1. Home
  2. Applications
  3. Google G Suite
  4. Setup Google Workspace SAML with Provisioning (Guide)

Setup Google Workspace SAML with Provisioning (Guide)

Purpose

With Practice Protect as your identity service, you can choose single-sign-on (SSO) access to the Google Workspace web application with IdP-initiated SAML SSO (for SSO access through the Practice Protect user portal) or SP-initiated SAML SSO (for SSO access directly through the Google Workspace web application) or both. Providing both methods gives you and your users maximum flexibility.

It also has an option to enable provisioning. With provisioning enabled it allows Practice Protect to manage user (creating or deleting users) thus giving you central management of your employee’s access to Google Apps.

Prerequisites

The following will be required to complete this process.

  • System Administrator access to Practice Protect Admin Portal
  • Google Workspace account must be a business account
  • Service account with Global Admin role in Google Workspace (must not be a user account).**Global admins in Google Workspace will not be federated.
  • A domain registered and verified with Google Workspace.

Instructions

  1. Open 3 separate browsers and access the URL’s below. You will use the below URL’s side by side during the setup
  2. Login to Practice Protect using an Admin Account.
  3. Once logged in, Click on your name and select Switch to Admin Portal. You will be routed to the admin portal page.
  4. Login to Google Admin, using the Google Suite Admin Go to Users > Create an Organizational Unit if you don’t have one. Select the 3 horizontal dots beside the domain name then click on Add sub organization. Name the OU (Organizational Unit) as desired. If you have an existing OU you can use this later and skip this step and go to step 6.
  5. On Create new organization page, type the name of the OU then click on CREATE ORGANIZATION. On this example we have created 2 Organizational Unit (Administrator and CBP Regular Users).
  6. These OU will should be reflected (or equivalent) once we create the roles in Practice Protect. These OU and roles will be use later once we sync the Practice Protect users across Google Suite.
  7. On Google Admin > Go to Security > Settings
  8. Click on Set up single sign-on (SSO). Leave this page open and go back to the Practice Protect Admin Portal.
  9. On Practice Protect Admin Portal click on Roles > Click Add Role > On the Name field enter the Name of the Role i.e. G Suite Administrator. Click Save.
  10. Click on Members > Click Add > search for the desired user to be added on this role (i.e. andy.dufresne@cbpaccountants.com) > Click Save.
  11. Repeat step 9-10, to reflect the Organization Unit (OU) from Google Suite to Practice Protect (Role). Add the desired users on those roles. On this example we created 2 roles G Suite Administrator and G Suite CBP Regular Users as this reflects the equivalent OU in G Suite namely Administrator and CBP Regular Users **NOTE: User should only have 1 role as Google Suite only supports 1 Organizational Unit membership.
  12. Once the roles are created, you are now ready to add G Suite app in Practice Protect.
  13. Go to Apps > Add Web Apps
  14. On Add Web Apps page, type G Suite on the search field and click enter > select G Suite (SAML + Provisioning) > then Click Add > Click Yes to Confirm > Click Close
  15. G Suite is now added on the list of apps. On Settings enter the Primary Domain in the Your Primary Domain in G Suite field. Click Save.
  16. Go to Trust > On Identity Provider Configuration, select Manual Configuration > On Signing Certificate, Click Download to download the certificate to your local drive. Copy the Sign-in page URL and Sign-out page URL and paste it on notepad temporarily. You will use these (certificate, sign-in and sign-out URL) data on the SSO configuration in G Suite later.
  17. Scroll down and go to Service Provider Configuration > select Manual Configuration > On Recipient, tick the box Same as ACS URL. Leave the others as default then click Save.
  18. Click on User Access > Click Add > On Select Role, tick the box of the role created earlier (i.e. G Suite Administrator and G Suite CBP Regular Users). Members of these roles will have access to the G Suite App. Click Add then Click Save.
  19. Once saved, the status of the application will change from Ready to deploy to Deployed.
  20. Go back to Google Admin page (step no. 8). On Set up single sign-on (SSO), scroll down and tick the box Setup SSO with third party identity provider. On Sign-in page URL and Sign-out page URL field, paste the corresponding URL (step no. 16). On Verification certificate, upload the certificate that was downloaded (step no. 16). On Change password URL field, paste your Tenant URL (i.e. https://cbpaccountants.my.centrify.com). Leave the other settings as default then Click Save.
  21. The next step is to enable provisioning for G Suite. With provisioning enabled you allow Practice Protect to manage users (Add/Remove). This allows you to automatically provision G suite application for users in Practice Protect.
  22. Before configuring the G Suite application for provisioning, you must install, configure, and deploy the app (Google Developer Console).
  23. Login to Google Developer Console using G Suite Admin Account.
  24. On Select a Project menu click on Create project
  25. Enter the name on the Project name field (i.e. Practice Protect) and Click Create. The project dashboard opens automatically after you create it.
  26. You need to enable API access and create credentials to access those APIs before you can use provisioning.
  27. From your Dashboard click on ENABLE APIS AND SERVICES.
  28. On the API Library, search for Admin SDK and Click ENABLE.
  29. On APIs & Services, click on Credentials > Create credentials > Select OAuth client ID.
  30. On Create client ID page, select Other for Application type. Enter the Name (i.e. CBP Client ID) of the client ID then click Create.
  31. This creates a unique client ID and client secret key. Click OK when prompted.
  32. Go to OAuth consent screen On the Email address field enter the email address G Suite administrator account (i.e. Administrator@cbpaccountants.com). On Product name shown to users field, enter your desired name (i.e. CBP Accountants). Click Save.
  33. This completes the API enablement in G Suite. The next step is to enable provisioning in Practice Protect Admin portal.
  34. Go back to the browser that has Practice Protect Admin portal open (Step no. 18).
  35. Go to Apps > Click G Suite (SAML + Provisioning) app > Click on Provisioning > On Provisioning page, tick the box Enable provisioning for this application > select Live Mode > Click Authorize.
  36. You will be prompted to login. Use the Google Suite Admin account to login.
  37. Click ALLOW to authorize Practice Protect Identity Service to provision users.
  38. It will notify you once Authorization is successful. This window will close automatically once authorization is complete.
  39. Once provisioning is enabled, Account Mapping will no longer be available.
  40. On Sync Options, select Sync (overwrite) users to target application when existing users are found with the same principal name. Tick the box Do not de-provision (deactivate or delete) users in target application when the users are removed from mapped role. Leave Deprovision (deactivate or delete) users in this application when they are disabled in the source directory ticked. Below are the options on how you want Practice Protect Identity platform handles the situation when it determines that the user already has an account in the target application.
    • Sync (overwrite): Updates account information in the target application (this includes removing data if the target account has a value for a user attribute that is not available from the Practice Protect Identity Service).
    • Do not sync (no overwrite): Keeps the target user account as it is; Practice Protect Identity Service skips and does not update duplicate user accounts in the target application.
    • Do not de-provision (deactivate or delete): The user’s account in the target application is not de-provisioned when a role membership change that would trigger a de-provisioning event occurs.
    • Select Deprovision users in this application when they are disabled in source directory to enable the feature. If checked, a user will be deprovisioned when they are marked as disabled in the source directory. Deprovisioning behavior and available deprovisioning options depend on what the target application supports.
  41. Scroll down to Role Mappings > Click Add > You will be prompted for the Role mapping On Role field, enter the role you created from Step no. 9 (i.e G Suite Administrator). On Destination Organizational Unit field, select the OU the corresponds to the created Role in G Suite (i.e /Administrator). On Destination Domain/Group select the desired domain if you have more than 1 domain. Click Done.
  42. Repeat Step no. 41 for the other role created from Step no. 9 (i.e. G Suite CBP Regular Users). Select its corresponding OU in G Suite. Click Save. Once done, Role Mapping should show similar to the screenshot below.**NOTE: When you create a user in Practice Protect then assign that user to the Role (i.e G Suite Administrator) that user will be provision (created) to its corresponding Destination Organizational Unit (OU) in G Suite once Synced.
  43. The next step below is to create a script if you have more than 1 alias, otherwise skip this step and proceed on Step no. 44.
    • On Provisioning, click Provisioning Script > scroll down until you reach line 30.
    • Uncomment the line 30 to line 43 to enable the script. To do this, remove the /* characters on line 30 and remove the characters */ on line 43. Replace ProxyAddresses (in Yellow) with Proxy_Addresses
    • Click Save to save the script.
    • The script should look like on the below screenshot.
    • Go to Settings > Customization > Additional Attributes > Click Add. On Additional Attribute page Enter Proxy_Addresses on the Name field then select Text on the Type Click Add.
    • You are now ready to add the additional aliases for the users if necessary.
    • Go to Users > Click on the desired user > Additional Attributes > Add the additional alias on Proxy_Addresses value. Make sure to separate the aliases by a comma (,) i.e. mytest@cbpaccountants.com, mytest1@cbpaccountants.com
    • Click Save.
  44. Once provisioning script for additional Aliases is created, we need to schedule Synchronization.
  45. Go to Settings > Users > Outbound Provisioning > Tick the box beside Run synchronization daily for all enabled applications > On Sync Start Time (UTC / local time), select the desired time of synchronization. Click Save.
  46. This completes the setup of G Suites SAML with Provisioning in Practice Protect.
  47. You can run a manual synchronization. Go to Provisioning Enabled Application –> Select Office 365, then Click on Start Sync.
  48. You can view the real time status of synchronization by clicking on View Syncrhonization Job Status and Reports. Once the Synchronization completes any changes in Practice Protect Online will reflect in G Suite.
  49. Test by logging in to any G suite apps (gmail, drive, etc.). Type the Email then Click Next. The page will redirect to Practice Protect login. You will have to use the practice protect credentials to login to your G Suite Apps.
Updated on June 4, 2021

Related Articles