Configuration of SAML 2.0 for Google Workspace

Hideez Identity Cloud - Configuration SAML 2.0 for Google Workspace

How to Configure SAML 2.0 for Google Workspace

Google Workspace SAML setup allows for secure, single sign-on (SSO) with two setup options:

  1. Root Organization SSO Profile: This option configures login via a single Service Provider (SP) for all users in Google Workspace. It uses one Identity Provider (IdP), in this case, Hideez Identity Cloud, to enable SSO access for all users within the Google Workspace domain.

  2. Multi-IdP SSO Profile: This option is suitable when you have multiple Identity Providers (in addition to Hideez Identity Cloud) or if you need to configure SSO authentication for specific Organizational Units (OUs) or individual user groups. This setup provides flexibility in access management across departments using different IdPs, making it ideal for organizations with specific authentication requirements. Additionally, this option can also be used if you only have one IdP.

Option 1: Root Organization SSO Profile

1. Log in to Hideez Cloud:

2. Create SAML App Integration:

  • In the left sidebar, go to Integrations -> SAML.

  • Click on Create App Integration.

  • In the setup form:

    • Set Name: (e.g. Google (Root Organization SSO Profile))

    • Set Issuer / SP Entity ID: google.com/a/your-domain.com.

    • Set Assertion Consumer Service (ACS) URL: https://www.google.com/a/your-domain.com/acs.

To find your domain name, click on your profile icon in your Google account (e.g., hideez.com).

  • Click Create.

3. Configure SSO in Google Admin Console:

  • In Google Admin Console, go to Menu → Security → Authentication → SSO with third-party IdP.

  • Check Setup SSO with third-party identity provider.

  • Set the following values from Hideez Cloud:

    • Sign-in page URL

    • Sign-out page URL (optional)

    • Verification certificate (download from Hideez and upload here).

  • Check Use a domain-specific issuer and save.

Note: The Logout URL in Hideez Cloud and the Sign-out Page URL in Google Workspace serve different purposes. You have two options for configuration:

  1. Leave the field blank in Google Workspace: Upon logging out of Google Workspace, you will automatically be redirected to the initial email entry page.

  2. Specify a tenant's name in the field: Example: https://tenant_name.us.hideez.io (e.g., https://support-cloud.us.hideez.io). In this case, logging out of Google Workspace will redirect you to the Hideez Cloud End-User Dashboard.

Option 2: Multi-IdP SSO Profile

1. Create a User Group or Organizational Unit (OU):

Define a user group, OU, or select individual users to whom Google Workspace access via Hideez Cloud SAML SSO will apply:

  • Go to admin.google.com.

  • Navigate to MenuDirectory → select User, Group, or Organizational Unit (OU).

  • Choose an existing option or create a new group, user, or OU for SAML login via Hideez Cloud.

  • User: An individual Google Workspace account assigned to a specific person, capable of being grouped in OUs and Groups.

  • Organizational Unit (OU): A structured way to organize users by department or role, allowing administrators to apply distinct settings and policies (e.g., security and app access) to specific groups.

  • Group: A collection of users for communication (e.g., email lists) and shared resource access (e.g., Drive files). Groups support multiple users without a hierarchical structure.

Example: Applying SAML Login to a User Group

  • Navigate to MenuDirectoryGroup and create group.

  • Enter required group details:

    • Group name

    • Group email (existing or new email for the group)

  • Select Group labelsSecurity, and proceed to configure Access type (e.g., Public), then click Create Group.

2. Add Users to the Group for SAML Login Access

  • Select the newly created group and add users who will access Google services via SAML through Hideez Identity Cloud.

3. Access Google Admin Console for SAML Setup

  • In admin.google.com.

  • Navigate to MenuShow more→SecurityAuthenticationSSO with third-party IdP.

  • Under Third-party SSO profiles, click Add SAML profile.

  • Enter a profile name (e.g., "Hideez Cloud") and save.

4. Create SAML App Integration in Hideez Cloud

  • In Hideez Cloud, go to IntegrationsSAML.

  • Click on Create App Integration and enter:

    • Name: (e.g., Google Multi-IdP SSO Profile).

  • In Google Admin, open the SAML profile and copy the following details:

  • Issuer/SP Entity ID (e.g., https://accounts.google.com/samlrp/unique-id).

  • ACS URL (e.g., https://accounts.google.com/samlrp/unique-id/acs).

  • Click Create.

5. Complete the SAML Profile in Google Admin Console

  • In Google Admin, open the SAML profile and fill in IDP details from Hideez Cloud:

    • IDP entity ID

    • Sign-in page URL

    • Sign-out page URL (optional)

    • Verification certificate

Note: The Logout URL in Hideez Cloud and the Sign-out Page URL in Google Workspace serve different purposes. You have two options for configuration:

  1. Leave the field blank in Google Workspace: Upon logging out of Google Workspace, you will automatically be redirected to the initial email entry page.

  2. Specify a tenant's name in the field: Example: https://tenant_name.us.hideez.io (e.g., https://support-cloud.us.hideez.io). In this case, logging out of Google Workspace will redirect you to the Hideez Cloud End-User Dashboard.

  • Click Save.

6. Assign SSO Profiles for Group

  • Go to Manage SSO profile assignments in Google Admin Console.

  • Assign the new SSO profile to specific OUs or groups as needed.

  • Click Save.

Ensure the profile created in Step 3 has a status of "Complete"; otherwise, it will not appear in the Another SSO profile selection.

Logging into Google Services via Hideez Identity Cloud Users can log in to Google services (e.g., Drive, Gmail) through Hideez Identity Cloud, with options such as:

  • Passwordless login with Passkey or Hideez Authenticator App.

  • Standard login with a second authentication factor (TOTP).

SP-Initiated SSO Links for Google Services These URLs allow direct access to services through SSO:

  • Mail: https://www.google.com/a/your-domain.com/ServiceLogin?continue=https://mail.google.com

  • Drive: https://www.google.com/a/your-domain.com/ServiceLogin?continue=https://drive.google.com

  • Calendar: https://www.google.com/a/your-domain.com/ServiceLogin?continue=https://calendar.google.com

  • Replace your-domain.com with your actual domain.

Summary for Option 2: Multi-IdP SSO Profile

  • Create a user group and add members.

  • Set up a SAML profile in Google Admin and Hideez Cloud.

  • Assign the profile to the specific group.

  • Save all changes.

Disable Google Workspace Login via Hideez Cloud SAML

  • Root Organization SSO Profile: Uncheck Set up SSO with third-party identity provider in Google Admin Console and save.

  • Multi-IdP SSO Profile: Go to Manage SSO profile assignments → select None for SSO profile and save.

Last updated