Google Workspace

Google Workspace is a suite of cloud collaboration tools. You can configure Google Workspace for single sign-on (SSO) with Entrust Identity as a Service (Entrust IDaaS).

note
  • A Google Admin account is required to complete this procedure.
  • This guide was tested with previous versions of Entrust IDaaS and Google Workspace. For newer versions, use this as a starting point and contact support@entrust.com if issues occur.

Export the SAML signing certificate

  1. Sign in to your Entrust IDaaS administrator account.
  2. Click > Security > Applications.
  3. Under SAML Cloud Integrations, click SAML Signing Certificates.
  4. Click next to the certificate to export.
  5. Choose one of the following, then click Export:
    • Certificate (self-signed)
    • Root CA Certificate (CA-issued)
    • Certificate Chain (certificate plus CA chain)

Copy the SAML configuration

  1. In Entrust IDaaS, click > Security > Applications.
  2. Under SAML Cloud Integrations, click SAML Configuration.
  3. Note the Entity ID, Single Sign-on URL, and Single Logout URL for use in later steps. Keep the dialog open or copy the values to a text file.

note
  • Depending on the integration, you may not need all three values.

Configure Google Workspace

  1. Go to https://admin.google.com and sign in to your Google Admin account.
  2. Navigate to Security.
  3. Click Set up single sign on (SSO), then select Setup SSO with third party identity provider.
  4. In Sign-in page URL, enter the Single Sign-on URL noted in Step 2 (Copy the SAML configuration).
  5. Ensure Use a domain specific issuer is not selected so the issuer remains google.com.
  6. For Verification certificate, click Replace certificate, then Choose File. Upload the certificate exported in Step 1 (Export the SAML signing certificate) and click Upload, then Save.
  7. Leave this page open—you will need it after adding Google Workspace in Entrust IDaaS.

Add Google Workspace to Entrust IDaaS

  1. In Entrust IDaaS, click > Security > Applications and click Add.
  2. Under SAML Cloud Integrations, select Google Workspace.
  3. Enter an Application Name and Application Description.
  4. Optional: Add a logo: click next to Application Logo, upload an image with , and click OK.
  5. Select the Authentication Flow and click Next to open General.
  6. If you have metadata, click to Upload Metadata XML, optionally select Merge with existing values, then click Save.
  7. If configuring manually, enter:
    • Default Assertion Consumer Service URL: enter https://www.google.com/a/<your_domain>/acs, replacing <your_domain> with your Google Workspace domain.
    • Service Provider Entity ID (Issuer): google.com.
    • Leave Single Logout Service URL blank.
  8. Optional: Enter SAML Username Parameter Name if Google Workspace expects a custom username field.
  9. Enter SAML Session Timeout (max 720 minutes) and Max Authentication Age (seconds) (use -1 to disable).
  10. From SAML Name ID Attribute, select the attribute containing the user portion of the Google Workspace username (for example, jdoe for jdoe@mail.com). Ensure it matches an existing Google Workspace user exactly.
  11. Set SAML NameID Encoding Format to UNSPECIFIED and choose the SAML Response Signature Algorithm required by Google Workspace.
  12. Select the SAML Signing Certificate and, if required, enable Sign complete SAML response.
  13. Optional: Enable Respond Immediately for Unsuccessful Responses to return to Google Workspace after a failed login.
  14. Deselect Enable Go Back Button if you do not want users to return to the Google Workspace login page.
  15. Select Show Default Assertion Consumer URL Service in the My Profile to display it in user profiles.
  16. Optional: Enable Encrypt SAML Assertion and choose encryption methods:
    • Encryption Method for Key: RSA Version 1.5 (default) or RSA-OAEP.
    • Encryption Method for Data: AES-256 (default), AES-128, AES-192, or Triple DES.
  17. Click Submit.

Finish in Google Workspace

Return to the Google Workspace Setup SSO page and confirm the URLs and certificate match the values from Entrust IDaaS. Save changes to complete SSO setup.
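
When a test sign-in fails, comparing a captured SAMLResponse against the values configured above usually locates the mismatch. The following check is an added example, not part of the Entrust or Google documentation; the function names, the example.com domain and the IdP Entity ID are constructed, and it assumes Encrypt SAML Assertion is disabled.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"a": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"

def check_response(b64_response, domain, idp_entity_id):
    """Return mismatches between a captured SAMLResponse and the values this
    guide configures. Diagnostic only: the signature is NOT validated."""
    root = ET.fromstring(base64.b64decode(b64_response))
    acs = f"https://www.google.com/a/{domain}/acs"
    problems = []

    def text(path):
        node = root.find(path, NS)
        return node.text.strip() if node is not None and node.text else None

    if root.get("Destination") != acs:
        problems.append(f"Destination is not {acs}")
    if text("a:Assertion/a:Issuer") != idp_entity_id:
        problems.append("Issuer differs from the IDaaS Entity ID")
    if text(".//a:AudienceRestriction/a:Audience") != "google.com":
        problems.append("Audience is not google.com")
    name_id = root.find("a:Assertion/a:Subject/a:NameID", NS)
    if name_id is None or not name_id.text:
        problems.append("NameID missing")
    else:
        if "@" in name_id.text:
            problems.append("NameID carries a domain; expected user portion only")
        # An absent Format attribute means unspecified in SAML 2.0.
        if name_id.get("Format", UNSPECIFIED) != UNSPECIFIED:
            problems.append("NameID Format is not UNSPECIFIED")
    if root.find(".//ds:Signature", NS) is None:
        problems.append("no ds:Signature element on response or assertion")
    return problems

def sample(name_id, audience="google.com"):
    # Constructed response for demonstration; not captured from a real tenant.
    xml = f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
 Destination="https://www.google.com/a/example.com/acs">
 <saml:Assertion><saml:Issuer>https://idp.example.test/saml</saml:Issuer>
 <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
 <saml:Subject><saml:NameID Format="{UNSPECIFIED}">{name_id}</saml:NameID></saml:Subject>
 <saml:Conditions><saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience>
 </saml:AudienceRestriction></saml:Conditions></saml:Assertion></samlp:Response>"""
    return base64.b64encode(xml.encode())
```

Pass the base64 value of the SAMLResponse form field posted to the ACS URL; an empty list means the fields agree with the configuration in this guide.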