This article explains how to integrate Google Workspace into the Safous ZTNA service as the external Identity Provider (IdP) for authentication. Before following the steps in this article, make sure you:
- Know the basics of Safous ZTNA SAML configuration (see the Safous ZTNA SAML configuration article).
- Have a Google Workspace account with Admin privileges.
The steps must be applied on both ends (Google and Safous), so log in to both admin portals first and then proceed as follows:
1. Log in to your Google Workspace admin portal at https://admin.google.com/
2. Go to Apps > Web and mobile apps
3. Click Add app and choose Add custom SAML app
4. Enter the App name (required). Optionally add a description and change the app icon. Then click Continue
5. A page opens with the IdP metadata provided by Google Workspace (Entity ID, SSO URL and Certificate); keep it open, as the Safous steps below use these values
6. Log in to https://portal.safous.com
7. Go to the Settings tab > ZTNA
8. Under Configurations, choose Identity Provider
9. The list of integrated identity providers opens; by default it contains only local
10. Click New IDP to expand the IDP form
11. Enter the name and make sure the status is enabled (green)
12. Make sure SAML is selected as the identity provider type
13. In Entity Issuer, enter the name that will later be used in Google Workspace
14. In SSO Issuer, enter the Entity ID value from step 5
15. In SSO URL, enter the SSO URL value from step 5
16. In Username Attribute, enter email
17. In Email Attribute, enter email
18. In CA Trusted Certificate, enter the Certificate from step 5
19. For the rest of the Safous ZTNA SAML configuration, refer to the Safous ZTNA SAML configuration article
20. When you are done with the configuration, click "Save"
21. Once saved, expand the IdP to get the Redirect URI
22. Go back to Google Workspace and click Continue
23. Fill ACS URL with the Redirect URI value from step 21
24. Fill Entity ID with the Entity Issuer value from step 13
25. Change the Name ID Format to "EMAIL"
26. Click Continue
27. Add a mapping under Attributes
28. For Google Directory Attribute, choose "Primary email"
29. For App attribute, type "email"
30. Click FINISH
31. Once created, you are redirected to the page of the app you created; under User access, click "Expand user access"
32. On the app settings page that opens, choose ON for everyone and click "SAVE"
33. If everything is configured correctly, you can log in to the user portal https://users.<xxxx>.ztna.safous.com and select "With IdP", where your SAML configuration appears
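The values that steps 14, 15 and 18 ask for (SSO Issuer, SSO URL and the signing certificate) all come from the IdP metadata Google shows in step 5, which is also offered there as a downloadable XML file. As an added example that is not part of the original article and not Safous or Google tooling, the Python script below pulls those three values out of such a metadata file, rejects SP metadata or metadata with no usable SSO endpoint or certificate, and also reports whether the IdP advertises the emailAddress NameID format that step 25 relies on. The embedded metadata is a constructed sample: the idpid and the certificate body are placeholders, not real values; point `parse_idp_metadata` at the file you downloaded instead.

```python
"""Extract SSO Issuer, SSO URL and signing certificate from SAML IdP metadata.

Standard library only. The SAMPLE_METADATA document is constructed for this
example: the idpid and the X509Certificate body are placeholders.
"""
import base64
import binascii
import textwrap
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed sample in the shape of Google Workspace IdP metadata.
# PLACEHOLDER_IDPID and the certificate body are not real values.
SAMPLE_METADATA = """
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://accounts.google.com/o/saml2?idpid=PLACEHOLDER_IDPID">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>
            Tk9UIEEgUkVBTCBDRVJU
          </ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://accounts.google.com/o/saml2/idp?idpid=PLACEHOLDER_IDPID"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://accounts.google.com/o/saml2/idp?idpid=PLACEHOLDER_IDPID"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def parse_idp_metadata(xml_text: str) -> dict:
    """Return the Safous-relevant fields from an IdP EntityDescriptor."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("document is not a SAML EntityDescriptor")
    entity_id = root.get("entityID")
    if not entity_id:
        raise ValueError("EntityDescriptor has no entityID")

    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this looks like SP metadata, not IdP metadata")

    # Prefer the HTTP-Redirect endpoint; fall back to HTTP-POST.
    sso_url = None
    for binding in (HTTP_REDIRECT, HTTP_POST):
        for svc in idp.findall("md:SingleSignOnService", NS):
            if svc.get("Binding") == binding and svc.get("Location"):
                sso_url = svc.get("Location")
                break
        if sso_url:
            break
    if sso_url is None:
        raise ValueError("no SingleSignOnService with a Redirect or POST binding")

    # The signing certificate is what the SP uses to verify assertion signatures.
    cert_b64 = None
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use") in (None, "signing"):
            node = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
            if node is not None and node.text:
                cert_b64 = "".join(node.text.split())  # drop whitespace/newlines
                break
    if cert_b64 is None:
        raise ValueError("no signing X509Certificate in metadata")
    try:
        der = base64.b64decode(cert_b64, validate=True)
    except binascii.Error as exc:
        raise ValueError("X509Certificate is not valid base64") from exc

    pem = ("-----BEGIN CERTIFICATE-----\n"
           + "\n".join(textwrap.wrap(cert_b64, 64))
           + "\n-----END CERTIFICATE-----\n")
    formats = [n.text.strip() for n in idp.findall("md:NameIDFormat", NS) if n.text]
    return {
        "sso_issuer": entity_id,          # Safous "SSO Issuer" (Google "Entity ID")
        "sso_url": sso_url,               # Safous "SSO URL"
        "certificate_pem": pem,           # Safous "CA Trusted Certificate"
        "certificate_der_len": len(der),
        "supports_email_name_id": EMAIL_FORMAT in formats,
    }


if __name__ == "__main__":
    for key, value in parse_idp_metadata(SAMPLE_METADATA).items():
        print(f"{key}: {value}")
```

The script deliberately refuses metadata without an IDPSSODescriptor, which catches the common mistake of pasting the SP metadata generated for the app instead of Google's IdP metadata. A real certificate decodes to a DER structure several hundred bytes long; the placeholder here is only 15 bytes, so pass the downloaded file, not the sample, when filling in step 18.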