Google Workspace IdP SSO setup instructions

SECURITY  Master role

Google Workspace is a comprehensive suite of tools and apps emphasizing identity and access management (IDP) capabilities for enhanced productivity and collaboration among teams. This article guides you through how to integrate KaseyaOne with Google Workspace IdP. After successful integration, users will be able to access KaseyaOne from the Google Workspace User Portal or from the KaseyaOne login page using Google Workspace credentials.

Supported features

  • IdP-initiated SSO

  • SP-initiated SSO

  • Just-in-time provisioning

Prerequisites

  • Master user account in KaseyaOne and Administrator account in Google Workspace

  • Users must have the same email address in KaseyaOne and Google Workspace

Before starting, it is recommended that you open two tabs in your browser — one for KaseyaOne and one for the Google Workspace Admin Portal.

  1. Open a browser and log in to KaseyaOne.

  2. In a separate browser tab, log in to the Google Workspace Admin Portal as a system administrator.

  3. Create the custom attribute field, companyIdentifier, as follows:

    NOTE  This companyIdentifier custom attribute is required to configure the KaseyaOne application in Google Workspace — Steps 4-9 in this procedure describe how to create and configure the KaseyaOne application in Google Workspace. You must also assign the companyIdentifier to each user who will use the KaseyaOne application in Google Workspace — refer to Step 10.

    1. Navigate to Directory > Users on the left navigation menu.

    2. Click More Options and select Manage custom attributes.

    3. Click Add Custom Attribute.

    4. On the Add custom fields form, do the following: 

      • Category. Enter KaseyaOne.

      • (Optional) Description. Enter Company Identifier for KaseyaOne.

      • Define the following under Custom fields:

        - Name: Enter companyIdentifier.
        - Info type: Select Text from the drop-down.
        - Visibility: Select Visible to user and admin from the drop-down.
        - No. of values: Select Single Value from the drop-down.

      • Click Add and the custom attribute, companyIdentifier, is created.

        NOTE  This companyIdentifier custom attribute is required to configure the KaseyaOne application in Google Workspace — the remaining steps in this procedure describe how to create and configure the KaseyaOne application in Google Workspace. You must also assign the KaseyaOne Company Identifier to each user who will use the KaseyaOne application in Google Workspace — refer to Step 10.

  4. Click Apps > Web and mobile apps on the left navigation menu.

  5. Click Add app and select Add custom SAML app.

  6. Enter the following App details and then click Continue:

    • App name. Enter KaseyaOne as the application name.

    • (Optional) Description. Enter a description for the application.

    • (Optional) App icon. Attach an app icon if required.

  7. Copy the Google Identifier details on the next screen as follows:

    1. Copy the SSO URL field value and do the following: 

      • Go to the KaseyaOne tab in your browser.

      • Navigate to the Admin Settings > Third-Party IdP view.

      • Paste the value into the Identity Provider Single Sign-On URL field.

    2. Copy the Entity ID field value and do the following: 

      • Go to the KaseyaOne tab in your browser.

      • Navigate to the Admin Settings > Third-Party IdP view.

      • Paste the value into the Identity Provider Issuer field.

    3. Download the certificate - click the drop-down arrow to download the certificate to your local drive.

    4. Click Continue.

  8. Enter the following Service Provider details:

    • ACS URL: Enter the URL: https://api-one.kaseya.com/api/v1/sso/saml-callback

    • Entity ID: Enter the URL: https://one.kaseya.com

    • Select the Signed response check box.

    • Select EMAIL in the Name ID format field.

    • Click Continue.

  9. Click Add Mapping and specify the following attribute mapping:

    • Attribute 1:
      Google Directory attribute: First name
      App attributes: firstname

    • Attribute 2:
      Google Directory attribute: Last name
      App attributes: lastname

    • Attribute 3:
      Google Directory attribute: Primary email
      App attributes: email

    • Attribute 4:
      Google Directory attribute: Primary email
      App attributes: username

    • Attribute 5:
      Google Directory attribute: companyIdentifier
      App attributes: companyIdentifier

    • (Optional) Attribute 6: Map Group membership. Groups must already be created in Google Workspace.
      Google groups: Admins (for example)
      App attribute: securityGroups

  10. Assign the KaseyaOne Company Identifier to each user who will use the KaseyaOne application in Google Workspace:

    1. Click Directory > Users on the left navigation menu and select a user record to open it.

    2. Select User Information.

    3. Scroll down to the KaseyaOne companyIdentifier field, enter the KaseyaOne Company Identifier and click Save.

      To obtain this identifier: 

      • Go to the KaseyaOne tab in your browser, navigate to the Admin Settings > Third-Party IdP view and copy the Company Identifier field value.

        Example 1: <8000000-00000-0000-00000000-00000000-0000-0000-0000-000000000000>

        Example 2: <Organization-8000000-00000-0000-00000000-00000000-0000-0000-0000-000000000000>

      • Go back to the Google Workspace tab in your browser and paste the value in the corresponding field.

    Repeat this step for all users.

  1. Go to the KaseyaOne tab in your browser.

  2. Navigate to the Admin Settings > Third-Party IdP view.

  3. In the Single Sign-On section, upload the Google Workspace IdP certificate that you downloaded in Step 1, #7c.

  4. Turn on the Enable Single Sign-On via SAML toggle to enable SSO integration.

  1. Go back to the Google Workspace tab in your browser.

  2. Click Apps > Web and mobile apps on the left navigation menu.

  3. Open the KaseyaOne SSO application and select User access.

  4. Under Service status, select the ON for everyone option and click Save.

  5. To assign a group, select the group under Groups in the side panel, select the Service status check box to turn on the service for the group and then click Save.

    NOTE   Users assigned must have the same email address in Google Workspace and KaseyaOne.

You can test your Google Workspace integration by logging in from either Google Workspace (IdP-initiated login) or the KaseyaOne login page (SP-initiated login).

  1. Log out of KaseyaOne.

  2. Go back to the Google Workspace tab in your browser.

  3. Open the KaseyaOne SSO application and click Test SAML Login in the side panel.

  4. Verify that you are redirected to and logged in to KaseyaOne.

  1. Log out of KaseyaOne.

  2. Log back in to KaseyaOne as follows: 

    • Enter the Username and Company Name for your account and click Next.

    • Click Log In with Single Sign-On.

  3. If already logged in to Google Workspace (if you have an active browser session), verify that you are redirected to and logged in to KaseyaOne.

  4. If not already logged in to Google Workspace:

    • You will be redirected to the Google Workspace login page — enter your credentials and complete the user login process.

    • Verify that you are redirected to and logged in to KaseyaOne.