[ZTA] How to work with Google workspace SAML

This article explains how to integrate Google Workspace into the Safous ZTNA service as an external Identity Provider (IdP) for authentication.

Prerequisites

  • You have a Google Workspace account with admin privileges.


Get Identity Provider Data in Google Workspace

  1. Log in to your Google Workspace admin portal: https://admin.google.com/
  2. Go to Apps > Web and mobile apps.
  3. Click Add app and choose Add custom SAML app.
  4. Enter the App name (required). Optionally add a description and change the app icon. Then click Continue.
  5. Google Workspace now shows the IdP metadata it provides (Entity ID, SSO URL and certificate). Take note of these values; you will enter them in the Safous Admin Portal in the next section.

Configure Google Workspace as Identity Provider in Safous Admin Portal

  1. Go to Settings > ZTNA > Configurations > Identity Provider, then click the New IdP button.
  2. Fill in the name and make sure the IdP status is enabled (green).
  3. Select SAML as the identity provider type.
  4. Fill in the Entity Issuer field with a name of your choice and take note of it; you will enter it in Google Workspace later.
  5. Fill in the SSO Issuer field with the Entity ID you noted earlier from Google Workspace.
  6. Fill in the SSO Url field with the SSO URL you noted earlier from Google Workspace.
  7. Fill in the CA Trusted Certificate field with the certificate you noted earlier from Google Workspace.
  8. Fill in email as the value of the required Username Attribute field.
  9. Fill in email as the value of the required Email Attribute field.
  10. For the rest of the Safous ZTA SAML configuration, please refer to this article.
  11. Once you are done with the configuration, click Save.
  12. Once saved, copy the Redirect URI generated by Safous; you will enter it in Google Workspace as the ACS URL.
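The three values collected from Google Workspace in the first section land in steps 5, 6 and 7 above. As an added example (not part of this article and not Safous or Google code), the Python helper below reads the IdP metadata XML that Google Workspace provides at that step (assumed here to have been downloaded as a file), extracts the Entity ID and the SSO URL, keeps only the signing certificate and re-wraps it as PEM for the CA Trusted Certificate field, and rejects SP metadata or a truncated certificate paste. The sample metadata, its idpid and the certificate bytes are constructed placeholders.

```python
import base64
import textwrap
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed stand-in for the metadata Google Workspace shows in step 5 of the first section;
# the idpid and the certificate bytes are placeholders, not real values.
PLACEHOLDER_CERT = base64.b64encode(b"constructed placeholder, not an X.509 certificate " * 3).decode()
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://accounts.google.com/o/saml2?idpid=EXAMPLEID">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{PLACEHOLDER_CERT}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleSignOnService Binding="{REDIRECT}" Location="https://accounts.google.com/o/saml2/idp?idpid=EXAMPLEID"/>
    <md:SingleSignOnService Binding="{POST}" Location="https://accounts.google.com/o/saml2/idp?idpid=EXAMPLEID"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def to_pem(b64_cert: str) -> str:
    """Re-wrap a bare base64 certificate as PEM; a truncated or mangled paste fails the base64 check."""
    base64.b64decode(b64_cert, validate=True)  # raises ValueError (binascii.Error) on bad input
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(textwrap.wrap(b64_cert, 64)) + "\n-----END CERTIFICATE-----\n"


def extract_idp_settings(metadata_xml: str) -> dict:
    root = ET.fromstring(metadata_xml)
    idp = root.find("md:IDPSSODescriptor", NS)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor" or idp is None:
        raise ValueError("not IdP metadata: expected EntityDescriptor containing IDPSSODescriptor")
    # Only a key marked for signing (or with no use restriction) may verify assertion signatures.
    certs = [c.text.strip() for kd in idp.findall("md:KeyDescriptor", NS) if kd.get("use") in (None, "signing")
             for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)]
    if len(certs) != 1:
        raise ValueError(f"expected exactly one signing certificate, found {len(certs)}")
    endpoints = {s.get("Binding"): s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)}
    sso_url = endpoints.get(REDIRECT) or endpoints.get(POST)  # prefer Redirect, fall back to POST
    if not sso_url or not sso_url.startswith("https://"):
        raise ValueError("no HTTPS SingleSignOnService endpoint in metadata")
    formats = [f.text.strip() for f in idp.findall("md:NameIDFormat", NS)]
    return {
        "sso_issuer": root.get("entityID"),           # Safous field: SSO Issuer
        "sso_url": sso_url,                           # Safous field: SSO Url
        "ca_trusted_certificate": to_pem(certs[0]),   # Safous field: CA Trusted Certificate
        "email_nameid_supported": any(f.endswith(":emailAddress") for f in formats),
    }
```

The email_nameid_supported flag confirms the IdP advertises the email Name ID format that the Google app is switched to in the last section, which is what the email Username and Email attribute mappings above rely on.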




Configure Safous as SAML App in Google Workspace

  1. Go back to Google Workspace and click Continue.
  2. Fill in the ACS URL field with the Redirect URI you copied from Safous.
  3. Fill in the Entity ID field with the Entity Issuer you noted earlier from Safous.
  4. Change the Name ID format to "EMAIL".
  5. Click Continue.
  6. Add a mapping under Attributes.
  7. For Google Directory attribute, choose "Primary email".
  8. For App attribute, type "email".
  9. Click FINISH.
  10. Once created, you are redirected to the page of the app you just created.
  11. Under User access, click "Expand user access".
  12. On the settings page for the app, select the option that turns access on for everyone, then click "SAVE" to apply your changes.
  13. If everything is configured correctly, you can open the user portal (https://login.<tenant>.ztna.safous.com), choose Log in with IdP, and continue with your integrated Google Workspace SAML IdP.