
Setup Google Workspace SAML with Provisioning (Guide)

Purpose

Google Workspace (formerly G Suite) supports single sign-on through a SAML integration with Practice Protect. This gives users a seamless login to the Google apps (Gmail, Google Drive and so on) using IdP-initiated SAML, where the sign-in starts from the Practice Protect portal rather than from Google.

Practice Protect will configure this on your behalf. Please send us an email at support@practiceprotect.com

The app also supports provisioning. With provisioning enabled, Practice Protect manages user account creation and user information updates in Google Workspace, giving you a single, centralised place to manage your employees' access to Google apps.

Prerequisites

The following will be required to complete this process.

  • System Administrator access to Practice Protect Portal
  • Google Workspace business subscription (Starter, Standard or Plus)
  • An account with Super Admin rights on Google Workspace (a regular user account is not sufficient).
  • A domain registered and verified on Google Workspace.

Instructions

  1. Log in to Practice Protect using an Admin account. Once logged in, click Switch to Admin Portal. You will be routed to the admin portal page.
  2. On Core Services, click Roles > Add Role. Create a role, set the Name field to “Google Workspace Email Integration Users”, then Save.
  3. In the new role, click Members > Add. Add each member/user who will be part of the integration, then click Save.
  4. Next, add the Google Workspace SAML app: go to Apps > Add Web Apps.
  5. In the app catalog, search for “Google Workspace” and add the app Google Workspace (SAML + Provisioning). Click “Yes” to add the application, then Close.
  6. On Settings, enter the primary domain in the Your Primary Domain in Google Workspace field. Click Save.
  7. Go to Trust. On Identity Provider Configuration, select Manual Configuration. On Signing Certificate, click Download to save the certificate to your local drive. Copy the Sign-in page URL and Sign-out page URL and paste them into Notepad temporarily. You will use these three items (certificate, sign-in URL and sign-out URL) in the SSO configuration in Google Workspace later.
  8. Scroll down to Service Provider Configuration, select Manual Configuration, and on Recipient tick the box Same as ACS URL. Leave the other settings at their defaults, then click Save.
  9. Continue down to the SAML Response settings. Click Add Script to set custom claims, remove line 8 of the default script and replace it with the following two lines (they set the SAML RelayState so the user lands on the Google Workspace dashboard after sign-in), then Save.
    var Relay = 'https://workspace.google.com/dashboard';
    setRelayState(Relay);
  10. In a separate browser tab, log in to the Google Admin console. In the left navigation menu, go to Security > Authentication > SSO with third-party IdP.
  11. Click ADD SSO PROFILE under Third-party SSO profile for your organization.
  12. Copy the Sign-in page URL and Sign-out page URL from Step 7 and paste them into the corresponding required fields. For the Verification certificate, upload the certificate downloaded in Step 7.
    In the Change password URL field, paste the Practice Protect tenant URL (for example https://yourtenantdomain.id.cyberark.cloud/). Leave the other settings at their defaults, then click Save. Note: make sure that Set up SSO with third-party identity provider is still switched off at this point. Once it is enabled, users are redirected to Practice Protect immediately when they access their Google Workspace apps, so it should only be enabled after provisioning is complete (see Enable Google Workspace Email Integration below).
  13. (Optional) Because this is an organisation-wide change, a group of users can be excluded from SSO by following this guide.

Enable and Setup Provisioning

    1. Return to Google Admin and go to API Controls > MANAGE THIRD-PARTY APP ACCESS.
    2. Click Configure new App.
    3. Enter the CyberArk OAuth client ID below in the search field and click Search.

      736006718218-v15dghc4juspi26qv6f4omas8drqgprj.apps.googleusercontent.com

    4. Select Cyberark Next-Gen Access from the results.
    5. For Scope, select All in domain.com (all users), where domain.com is your primary domain, and click Continue.
    6. Choose Trusted (so the app is allowed to call the Google APIs used for provisioning) and click Continue.
    7. On the configuration review page, click Finish.
    8. Return to the Practice Protect Admin Portal. Under Web Apps, find and click the Google Workspace app that was added in Step 5.
    9. In the app menu, select Provisioning and tick the box Enable provisioning for this application. This reveals the configuration settings that need to be set up.
    10. Make sure Live Mode is selected and click Authorize. You will be prompted to log in to Google Workspace; use the Super Admin account credentials.
    11. Click ALLOW to authorize Practice Protect Identity Service to provision users. You will be notified once authorization is successful.
      Note: if the remaining configuration settings do not load after a successful authorization, refresh the page on which the provisioning settings are open.
    12. Under Sync Options, tick the following boxes:
      – Sync (overwrite) users to target application when existing users are found with the same principal name.
      – Do not de-provision (deactivate or delete) users in target application when the users are removed from mapped role.
      – Deprovision (deactivate or delete) users in this application when they are disabled in the source directory.
      Set User Deprovisioning Options to Disable user. This suspends the Google account instead of deleting it, so the user's mailbox and data are kept and a mistaken change can be reversed.
    13. Scroll down to Role Mapping and click Add. A Role mapping pop-up appears.
      – Role: select the role created in Step 2 (i.e. Google Workspace Email Integration Users).
      – Destination Organizational Unit: select the OU in Google Workspace that corresponds to the role (e.g. /Administrator). Otherwise, select “/” to place users at the top level.
      – Destination Domain/Group: select the desired domain if you have more than one domain. Otherwise, leave it blank.

      The same mechanism maps a Google Workspace group: create an equivalent role in Practice Protect, assign the members, then map that role under Role Mapping in the provisioning settings.
    14. Click Done to apply, then click Save.

      NOTE:
      When you create a user in Practice Protect and assign that user to the mapped role (e.g. Google Workspace Email Integration Users), the user is provisioned (created) in the corresponding Destination Organizational Unit (OU) in Google Workspace at the next sync.
    15. Next, add a provisioning script.
      • On Provisioning, click Provisioning Script. In the script editor, remove the existing contents and replace them with the script below. It runs once per object being provisioned: the User branch maps the Practice Protect user onto the Google Workspace user, and the Group branch maps a role onto a Google group.

        // User objects: map the Practice Protect user onto a Google Workspace user.
        if (source.Classification == "User") {
            destination.DisplayName = source.DisplayName;
            destination.PrimaryEmail = source.Email;

            trace('DisplayName=' + destination.DisplayName);
            trace('PrimaryEmail=' + destination.PrimaryEmail);

            // Google requires both a first and a last name. Split the display
            // name on spaces; if it is a single word, use it for both fields.
            var nameTokens = source.DisplayName.split(" ");
            destination.FirstName = nameTokens[0];
            if (nameTokens.length == 1) {
                destination.LastName = nameTokens[0];
            }
            else {
                destination.LastName = nameTokens.slice(1, nameTokens.length).join(" ");
            }

            // Email aliases come from the Proxy_Addresses additional attribute
            // (created in Step 17). Join them into a comma-separated list.
            var proxyAddresses = source.Get("Proxy_Addresses");
            if (proxyAddresses !== null && proxyAddresses.Length > 0) {
                var addrString = "";
                for (var i = 0; i < proxyAddresses.Length; i++) {
                    if (addrString) {
                        addrString += "," + proxyAddresses[i];
                    } else {
                        addrString = proxyAddresses[i];
                    }
                }
                destination.Aliases = addrString;
            }
        }

        // Group objects: map description, email and name onto the Google group.
        if (source.Classification == "Group") {
            var propArr = getSourcePropertyByName("description");
            if (propArr && propArr.Length) {
                destination.Description = propArr[0];
            }
            destination.Email = source.Email;
            propArr = getSourcePropertyByName("name");
            if (propArr && propArr.Length) {
                destination.Name = propArr[0];
            }
        }
    16. Hit Save to apply.
    17. Go to Settings > Customization > Additional Attributes and click Add. On the Additional Attribute page, enter Proxy_Addresses in the Name field, select Text as the Type, and click Add. The provisioning script reads this attribute with source.Get("Proxy_Addresses"), so the name must match exactly.
    18. (Optional) Add email aliases/proxy addresses for users where needed. Go to Core Services > Users, click the desired user, open Additional Attributes and enter the aliases as the Proxy_Addresses value. Separate multiple aliases with a comma (,), e.g. alias1@emaildomain.com, alias2@emaildomain.com
    19. Click Save.
    20. Start a manual synchronization: go to Settings > Users > Outbound Provisioning. Under Provisioning Enabled Applications, select the app (e.g. Google Workspace) and press Start Sync.
    21. You can view the real-time status of the synchronization by clicking View Synchronization Job Status and Reports. Once the synchronization has completed successfully for all users, subsequent changes in Practice Protect are reflected in Google Workspace on the next sync.
    22. This completes the configuration setup of Google Workspace with Provisioning for Practice Protect.
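As an added example (not code from Practice Protect or CyberArk), the stand-alone JavaScript below models the User branch of the provisioning script from Step 15 so that an administrator can preview what a Live Mode sync would write for each user before pressing Start Sync. The source field names (Classification, DisplayName, Email, Proxy_Addresses) and the comma-separated Proxy_Addresses format are taken from Steps 15 and 18; the validation checks, the primaryDomain parameter and the sample users are assumptions of this example, and it does not reproduce the CyberArk script runtime (source.Get, trace, getSourcePropertyByName).

```javascript
// Added example: local preview of the provisioning script's user mapping.
// Not Practice Protect or CyberArk code; it models the mapping rules from
// Step 15 and the Proxy_Addresses text format from Step 18 of this guide.
// Run with: node preview.js

// Mirror of the script's mapping: DisplayName -> FirstName/LastName,
// Email -> PrimaryEmail, Proxy_Addresses -> Aliases. Groups return null
// because they take the other branch of the script.
function mapUser(source) {
  if (source.Classification !== "User") {
    return null;
  }
  const destination = {};
  destination.DisplayName = source.DisplayName;
  destination.PrimaryEmail = source.Email;

  // Same split rule as the script: first token is the first name, the rest
  // is the last name; a single-token name is reused as the last name because
  // Google Workspace requires both fields.
  const nameTokens = source.DisplayName.trim().split(/\s+/);
  destination.FirstName = nameTokens[0];
  destination.LastName =
    nameTokens.length === 1 ? nameTokens[0] : nameTokens.slice(1).join(" ");

  // Step 18 stores Proxy_Addresses as text like "alias1@d, alias2@d" and the
  // script writes a comma-separated list, so normalise spacing and drop empties.
  const raw = source.Proxy_Addresses == null ? "" : String(source.Proxy_Addresses);
  const aliases = raw.split(",").map((a) => a.trim()).filter((a) => a.length > 0);
  destination.Aliases = aliases.join(",");
  return destination;
}

// Checks worth running before a live sync (this example's own, not the
// product's): returns a list of problems for one mapped user.
function validateUser(destination, primaryDomain) {
  const problems = [];
  const domainSuffix = "@" + primaryDomain.toLowerCase();
  const email = (destination.PrimaryEmail || "").toLowerCase();
  if (!email.endsWith(domainSuffix)) {
    problems.push("PrimaryEmail is not in the Google Workspace primary domain");
  }
  if (!destination.FirstName || !destination.LastName) {
    problems.push("FirstName and LastName must both be non-empty");
  }
  const aliases = destination.Aliases ? destination.Aliases.split(",") : [];
  for (const alias of aliases) {
    if (alias.toLowerCase() === email) {
      problems.push("alias duplicates the primary email: " + alias);
    }
    if (!alias.includes("@")) {
      problems.push("alias is not an email address: " + alias);
    }
  }
  return problems;
}

// Preview every object in a mapped role the way the sync would see it.
function previewSync(sources, primaryDomain) {
  return sources
    .map((s) => mapUser(s))
    .filter((d) => d !== null)
    .map((d) => ({ destination: d, problems: validateUser(d, primaryDomain) }));
}

// Constructed sample input (not real tenant data): a two-part name, a
// single-word name, a user outside the primary domain, and a group.
const sampleUsers = [
  { Classification: "User", DisplayName: "Jane Ann Doe", Email: "jane.doe@example.com",
    Proxy_Addresses: "jane@example.com, jdoe@example.com" },
  { Classification: "User", DisplayName: "Madonna", Email: "madonna@example.com" },
  { Classification: "User", DisplayName: "Bob Lee", Email: "bob@other.example",
    Proxy_Addresses: "bob@other.example" },
  { Classification: "Group", DisplayName: "Accounting", Email: "acct@example.com" },
];

for (const r of previewSync(sampleUsers, "example.com")) {
  console.log(r.destination.PrimaryEmail, r.problems.length ? r.problems : "ok");
}
```

Running it lists each user with "ok" or the problems found: a user whose primary email is outside the primary domain, or whose alias duplicates the primary address, is flagged here before the sync ever creates or overwrites anything in Google Workspace.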

Remove Google Workspace administrator privileges (Super Admin)

Accounts with Super Admin rights on Google Workspace always sign in directly with Google and are not subject to third-party SSO, so they will not be email integrated. To integrate such an account, remove its Super Admin privilege and make it a regular user; a lower-level admin role (for example User Management) can still be assigned to it afterwards.

Keep at least one Super Admin account in Google Workspace as a fallback, so that unwanted changes can be reverted and SSO can be switched off if Practice Protect is ever unreachable. This account should not be in the integration role, and it should be protected with 2-Step Verification.

  1. In the Google Admin console, go to the left navigation Menu > Directory > Users. You must be signed in as a Super Admin for this task.
  2. Select the name of the admin whose privilege you wish to revoke. This opens their account page.
  3. Click Admin roles and privileges.
  4. Select the desired role (e.g. Super Admin), then click the slider to revoke or remove the role.
  5. At the bottom section, click Save. You’ll get a pop-up confirmation message that the roles have been updated.

Enable Google Workspace Email Integration

  1. Return to the Google Admin SSO settings (the SSO profile created in Step 12) and enable SSO by ticking the box “Set up SSO with third-party identity provider”, then click Save to apply the change.
  2. Return to the Google Workspace tile in the Practice Protect Admin Portal and choose Permissions. Add the role that contains the users for email integration (i.e. Google Workspace Email Integration Users) and click Save. The app now appears on those users' portal and can be used once SSO is active.
  3. Test by signing in to any Google Workspace app (Gmail, Google Drive, etc.) directly in the browser or the mobile app. Enter the email/username and click Next; the page should redirect to Practice Protect for authentication.
Updated on August 29, 2024
