- Getting Started
- Recommended Integration & Registration Flow
- Admin Console Overview
- User Onboarding and Management
- User Registration and Login
- Enterprise Applications
- Microsoft Integration
- Installing TraitWare PAM Module for SSH and SFTP
Google Workspace SAML Integration
Posted on April 9, 2024
Contents
- What you need from TraitWare
- Setting up TraitWare
- Adding SAML Application
- Turning on application access for a user
- Setting up your service
- Manage Users Assigned to TraitWare vs. Google Sign In
Getting Started
Both TraitWare and Google Workspace require certain information to be able to communicate securely with each other.
What You Need From G Suite
- At least a paid Basic plan ($6/user/month)
- Your Organization (the primary domain on your Google Workspace Account ex: business.com)
- A Super Admin Account that is separate from any of your user accounts. The Super Admin Account will not be protected by SSO per Google’s permanent settings.
What You Need From TraitWare
You will obtain the following when you create your TraitWare application.
- SAML Endpoint/Sign-in URL
- Public Verification Certificate
Setting Up TraitWare
In order for TraitWare to communicate with Google, an application will need to be created. Once you have access from TraitWare, navigate to https://admin.traitware.com and use your TraitWare app to sign in.
If you do not have access to login to https://admin.traitware.com, please setup a trial account, or contact us at support@traitware.com
Adding a SAML Application
Create Signing Key
Select Signing Keys. Then select Generate new Key Pair.
Input Display Name, in this case we used the application name, Google. Select the lifetime and click Generate Key.
Create Application
Select Applications in the menu on the left. Select Add Application to add a new application.
Select SAML as your Application Type.
Enter an Application Name that will make sense when you see it (ex: Google Workspace TraitWare). Choose Use a Template.
Select Google Workspace.
Enter your Google domain. In this example we used twmfa.net. Click Submit.
Click Applications. Select the newly-created Google Workspace application.
Click SAML Configuration.
Click Edit Signing Key.
Select the Google Signing Key created earlier.
Select the Provider Credentials tab. Click the Download PEM for the TraitWare IdP Public Certificate (PEM).
Note: if domain-specific issuer is not checked for SSO in Google Workspace, the user will not be able to log in with TraitWare.
Turning on Application Access for User
Select Users from the menu on the left. Select a user. Select the Applications tab.
Find the Google Workspace Application name under Applications, and select the application to enable access for that user.
Setting Up Google Workspace
Navigate to admin.google.com and sign in using the Super Admin account. On the home page, select the Security app.
Select SSO with third party IdP.
Navigate to the lower section Setup SSO with a third party identity provider, and fill in the information provided by TraitWare above.
For the Sign-in Page URL, navigate to the your Google Workspace application in the TraitWare console. Click the copy button next to the SAML Login Endpoint (Standard Option).
Check the Use a domain specific issuer box. When finished click Save.
- If you would like to limit the network which SSO is required, fill in the Network masks, otherwise, all networks will be required to use SSO.
- Select SAVE once you have completed the above
Manage Users Assigned to TraitWare vs. Google Sign In
Google Workspace allows the administrator to assign 3rd Party IdP access to organizational units or selected groups within a Workspace domain. This is useful when there is a desire to allow existing username and password access for some users within the domain and also requiring TraitWare for others. An example would be some schools would require stricter access standards for faculty than students despite both being under the same domain.
Navigate to Security > SSO with third party IdP.Scroll down to Manage SSO profile assignments and select Manage.
From here, you can select groups or organizational units that can either sign in using the previously-configured TraitWare SSO profile under Organization’s third-party SSO profile or can use Google’s existing sign in by selecting None.
Additional Information
If you do not see an application in the dropdown list during the Application setup, you can fill in the fields with your generic information. If you have issues, please contact us at support@traitware.com, and we will work with you to see if the application can be added.