How to implement SAML based SSO using Google Workspace

This tutorial explains how to implement SAML-based SSO using Google Workspace.
It is an SSO setup using SAML authentication, with Google Workspace acting as the Identity Provider (IdP) and Kuroco as the Service Provider (SP).

Prerequisites

You need a Google Workspace account. The Google-side steps are performed in the Google Workspace admin page, so the account must have administrator privileges.

Add SP settings on the Kuroco management page.

First, add the SP settings on Kuroco's management page.

1. Access the SSO SAML SP setting page
Refer to SSO SAML SP edit to access the SAML SP edit page.

2. Add the SP setting
Enter the following on the SSO SAML SP edit page and click the [Add] button.

  • Login SAML SP Name: your preferred name.
  • Entity ID: your preferred ID. This value identifies Kuroco to Google; it is entered as the Entity ID of the custom SAML app and comes back as the Audience of the assertion, so the two must match exactly.
  • Enable: Leave it unchecked for now. It is enabled later, after the IdP metadata has been uploaded, so that the SP does not accept logins before it knows the IdP's signing certificate.
  • (For API) Generate grant token: Select and check the ones you need.
  • Automatically Register User: Check it, so that a Kuroco user is created on first successful SAML login.
  • Allow IDP Initiated Flow: Check it. This lets Google start the login without a prior request from Kuroco (for example from the Google app launcher). Such unsolicited responses carry no InResponseTo, so the SP cannot tie them to a request it issued; consider leaving it unchecked if you only need logins that start at Kuroco.

The created SP now appears on the SSO SAML SP list page.

3. Check the SP setting details
From the SSO SAML SP list page, click the [Login SAML SP Name] of the entry you have just added.

Check and copy [Login SAML SP ACS URI] and [Entity ID] on the edit page; both are required in the next step on the Google Workspace management page. The ACS URI is the endpoint Google will POST the SAML response to, so copy it exactly (scheme, host and path) rather than retyping it.

Google Workspace management page setting

Next is the SAML integration setting on the Google Workspace management page.

  • Make sure to log in with a Google Workspace admin account for the following procedures.
  • The screens may differ depending on Google's current specification.

1. Access the Apps settings page from Google Workspace admin page
Click [Apps] on the admin page.

2. Access SAML apps setting page
Click [SAML apps].

3. Add SAML apps
Click [Add App] -> [Add custom SAML app].

4. Create custom app
Enter the following and click [CONTINUE].

  • App name
  • App icon

5. Download IdP information
Click [DOWNLOAD METADATA] to download the IdP metadata. This XML file contains Google's IdP entity ID, its SSO endpoint and the X.509 certificate the SP will use to verify signed responses; keep it, as it is uploaded to Kuroco in a later step.

Click [CONTINUE] after the download is completed.

6. Input the SP information
Enter the following information:

  • ACS URL: Paste the "Login SAML SP ACS URI" you copied on the Kuroco management page at step 3.
  • Entity ID: Paste the "Entity ID" you copied on the Kuroco management page at step 3.
  • Start URL: the URL to land on after login, such as /sample.
  • Signed response: Check it. With this on, Google signs the whole SAML Response rather than only the Assertion, so the SP can verify that the response envelope has not been altered.
  • Name ID format: Select "EMAIL".
  • Name ID: Select "Basic Information > Primary Email". This is the identifier Kuroco receives for the user.

Click [CONTINUE] once completed.

7. Setup the mapping information
Click [ADD MAPPING].

Set up the following (Google directory attribute on the left, app attribute name on the right):

  • Basic Information / Last name: name1
  • Basic Information / First name: name2

Click [FINISH] once completed.

The custom SAML app has been created.

8. Change the user access to "ON"
User access is OFF by default, so change it to ON.
Click the arrow of [User access].

Select "ON for everyone" on the service status page and click [SAVE]. This lets every user in the Google Workspace domain sign in to Kuroco; if only part of the organization should have access, turn the service on for the relevant organizational units or groups instead.

Google Workspace setup has been completed.

Set up the IdP information on the SP edit page on the Kuroco management page.

On Kuroco's management page, access the SSO SAML SP edit page.

Upload the XML file of IdP information you downloaded in step [Google Workspace management page setting -> 5. Download IdP information] and check [Enable]. Uploading the metadata is what gives Kuroco Google's signing certificate; only after that should the SP be enabled.

Click [Update] after the setup is completed. The configuration is now complete.

How to use

Check the created SAML SP page.
Click the [Login SAML SP Name] of the SP configuration you created on the SSO SAML SP list page.

You will find the [Login SAML SP ACS URI].

Click the URL and you are taken to the Google login page.

You can use SAML login from here. If login fails, compare the values in the SAML response Google sends (Destination, Audience, Name ID format) with the ACS URI and Entity ID configured on the SP; a mismatch in any of them will cause the SP to reject the response.
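To confirm that what Google sends matches the SP settings made above (ACS URL, Entity ID, signed response, EMAIL Name ID, the name1/name2 attribute mapping and the IdP-initiated flow), the following Python script is an added example, not code from Kuroco or Google. It runs structural checks on a decoded SAML Response captured from the browser (for example with a SAML tracing extension or the developer tools). It does not verify the XML signature; that is done by the SP with the certificate from the uploaded metadata. The ACS URL, the SP Entity ID, the idpid and the response itself are constructed placeholders.

```python
"""Structural checks on a Google SAML Response against the SP settings (added example).
The XML signature is NOT verified here; the SP does that with the certificate from the
uploaded IdP metadata. These checks confirm the values Google sends match the SP config."""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Hypothetical SP-side values: replace with the Login SAML SP ACS URI and Entity ID
# from Kuroco's SP edit page and the entityID from Google's downloaded metadata.
SP_CONFIG = {
    "acs_url": "https://sp.example.com/saml/acs",
    "entity_id": "example-sp-entity-id",
    "idp_entity_id": "https://accounts.google.com/o/saml2?idpid=C00example",
    "allow_idp_initiated": True,  # mirrors "Allow IDP Initiated Flow"
}

# Constructed sample (already base64-decoded): IdP-initiated (no InResponseTo),
# with a placeholder Signature element rather than a real signature.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
  IssueInstant="2024-05-01T10:00:00Z" Destination="https://sp.example.com/saml/acs">
  <saml:Issuer>https://accounts.google.com/o/saml2?idpid=C00example</saml:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignatureValue>x</ds:SignatureValue></ds:Signature>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-05-01T10:00:00Z">
    <saml:Issuer>https://accounts.google.com/o/saml2?idpid=C00example</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData NotOnOrAfter="2024-05-01T10:05:00Z" Recipient="https://sp.example.com/saml/acs"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-05-01T09:55:00Z" NotOnOrAfter="2024-05-01T10:05:00Z">
      <saml:AudienceRestriction><saml:Audience>example-sp-entity-id</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="name1"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="name2"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def _ts(value):
    """Parse SAML UTC timestamps ('YYYY-MM-DDTHH:MM:SSZ'), ignoring fractional seconds."""
    return datetime.strptime(value.split(".")[0].rstrip("Z"), "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def check_saml_response(xml_text, cfg, now_utc):
    """Return a list of findings (empty = all checks passed) for validation time now_utc."""
    now, root, findings = _ts(now_utc), ET.fromstring(xml_text), []
    if root.tag != f"{{{NS['samlp']}}}Response":
        return ["not a samlp:Response"]
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        findings.append("status is not Success")
    if root.get("Destination") != cfg["acs_url"]:
        findings.append(f"Destination {root.get('Destination')!r} != ACS URL")
    if root.find("ds:Signature", NS) is None:  # 'Signed response' signs the Response itself
        findings.append("Response element is not signed (enable 'Signed response')")
    if root.get("InResponseTo") is None:  # unsolicited: nothing ties it to an SP request
        findings.append("note: IdP-initiated response, no InResponseTo" if cfg["allow_idp_initiated"]
                        else "unsolicited response but 'Allow IDP Initiated Flow' is off")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return findings + ["no plaintext Assertion (missing or encrypted)"]
    for issuer in (root.find("saml:Issuer", NS), assertion.find("saml:Issuer", NS)):
        if issuer is None or issuer.text != cfg["idp_entity_id"]:
            findings.append("Issuer != entityID of the uploaded IdP metadata")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != EMAIL_FORMAT:
        findings.append("NameID is not emailAddress format (select EMAIL in the Google app)")
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != cfg["acs_url"]:
        findings.append("SubjectConfirmationData Recipient != ACS URL")
    elif scd.get("NotOnOrAfter") and now >= _ts(scd.get("NotOnOrAfter")):
        findings.append("bearer confirmation expired")
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        findings.append("no Conditions element")
    else:
        nb, na = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if (nb and now < _ts(nb)) or (na and now >= _ts(na)):
            findings.append("assertion outside its validity window")
        audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if cfg["entity_id"] not in audiences:
            findings.append(f"Audience {audiences} does not include the SP Entity ID")
    attrs = {a.get("Name") for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)}
    for required in ("name1", "name2"):  # the app attribute names mapped in step 7
        if required not in attrs:
            findings.append(f"attribute {required} missing (check the Google attribute mapping)")
    return findings


if __name__ == "__main__":
    for line in check_saml_response(SAMPLE_RESPONSE, SP_CONFIG, "2024-05-01T10:01:00Z"):
        print(line)
```

On the sample the only finding is the note about the missing InResponseTo, which is exactly the trade-off of enabling "Allow IDP Initiated Flow": the response is otherwise well-formed, but nothing in it proves Kuroco asked for it. Running the same checks with a later validation time shows the bearer confirmation and the Conditions window expiring, which is why clock skew between the IdP and SP is a common cause of failed logins.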