Single Sign-On with Google Workspace (SAML)

About Google Workspace SAML Integration

Google Workspace SAML integration in Iru Endpoint lets you set up SAML-based SSO integration with Google Workspace for users accessing Iru Endpoint through their Google Workspace credentials.

How It Works

When users attempt to access Iru Endpoint, they’re redirected to Google Workspace for authentication. After successful authentication, Google Workspace sends a SAML assertion back to Iru Endpoint, which validates the user’s identity and grants access to the platform.

Iru Endpoint Configuration
Google Workspace Configuration

Setting Up the SAML Connection

You’ll need to complete the initial setup in Iru Endpoint first to get the configuration information required for Google Workspace. After copying the Entity ID and ACS URL, switch to the Google Workspace Configuration tab to continue.

Navigate to the Account Menu Button

In Iru Endpoint, in the sidebar, click the Account Menu Button.

Access Authentication Settings

Click the Access option in the menu.

Add New Connection

Select the Admin and Authentication tab (selected by default) and scroll down to Authentication methods.

Add Authentication Method

Click + Authentication Method, then enter a display name for the SSO Connection and select SAML.

Create Connection

Click Create.

Configuration Information

Click Configuration information if that section is not already expanded.

Copy Service Provider Entity ID

Copy the Service provider entity ID into a text document for later use. You’ll need this for the Google Workspace configuration.

Copy ACS URL

Copy the Assertion consumer service (ACS) URL into a text document for later use. You’ll need this for the Google Workspace configuration.

Keep Tab Open

Keep the Iru Endpoint configuration modal open, then switch to the Google Workspace Configuration tab to continue.

Configuring Iru Endpoint SAML Connection

After completing the Google Workspace configuration, return here to finish setting up the SAML connection in Iru Endpoint. You’ll need the SSO URL, Entity ID, and certificate from Google Workspace.

Return to Iru Endpoint

Go back to the SAML connection configuration modal in Iru Endpoint.

Name the Connection

Give the connection a Name.

Add Sign-in URL

Paste in the Sign-in URL you copied from Google Workspace.

Add IdP Entity ID

Paste the Entity ID you copied from Google Workspace into the IdP Entity ID field.

Upload Certificate

Upload the certificate you downloaded from Google Workspace.

Set User ID Attribute

Ensure that the User ID Attribute is set to the default value of:

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier

Enable Sign Request

Ensure that Sign Request is set to Yes.

Set Request Algorithm

Ensure that the Request Algorithm is set to RSA-SHA256.

Set Digest Algorithm

Ensure that Sign Request Algorithm Digest is set to SHA 256.

Set Protocol Binding

Set the Protocol Binding to HTTP-POST.

Save Configuration

Click Save and then click Cancel to exit the configuration.

Allow for Tenant Authentication

Once you have configured the SAML connection in Iru Endpoint and your identity provider, you can allow its use for tenant authentication. For step-by-step instructions, please refer to the Allowing Tenant Authentication and Managing Connections section in our Single Sign-on support article.

Enforcing Single Sign-On

Once you have configured at least one Single Sign-on connection, you can disable Passkey, Google Social, and Microsoft Social connections. Disabling these connections will disable the ability for Iru Endpoint administrators in your tenant to authenticate via those methods. Please refer to our Single Sign-on support article for step-by-step instructions.

Testing the Integration

Add User to Admin Team

Add a user to the Admin Team in Iru Endpoint by clicking New User.

Fill User Information

Fill in all of the corresponding user information. This user must exist in Google Workspace and must be assigned to the Iru Endpoint SSO app in your Google Workspace tenant.

Submit User

Click Submit.

Close Invite Window

Once the invite is submitted, close the Invite User window.

Refresh Access Page

Refresh the Access page in Iru Endpoint. You should see the user you just added.

Test SSO Login

Check the user’s email to accept the invitation and log into Iru Endpoint with the new SAML SSO connection.

Before starting the Google Workspace configuration, complete the initial setup in the Iru Endpoint Configuration tab to get the Service Provider Entity ID and ACS URL. You’ll need these values to configure the Google Workspace application.

Configuring Google Workspace Application

Access Google Admin Console

In a new browser tab, log in to admin.google.com with a Google Workspace admin account.

Open Menu

Click the menu symbol at the top left.

Navigate to Apps

Select Apps.

Select Web and Mobile Apps

Select Web and mobile apps.

Add New App

Click the Add App dropdown.

Select Custom SAML App

Select Add custom SAML app.

Configure App Details

On the App details page:

Set an App name.
Optionally, add a Description.
Upload an optional App icon.
Click Continue.

Copy Google Identity Provider Details

On the Google Identity Provider Details page, use Option 2: Copy the SSO URL, entity ID, and certificate.

Copy the SSO URL and save it to a text document for later use. You’ll need this to complete the Iru Endpoint configuration.
Copy the Entity ID and save it to a text document for later use. You’ll paste this into the IdP Entity ID field in Iru Endpoint.
Download the Certificate and save it. You’ll need this to complete the Iru Endpoint configuration.
Click Continue.

Configure Service Provider Details

On the Service Provider Details page:

In the ACS URL field, paste the Iru Endpoint Assertion Consumer Service URL you copied from the Iru Endpoint configuration.
Paste the Iru Endpoint Entity ID you copied from the Iru Endpoint configuration in the Entity ID field.
Make sure that the Signed response option is checked.
Set the Name ID Format to UNSPECIFIED.
For NameID, make sure that Basic Information > Primary email is selected.
Click CONTINUE.

Configure Attribute Mapping

On the Attribute Mapping page:

Click on Add Mapping twice so that you can add the following two mappings:
1. Find the First name attribute in the dropdown menu and paste the following string:
  schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
2. Find the Last name attribute in the dropdown menu and paste the following string:
  schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
Find the Primary email attribute in the dropdown menu and enter email in the field.
Click Finish.

Configure User Access

On the resulting app page, check under User Access to ensure that the service is turned on and that either a user group or organizational unit is selected.

If it displays OFF for everyone, click on the disclosure triangle in the user access panel to assign a user group or organizational unit to the app.
Optionally, please select a group or organizational unit to enable the service (by default, it will display all organizational units).
Set service status to ON for everyone.
Click Save.

The Required Claim Attributes section of the SAML-based Single Sign-on knowledge base article provides more about Iru Endpoint attribute mappings.

After completing the Google Workspace configuration, return to the Iru Endpoint Configuration tab to finish setting up the SAML connection using the SSO URL, Entity ID, and certificate you copied from Google Workspace.

Considerations

Security: Ensure that your Google Workspace tenant has appropriate security policies configured for SAML authentication. User Management: Users must exist in both Google Workspace and Iru Endpoint to successfully authenticate via SSO. Testing: Always test the SSO integration with a small group of users before rolling out to your entire organization. Attribute Mapping: Proper attribute mapping is crucial for successful user authentication and profile synchronization.

General

Devices

Agent

Blueprints

Enrollment

Library

Deployment Guides

Settings

Endpoint Detection & Response

Integrations

Vulnerability Management

Networking & Connectivity

API

Single Sign-On with Google Workspace (SAML)

About Google Workspace SAML Integration

How It Works

Setting Up the SAML Connection

Configuring Iru Endpoint SAML Connection

Allow for Tenant Authentication

Enforcing Single Sign-On

Testing the Integration

Configuring Google Workspace Application

Considerations

General

Devices

Agent

Blueprints

Enrollment

Library

Deployment Guides

Settings

Endpoint Detection & Response

Integrations

Vulnerability Management

Networking & Connectivity

API

​About Google Workspace SAML Integration

​How It Works

​Setting Up the SAML Connection

​Configuring Iru Endpoint SAML Connection

​Allow for Tenant Authentication

​Enforcing Single Sign-On

​Testing the Integration

​Configuring Google Workspace Application

​Considerations

About Google Workspace SAML Integration

How It Works

Setting Up the SAML Connection

Configuring Iru Endpoint SAML Connection

Allow for Tenant Authentication

Enforcing Single Sign-On

Testing the Integration

Configuring Google Workspace Application

Considerations