invite is submitted, close the Invite User window.
Refresh Access Page
Refresh the Access page in Iru Endpoint. You should see the user you just added.
Test SSO Login
Check the user’s email to accept the invitation and log into Iru Endpoint with the new SAML SSO connection.
Before starting the Google Workspace configuration, complete the initial setup in the Iru Web App Configuration tab to get the Service Provider Entity ID and ACS URL. You’ll need these values to configure the Google Workspace application.
Configuring Google Workspace Application
Access Google Admin Console
In a new browser tab, log in to admin.google.com with a Google Workspace admin account.
Open Menu
Click the menu symbol at the top left.
Navigate to Apps
Select Apps.
Select Web and Mobile Apps
Select Web and mobile apps.
Add New App
Click the Add app dropdown.
Select Custom SAML App
Select Add custom SAML app.
Configure App Details
On the App details page:
- Set an App name.
- Optionally, add a Description.
- Upload an optional App icon.
- Click Continue.
Copy Google Identity Provider Details
On the Google Identity Provider Details page, use Option 2: Copy the SSO URL, entity ID, and certificate.
- Copy the SSO URL and save it to a text document for later use. You’ll need this to complete the Iru Web App Configuration.
- Copy the Entity ID and save it to a text document for later use. You’ll paste this into the IdP Entity ID field in Iru Endpoint.
- Download the Certificate and save it. You’ll need this to complete the Iru Web App Configuration.
- Click Continue.
Configure Service Provider Details
On the Service Provider Details page:
- In the ACS URL field, paste the Iru Endpoint Assertion Consumer Service URL you copied from the Iru Web App Configuration.
- Paste the Iru Endpoint Entity ID you copied from the Iru Web App Configuration in the Entity ID field.
- Ensure that the Signed response option is checked.
- Set the Name ID Format to EMAIL.
- For NameID, make sure that Basic Information > Primary email is selected.
- Click CONTINUE.
Configure Attribute Mapping
On the Attribute Mapping page:
- Click ADD MAPPING.
- Select the Primary email attribute in the Basic information dropdown menu.
- Enter email in the App attributes field.
- Click Finish.
Configure User Access
On the resulting app page, check under User Access to ensure that the service is turned on and that either a user group or organizational unit is selected.
- If it displays OFF for everyone, click on the disclosure triangle in the user access panel to assign a user group or organizational unit to the app.
- Optionally, please select a group or organizational unit to enable the service (by default, it will display all organizational units).
- Set service status to ON for everyone.
- Click Save.
The Required Claim Attributes section of the SAML-based Single Sign-on knowledge base article provides more information about Iru Endpoint attribute mappings. After completing the Google Workspace configuration, return to the Iru Web App Configuration tab to finish setting up the SAML connection using the SSO URL, Entity ID, and certificate you copied from Google Workspace.