About Google Workspace SAML Integration

Google Workspace SAML integration in Iru Endpoint allows you to set up SAML-based SSO integration with Google Workspace, providing secure authentication for users accessing Iru Endpoint through their Google Workspace credentials.

How It Works

When users attempt to access Iru Endpoint, they’re redirected to Google Workspace for authentication. After successful authentication, Google Workspace sends a SAML assertion back to Iru Endpoint, which validates the user’s identity and grants access to the platform.

Setting Up the SAML Connection

1

Navigate to Settings

In Iru Endpoint, navigate to the Settings page.
2

Access Authentication Settings

Click the Access tab.
3

Add New Connection

Find the Authentication section and click the Add button on the bottom left.
4

Select SAML Connection

In the new pane, click Custom SAML.
5

Continue Setup

Click Next.
6

Show Advanced Details

Click Show Advanced Details.
7

Copy ACS URL

Copy the Assertion Consumer Services URL into a text document for later use.
8

Copy Entity ID

Copy the Entity ID into a text document for later use.
9

Keep Tab Open

Leaving this tab open, continue to the Google Workspace Admin console following the instructions below.

Configuring Google Workspace Application

1

Access Google Admin Console

In a new browser tab, log in to admin.google.com with a Google Workspace admin account.
2

Open Menu

Click the menu symbol at the top left.
3

Navigate to Apps

Select Apps.
4

Select Web and Mobile Apps

Select Web and mobile apps.
5

Add New App

Click the Add App dropdown.
6

Select Custom SAML App

Select Add custom SAML app.
7

Configure App Details

On the App details page:
  1. Set an App name.
  2. Optionally, add a Description.
  3. Upload an optional App icon.
  4. Click Continue.
8

Copy Google Identity Provider Details

On the Google Identity Provider Details page, use Option 2: Copy the SSO URL, entity ID, and certificate.
  1. Copy the SSO URL and save it to a text document for later use.
  2. Download the Certificate and save it.
  3. Click Continue.
9

Configure Service Provider Details

On the Service Provider Details page:
  1. In the ACS URL field, paste the Iru Endpoint Assertion Consumer Service URL you copied earlier.
  2. Paste the Iru Endpoint Entity ID you copied earlier in the Entity ID field.
  3. Make sure that the Signed response option is checked.
  4. Set the Name ID Format to UNSPECIFIED.
  5. For NameID, make sure that Basic Information > Primary email is selected.
  6. Click CONTINUE.
10

Configure Attribute Mapping

On the Attribute Mapping page:
  1. Click on Add Mapping twice so that you can add the following two mappings:
  2. Find the First name attribute in the dropdown menu and paste the following string:
    schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
    
  3. Find the Last name attribute in the dropdown menu and paste the following string:
    schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
    
  4. Click Finish.
11

Configure User Access

On the resulting app page, check under User Access to ensure that the service is turned on and that either a user group or organizational unit is selected.
  1. If it displays OFF for everyone, click on the disclosure triangle in the user access panel to assign a user group or organizational unit to the app.
  2. Optionally, please select a group or organizational unit to enable the service (by default, it will display all organizational units).
  3. Set service status to ON for everyone.
  4. Click Save.

The Required Claim Attributes section of the SAML-based Single Sign-on knowledge base article provides more information about Iru Endpoint attribute mappings.

Configuring Iru Endpoint SAML Connection

1

Return to Iru Endpoint

Go back to the Custom SAML modal in Iru Endpoint.
2

Name the Connection

Give the connection a Name.
3

Add Sign-in URL

In the Sign-in URL field, paste the SSO URL you copied from Google Workspace.
4

Upload Certificate

Upload the certificate you downloaded from Google Workspace.
5

Verify User ID Attribute

Ensure that the User ID Attribute is set to the default value of:
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
6

Enable Sign Request

Ensure that Sign Request is set to Yes.
7

Set Request Algorithm

Ensure that Request Algorithm is set to RSA-SHA256.
8

Set Digest Algorithm

Ensure that Sign Request Algorithm Digest is set to SHA 256.
9

Set Protocol Binding

Set the Protocol Binding to HTTP-POST.
10

Save Configuration

Click Save and then click Cancel to exit the configuration.

Enabling the Connection

Once you have configured the SAML connection in Iru Endpoint and your identity provider, you can enable it. For step-by-step instructions, please refer to the Enable and Manage a Connection section of our Single Sign-on support article.

Enforcing Single Sign-On

Once you have configured at least one Single Sign-on connection, you can disable the standard authentication connection. Disabling Iru Endpoint standard authentication prevents Iru Endpoint administrators in your tenant from authenticating via email/password, Google Sign-in, or Office 365 Sign-in. Please refer to our Single Sign-on support article for step-by-step instructions.

Testing the Integration

1

Add User to Admin Team

Add a user to the Admin Team in Iru Endpoint by clicking New User.
2

Fill User Information

Fill in all of the corresponding user information. This user must exist in Google Workspace and must be assigned to the Iru Endpoint SSO app in your Google Workspace tenant.
3

Submit User

Click Submit.
4

Close Invite Window

Once the invite is submitted, close the Invite User window.
5

Refresh Access Page

Refresh the Access page in Iru Endpoint. You should see the user you just added.
6

Test SSO Login

Check the user’s email to accept the invitation and log into Iru Endpoint with the new SAML SSO connection.
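
When a test login fails, comparing the SAML response that Google Workspace posts to the ACS URL against the settings configured above narrows down the mismatch. The following Python is an added example, not Iru or Google code; the ACS URL, Entity ID, and sample response are constructed placeholders, and it checks structure only, not the cryptographic signature.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
# Attribute names as listed in the Attribute Mapping step; matched by suffix.
REQUIRED_ATTRS = ("schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
                  "schemas.xmlsoap.org/ws/2005/05/identity/claims/surname")

def check_response(xml_text, acs_url, entity_id):
    """List mismatches between a decoded SAML response and the setup above."""
    root = ET.fromstring(xml_text)
    problems = []
    # With "Signed response" checked, ds:Signature sits directly under Response.
    if root.find("ds:Signature", NS) is None:
        problems.append("response element is not signed")
    if root.get("Destination") != acs_url:
        problems.append("Destination does not match the ACS URL")
    audiences = [a.text for a in root.iterfind(".//saml:Audience", NS)]
    if entity_id not in audiences:
        problems.append("Audience does not match the Entity ID")
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    if name_id is None:
        problems.append("NameID is missing")
    else:
        if name_id.get("Format") != UNSPECIFIED:
            problems.append("NameID Format is not UNSPECIFIED")
        if "@" not in (name_id.text or ""):
            problems.append("NameID is not an email address")
    names = [a.get("Name", "") for a in root.iterfind(".//saml:Attribute", NS)]
    for required in REQUIRED_ATTRS:
        if not any(n.endswith(required) for n in names):
            problems.append("attribute missing: " + required.rsplit("/", 1)[-1])
    return problems

# Constructed sample: placeholder URLs, empty signature, surname mapping omitted.
ACS, SP_ID = "https://sp.example/acs", "https://sp.example/entity"
SAMPLE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
 xmlns:ds="{NS['ds']}" Destination="{ACS}"><ds:Signature/><saml:Assertion>
<saml:Subject><saml:NameID Format="{UNSPECIFIED}">ada@example.com</saml:NameID>
</saml:Subject><saml:Conditions><saml:AudienceRestriction>
<saml:Audience>{SP_ID}</saml:Audience></saml:AudienceRestriction></saml:Conditions>
<saml:AttributeStatement><saml:Attribute Name="{REQUIRED_ATTRS[0]}"/>
</saml:AttributeStatement></saml:Assertion></samlp:Response>"""

if __name__ == "__main__":
    for line in check_response(SAMPLE, ACS, SP_ID) or ["no mismatches"]:
        print(line)
```

Base64-decode the SAMLResponse form field captured during the test login before passing it in. A clean result only means the response matches the configured values; verifying the signature against the Google certificate remains the service provider's job.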

Considerations

Security: Ensure that your Google Workspace tenant has appropriate security policies configured for SAML authentication.

User Management: Users must exist in both Google Workspace and Iru Endpoint to successfully authenticate via SSO.

Testing: Always test the SSO integration with a small group of users before rolling out to your entire organization.

Attribute Mapping: Proper attribute mapping is crucial for successful user authentication and profile synchronization.