New article
Recently updated
Setting up Google Workspace for SAML-based Single Sign-On (SSO)
Who is this article for?
Administrators responsible for managing organization security settings in Ideagen Hub.
Admin Console access is required.
You can set up Google Workspace as your corporate identity provider (IDP) in Ideagen Hub using SAML, which is the preferred protocol since Google Workspace has limited OIDC SSO support.
Create a new SAML app in the Google Workspace Admin console or update an existing app's service provider details to connect to Ideagen Hub.
This guide outlines how to configure a new SAML app in the Google Workspace Admin console and link it to Ideagen Hub.
1. Create SAML app in Google Workspace
To create a SAML app in Google Workspace:
Go to Google Workspace. Login to Admin console.
Navigate to Apps, Web and mobile apps.
Click Add app and Add custom SAML app.
Enter a meaningful App name and click Continue.
2. Download SAML metadata
You will need the SAML metadata from your Google Workspace SAML app to complete the configuration on Ideagen Hub.
To obtain the SAML metadata:
Click Download Metadata. Please keep the file in a secure place where you can easily access it, as you will need to upload it to Ideagen Hub later to finish setting up the SSO configuration.
3. Configure Ideagen Hub (Cognito) as the Service Provider
To populate the Entity ID and ACS URL for your identity provider, you will need to obtain the details from Ideagen Hub:
- Log in to Ideagen Hub.
- Go to Admin Console, Security Center, Authentication, External IDP Configuration.
- Click + Add Identity Provider.
-
Select SAML and click next. You will see the Identifier (Entity ID) and Reply URL (Assertion Consumer Service URL).
-
Copy these values into the corresponding fields in Google Workspace.
Note: Entity ID represents an organization or a single Hub subdomain.
- Then, in Google Workspace, click continue to proceed.
4. Configure the attribute mapping in Google Workspace
4.1 Email as the login identifier
If your organization uses Email as the login identifier, you will need to add the email attribute in Google Workspace and map the email attribute in Ideagen Hub.
To set up the email attribute:
- In Google Workspace, select “Primary email” under Google Directory attributes.
- Set the App attributes value to "email" or an equivalent value to represent the email address.
- At Ideagen Hub, SAML Configuration, map the user pool attribute email to the App attribute you specified in Google Workspace, in our example, being email.
4.2 Username as the login identifier
If your organisation uses Username for login, you must map the email and preferred_username attributes in Ideagen Hub.
To set up the email attribute, follow the steps in section 4.1.
To set up the preferred_username attribute:
- In Google Workspace SAML attribute mapping, click Add Mapping to add an attribute with a unique, unchanging value for each user, such as employee_id.
-
At Ideagen Hub, SAML Configuration, map the user pool attribute preferred_username to the App attribute you specified in Google Workspace, in our example, being employee_id.
5. Assign users and activate the Google Workspace app
When the SAML app is created in Google Workspace, it will be OFF for everyone by default. To assign a user and activate the app, perform the following steps:
- Click on the drop-down icon under User access.
- You can assign users by “Groups” or “Organization Units”. In the screenshot below, we assign an Organization Unit, turn the Service status to “ON”, and click “OVERRIDE” to save the changes.
Further reading
To use an external identity provider like Google Workspace, you will need to ensure the Hub user's authentication type is set to External.