
Setup Google Workspace SAML with Provisioning (Guide)

Purpose

With Practice Protect as your identity provider, you can give users single sign-on (SSO) access to the Google Workspace web application with IdP-initiated SAML SSO (SSO through the Practice Protect user portal), SP-initiated SAML SSO (SSO directly through the Google Workspace web application), or both. Providing both methods gives you and your users maximum flexibility.

It also has an option to enable provisioning. With provisioning enabled, Practice Protect manages Google Workspace user accounts (account creation and user information updates), giving you central management of your employees' access to Google Workspace.

Prerequisites

The following will be required to complete this process.

  • System Administrator access to Practice Protect Portal
  • Google Workspace business subscription accounts (Starter, Standard or Plus)
  • Super Admin rights on Google Workspace (must not be a regular account).
  • A domain registered and verified on Google Workspace.

Instructions

  1. Open three separate browser tabs: one for the Practice Protect Admin Portal, one for the Google Admin console and one for the Google Developer Console. You will use them side by side during the setup.
  2. Log in to Practice Protect using an Admin Account. Once logged in, switch to the Admin Portal. You will be routed to the admin portal page.
  3. On Practice Protect Admin Portal, click on Roles > Click Add Role > On the Name field, enter the desired Role name. i.e. Google Workspace Users. Click Save.
  4. Click on Members > Click Add > search for the desired user to be added on this role (i.e. andy.dufresne@cbpaccountants.com) > Click Save.
  5. Next step is to add the Google Workspace SAML app. Proceed to Apps > Add Web Apps
  6. On Add Web Apps catalog, type Google Workspace on the search field and press enter > select Google Workspace (SAML + Provisioning) > then Click Add > Click Yes to Confirm > Click Close.
  7. Google Workspace is now added on the list of apps. On Settings, enter the Primary Domain in the Your Primary Domain in Google Workspace field. Click Save.
  8. Go to Trust > On Identity Provider Configuration, select Manual Configuration > On Signing Certificate, click Download to save the certificate to your local drive. Copy the Sign-in page URL and Sign-out page URL and paste them into a text editor temporarily. You will use these (certificate, sign-in URL and sign-out URL) in the SSO configuration in Google Workspace later. Note the certificate's expiry date: once it expires, Google will reject SAML responses signed with it, so plan its rotation.
  9. Scroll down and go to Service Provider Configuration > select Manual Configuration > On Recipient, tick the box Same as ACS URL. Leave the others as default then click Save.
  10. Scroll down to the SAML Response settings. In the Custom Logic, remove line 8, replace it with the following, and click Save.
    // Land the user on the Google Workspace dashboard after sign-in
    var Relay = 'https://workspace.google.com/dashboard';
    setRelayState(Relay);
  11. Click on Permissions > Click Add > On Select Role, search for the role created earlier (i.e. Google Workspace Users). Members of these roles will have access to the Google Workspace App. Click Add then, click Save.
  12. Once saved, the application status will change from Ready to deploy to Deployed.
  13. On a separate browser tab, login to Google Admin page. On the left navigation menu, go to Security > Authentication > SSO with third party IdP.
  14. On the SSO settings page, tick the box Setup SSO with third-party identity provider. In the Sign-in page URL and Sign-out page URL fields, paste the corresponding URLs copied in Step no. 8. On Verification certificate, upload the certificate downloaded in Step no. 8. In the Change password URL field, paste your Tenant URL (i.e. https://yourtenantdomain.id.cyberark.cloud/). Leave the other settings as default, then click Save.
    Note: if you do not want to redirect users to the Practice Protect login yet, switch off SSO with third party identity provider and switch it on when ready; the configuration is kept. Also note that Google never redirects super admin accounts to a third-party IdP: they always sign in with their Google password, so Practice Protect policies do not cover them and 2-Step Verification should be enforced on every super admin account.
  15. The next step is to enable provisioning for Google Workspace. With provisioning enabled, Practice Protect manages Google Workspace users, so users in Practice Protect are provisioned to Google Workspace automatically. Before configuring the Google Workspace application for provisioning, you must add, configure and deploy an app in the Google Developer Console.
  16. Login to Google Developer Console using the Super Admin Account.
  17. On Select a Project menu click on Create project

  18. Enter the name on the Project name field (i.e. PP Google Workspace SAML) and Click Create. The project dashboard opens automatically after you create it.
  19. You need to enable API access and create credentials for those APIs before you can use auto provisioning. From the Dashboard, click ENABLE APIS AND SERVICES.
  20. On the API Library, search for Admin SDK API and click ENABLE.
  21. On APIs & Services, click on OAuth consent screen. Do not select any User Type and click Create.
  22. After creating, fill in the following and click SAVE AND CONTINUE.
    – App Name: Practice Protect
    – User support email: super admin account email
    – Developer contact information: super admin account email
  23. Once done, proceed on Credentials > Create Credentials and choose OAuth client ID
  24. Choose Desktop app as the Application Type. Then enter the desired name of the OAuth client (i.e. PP Google Workspace Auth) and click Create. This creates a unique client ID and client secret for authorization; treat the client secret as a credential and do not paste it into tickets or chat.
    This completes the API enablement in Google Workspace. The next step is to configure auto provisioning in Practice Protect.
  25. Return to Practice Protect Admin Portal and on the Web Apps, find and click the app “Google Workspace” that was created on Step 6.
  26. Within the app menu, select Provisioning and tick the box "Enable provisioning for this application". This reveals the configuration settings that need to be set up.
  27. In order to proceed, make sure that Live Mode is selected and click Authorize. This will prompt you to login on Google Workspace. Use the Super Admin account credential.
  28. Click ALLOW to authorize Practice Protect Identity Service to provision users. It will notify you once authorization is successful. 
    Note: If the rest of configuration settings are still not loading even after a successful authorization, just refresh the page where provisioning settings is open. 
  29. On Sync Options, tick the following boxes and set the deprovisioning option:
    – Sync (overwrite) users to target application when existing users are found with the same principal name.
    – Do not de-provision (deactivate or delete) users in target application when the users are removed from mapped role.
    – Deprovision (deactivate or delete) users in this application when they are disabled in the source directory.
    – User Deprovisioning Options: Disable user.
    Below is how the Practice Protect Identity platform handles the situation when it determines that the user already has an account in the target application.

    • Sync (overwrite): Updates account information in the target application (this includes removing data if the target account has a value for a user attribute that is not available from the Practice Protect Identity Service). Check the first sync report for cleared attributes before relying on it.
    • Do not sync (no overwrite): Keeps the target user account as it is; Practice Protect Identity Service skips and does not update duplicate user accounts in the target application.
    • Do not de-provision (deactivate or delete): The user's account in the target application is not de-provisioned when a role membership change that would trigger a de-provisioning event occurs.
    • Deprovision users in this application when they are disabled in source directory: if checked, a user is deprovisioned when they are marked as disabled in the source directory. Deprovisioning behaviour and the available deprovisioning options depend on what the target application supports. Choosing Disable user rather than delete suspends the Google Workspace account, keeps its mail and Drive data and can be reversed; deleting is destructive.
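To make the effect of each Sync Option concrete, here is a small model of the decisions they control, run over constructed sample users. This is illustrative code added to this guide, not Practice Protect's sync engine; the option names, the user and account field names, and the sample people are assumptions.

```javascript
// Added example, not Practice Protect's sync engine: a model of the decisions
// the Sync Options control, so the effect of each box can be seen on sample
// data. Option names, field names and the users below are assumed.

const OPTIONS = {
  syncOverwrite: true,                   // "Sync (overwrite) users ... same principal name"
  deprovisionOnRoleRemoval: false,       // "Do not de-provision ... removed from mapped role" is ticked
  deprovisionWhenDisabledInSource: true, // "Deprovision ... disabled in the source directory"
  deprovisionAction: 'disable',          // User Deprovisioning Options: Disable user
};

// Constructed sample data: source = Practice Protect users, target = existing
// Google Workspace accounts keyed by primary email.
const SOURCE_USERS = [
  { principalName: 'andy.dufresne@cbpaccountants.com', inMappedRole: true,  disabled: false,
    attributes: { givenName: 'Andy',   familyName: 'Dufresne' } },  // not yet in Workspace
  { principalName: 'red@cbpaccountants.com',           inMappedRole: true,  disabled: false,
    attributes: { givenName: 'Ellis',  familyName: 'Redding' } },   // no phone in source
  { principalName: 'brooks@cbpaccountants.com',        inMappedRole: false, disabled: false,
    attributes: { givenName: 'Brooks', familyName: 'Hatlen' } },    // removed from the mapped role
  { principalName: 'tommy@cbpaccountants.com',         inMappedRole: true,  disabled: true,
    attributes: { givenName: 'Tommy',  familyName: 'Williams' } },  // disabled in source
];
const TARGET_ACCOUNTS = {
  'red@cbpaccountants.com':    { givenName: 'Red',    familyName: 'Redding', phone: '+61 2 5550 0100' },
  'brooks@cbpaccountants.com': { givenName: 'Brooks', familyName: 'Hatlen' },
  'tommy@cbpaccountants.com':  { givenName: 'Tommy',  familyName: 'Williams' },
};

// Returns one planned action per source user, in input order.
function planSync(sourceUsers, targetAccounts, options) {
  return sourceUsers.map((user) => {
    const existing = targetAccounts[user.principalName];
    const base = { principalName: user.principalName };

    // Disabled in the source directory takes precedence over everything else.
    if (user.disabled) {
      return existing && options.deprovisionWhenDisabledInSource
        ? { ...base, action: options.deprovisionAction, reason: 'disabled in source directory' }
        : { ...base, action: 'skip', reason: 'disabled in source; no account to touch or option off' };
    }

    // Left the mapped role: only touched if de-provisioning on role removal is on.
    if (!user.inMappedRole) {
      return existing && options.deprovisionOnRoleRemoval
        ? { ...base, action: options.deprovisionAction, reason: 'removed from mapped role' }
        : { ...base, action: 'keep', reason: 'removed from mapped role; "Do not de-provision" is set' };
    }

    if (!existing) {
      return { ...base, action: 'create', attributes: { ...user.attributes } };
    }

    if (!options.syncOverwrite) {
      return { ...base, action: 'skip', reason: 'account exists and "Do not sync (no overwrite)" is set' };
    }

    // Overwrite: the target ends up with exactly the source attribute set, so
    // an attribute present only in the target (phone above) is cleared.
    const cleared = Object.keys(existing).filter((k) => !(k in user.attributes));
    return { ...base, action: 'update', attributes: { ...user.attributes }, cleared };
  });
}

// Count actions so the plan can be reviewed before a sync is run.
function summarise(plan) {
  const counts = {};
  for (const step of plan) counts[step.action] = (counts[step.action] || 0) + 1;
  return counts;
}

const plan = planSync(SOURCE_USERS, TARGET_ACCOUNTS, OPTIONS);
console.log(summarise(plan)); // { create: 1, update: 1, keep: 1, disable: 1 }
for (const step of plan) console.log(step);
```

The point to take from the `cleared` field is that "Sync (overwrite)" is not additive: any attribute that exists only in Google Workspace is removed on the next sync, which is why the first run should be checked against the sync report.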
  30. Scroll down to Role Mapping  and click Add. New pop-up setting will show up (Role mapping).
    – Role field, select the role that was created from Step no. 3 (i.e Google Workspace Users).
    – Destination Organizational Unit field, select the OU that corresponds to the created Role in Google Workspace(i.e /Administrator). Otherwise select “/” for all.
    – Destination Domain/Group select the desired domain if you have more than 1 domain. Otherwise leave blank.

    You can map a Google Workspace group the same way: create an equivalent role in Practice Protect, assign the members, then map it under Role Mapping in the provisioning settings.
  31. Hit Done to apply.
  32. Repeat Step no. 30 for any other role you created (i.e. G Suite CBP Regular Users), selecting its corresponding OU in Google Workspace. Click Save. Once done, Role Mapping should look similar to the screenshot below.
    NOTE: When you create a user in Practice Protect and assign that user to a mapped role (i.e. G Suite Administrator), that user will be provisioned (created) in the corresponding Destination Organizational Unit (OU) in Google Workspace once synced.
  33. The next step is to create a script if users have more than one alias; otherwise skip this step and proceed to Step no. 35.
    • On Provisioning, click Provisioning Script and scroll down to line 30.
    • Uncomment lines 30 to 43 to enable the script: remove the /* characters on line 30 and the */ characters on line 43. Replace the attribute name ProxyAddresses with Proxy_Addresses so that it matches the Additional Attribute you create below.
    • Click Save to save the script.
    • The script should look like the screenshot below.
    • Go to Settings > Customization > Additional Attributes > Click Add. On Additional Attribute page Enter Proxy_Addresses on the Name field then select Text on the Type Click Add.
    • You are now ready to add the additional aliases for the users if necessary.
    • Go to Users > Click on the desired user > Additional Attributes > Add the additional alias on Proxy_Addresses value. Make sure to separate the aliases by a comma (,) i.e. mytest@cbpaccountants.com, mytest1@cbpaccountants.com
    • Click Save.
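Because the aliases are typed by hand into a comma-separated Proxy_Addresses value, the provisioning script has to cope with stray spaces, mixed case, double commas, duplicates and addresses on domains the tenant does not own. The following is an added example of that parsing step, written for this guide; it is not Practice Protect's provisioning script. The attribute name comes from the guide, while the user object shape, the verified-domain list and the sample values are assumptions.

```javascript
// Added example, not Practice Protect's provisioning script: turns the
// comma-separated Proxy_Addresses value into a clean alias list before it is
// handed to the Google Workspace sync. User shape and domains are assumed.

// Domains this tenant has verified in Google Workspace (assumed). An alias
// outside them is rejected rather than sent, so a typo cannot make the sync
// try to attach an address on a domain the tenant does not control.
const VERIFIED_DOMAINS = ['cbpaccountants.com'];

// Constructed sample user as the script might receive it. The value covers
// the cases the parser has to handle: the primary address repeated, mixed
// case and stray spaces, an empty item from a double comma, a duplicate,
// and an address on a foreign domain.
const SAMPLE_USER = {
  principalName: 'mytest@cbpaccountants.com',
  Proxy_Addresses: 'mytest@cbpaccountants.com, MyTest1@cbpaccountants.com ,,' +
                   'mytest1@cbpaccountants.com, bad@evil.example',
};

const ADDRESS_RE = /^[a-z0-9._%+-]+@[a-z0-9.-]+\.[a-z]{2,}$/;

// Returns { accepted, rejected }: accepted is the de-duplicated, lower-cased
// alias list to push; rejected is what was dropped, for the sync report.
function parseAliases(rawValue, primaryAddress, verifiedDomains) {
  const primary = primaryAddress.trim().toLowerCase();
  const allowed = new Set(verifiedDomains.map((d) => d.toLowerCase()));
  const seen = new Set();
  const accepted = [];
  const rejected = [];

  for (const piece of String(rawValue || '').split(',')) {
    const alias = piece.trim().toLowerCase();
    if (alias === '') continue;          // ",," or a trailing comma
    if (alias === primary) continue;     // the primary address is not an alias
    if (seen.has(alias)) continue;       // duplicate after normalisation
    seen.add(alias);
    const domain = alias.slice(alias.lastIndexOf('@') + 1);
    if (!ADDRESS_RE.test(alias) || !allowed.has(domain)) {
      rejected.push(alias);              // malformed or not on a verified domain
      continue;
    }
    accepted.push(alias);
  }
  return { accepted, rejected };
}

const result = parseAliases(SAMPLE_USER.Proxy_Addresses, SAMPLE_USER.principalName, VERIFIED_DOMAINS);
console.log(result); // { accepted: [ 'mytest1@cbpaccountants.com' ], rejected: [ 'bad@evil.example' ] }
```

Rejected values are returned rather than silently dropped so they can be surfaced in the synchronization report; an alias that disappears without trace is hard to troubleshoot after the fact.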
  34. Once provisioning script for additional Aliases is created, we need to schedule Synchronization.
  35. Go to Settings > Users > Outbound Provisioning > Tick the box beside Run synchronization daily for all enabled applications > On Sync Start Time (UTC / local time), select the desired time of synchronization. Click Save.
  36. This completes the setup of Google Workspace SAML with Provisioning in Practice Protect.
  37. You can run a manual synchronization. Go to Provisioning Enabled Applications, select Google Workspace, then click Start Sync.
  38. You can view the real-time status of the synchronization by clicking View Synchronization Job Status and Reports. Once the synchronization completes, any changes in Practice Protect will reflect in Google Workspace.
  39. Test by logging in to any Google Workspace app (Gmail, Drive, etc.) with a regular user account, not the super admin account, since super admins are never redirected to the IdP. Type the email address, then click Next. The page will redirect to the Practice Protect login, and you will use your Practice Protect credentials to sign in to your Google Workspace apps.
Updated on November 22, 2022
