Streamline Google Login with Single Sign-On (SSO)
Learning Objectives
After completing this unit, you’ll be able to:
- Explain the different single sign-on (SSO) options.
- Use Secure Lightweight Directory Access Protocol (LDAP) to integrate LDAP-compliant applications.
Say Hello to Single Sign-On
With SSO, users only have to sign in once to access all of their Google services, redirecting them to an identity provider instead of requiring separate login credentials for each app. The following video walks you through the essential concepts and how SSO is used with Google Workspace.
Set Up SSO with Google as an Identity Provider
You can set up SSO with Google as the identity provider (IdP) using Security Assertion Markup Language (SAML). This enables users to sign in to enterprise cloud applications offered by other parties with their managed Google account credentials. You can establish SSO for your cloud applications through:
- Configuring one of over 200 third-party preintegrated cloud applications as your service provider (SP)
or
- Setting up your own custom SAML app for cloud applications that aren't in the preintegrated apps list
Let’s set up and enable SSO with enterprise cloud services for your organization with Google as the IdP.
- Sign in to your domain as the administrator at admin.google.com. Before you look at the cloud applications that have already been configured to use Google as an IdP, let's take a look at the Security section.
- Click the Security icon.
- Scroll down and click the Set up single sign-on (SSO) for SAML applications section.
Note that there are two URLs: the SSO URL and an Entity ID URL. The SP requires these URLs, along with the Google certificate that is also shown on this page. The SP uses these Google URLs as a user authenticates to its service. The certificate is important, as it is used to establish trust between Google and the SP.
- Navigate to the Admin console's home page.
- Click the Apps icon.
- Then click the Web and mobile apps card.
- Click Add App | Search for apps.
From here you can locate a preintegrated app or you can set up your own custom app. The list of services shown represents the preintegrated cloud applications that have already been configured for SSO and just need some minor customization from you. When you click a service, you’re taken through a short setup wizard to activate SSO for that service within your organization. The setup wizards vary slightly from app to app, but as these are preintegrated apps, much of the information prepopulates for you.
- Search for and select the 15Five (Web/SAML) app from the search results. Walk through the 15Five wizard. Notice how the first page populates with the SSO URL and the Entity ID URL together with the Certificate file that you saw in step 3.
- Copy the URLs and download the certificate, as these must be added to the SP’s configuration later to complete the process. We won’t cover that here. You can review more about this step in Setting Up SSO.
- Download the IDP metadata file and open it in a text editor so you can see the certificate and URLs. The idpId value in the URLs is your unique Google Workspace account number.
- Click CONTINUE. There are three URLs at the top of the page. These are the SP URLs that are used by Google as part of the authentication process.
- Click the Learn more link. This takes you to detailed setup instructions for this particular service.
- Replace {yourdomain} with your Google Workspace domain name in each of the URLs.
- Then, click FINISH.
- Click CONTINUE, then click FINISH. This takes you to the 15Five service settings.
- Return to the web and mobile apps list and see 15Five in the list. It should be OFF for everyone.
- To complete the setup process, refer to the instructions specific to 15Five. These instructions can be found in the Learn more link and vary from app to app but are typically as follows:
- Set up the app as the SP—Sign in to the application console, upload the Google certificate, and complete the Entity ID and SSO URL values.
- Enable the app in the Google Workspace admin console.
- Verify SSO is working by logging in to the application. You should be redirected to the Google Workspace sign-in page. After your credentials are authenticated, you're redirected back to the application.
- Now repeat Step 5, but this time choose Add App | Add custom SAML app and complete the details to add a fictitious app to your account. Note how the information required is the same, but nothing is prepopulated for you.
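As an added example that is not part of the original unit, the following Python script parses a constructed IdP metadata file shaped like the one you download from the Google wizard above, extracts the Entity ID, the SSO URLs and the idpid, checks that every URL is HTTPS, and rebuilds the signing certificate as PEM for the SP's configuration. The idpid `C0example1` and the certificate body are placeholders, not real values.

```python
"""Parse a Google IdP SAML metadata download and pull out what the SP needs."""
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlparse

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample in the shape of Google's IdP metadata file; the idpid
# and the certificate body are placeholders, not real values.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://accounts.google.com/o/saml2?idpid=C0example1">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data><ds:X509Certificate>MIIBplaceholderCERT==</ds:X509Certificate></ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://accounts.google.com/o/saml2/idp?idpid=C0example1"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://accounts.google.com/o/saml2/idp?idpid=C0example1"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def parse_idp_metadata(xml_text):
    """Return the entity ID, SSO URL per binding, the idpid and the signing cert as PEM."""
    root = ET.fromstring(xml_text)
    entity_id = root.get("entityID")
    idp = root.find("md:IDPSSODescriptor", NS)
    sso = {}
    for svc in idp.findall("md:SingleSignOnService", NS):
        sso[svc.get("Binding").rsplit(":", 1)[-1]] = svc.get("Location")  # e.g. "HTTP-POST"
    # The SP sends users to these URLs, so refuse anything that is not HTTPS.
    for url in [entity_id, *sso.values()]:
        if urlparse(url).scheme != "https":
            raise ValueError("non-HTTPS URL in IdP metadata: " + url)
    # The idpid query value identifies your Google Workspace account; it must agree across URLs.
    idpids = {parse_qs(urlparse(u).query).get("idpid", [None])[0] for u in sso.values()}
    if len(idpids) != 1:
        raise ValueError("inconsistent idpid values across SSO URLs")
    # Only the certificate marked for signing establishes trust; rebuild PEM from its base64 body.
    cert = idp.find('md:KeyDescriptor[@use="signing"]/ds:KeyInfo/ds:X509Data/ds:X509Certificate', NS)
    body = "".join(cert.text.split())
    pem = "-----BEGIN CERTIFICATE-----\n" + "\n".join(
        body[i:i + 64] for i in range(0, len(body), 64)) + "\n-----END CERTIFICATE-----\n"
    return {"entity_id": entity_id, "sso": sso, "idpid": idpids.pop(), "certificate_pem": pem}
```

Run it against the real metadata file you downloaded to see the values you must paste into the SP's configuration.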
Provision Users
Some services support user provisioning, which allows the service provider to sync its user lists with your Google Workspace directory. Setup varies from service to service. You can find out more about user provisioning for each service in the Automated user provisioning article.
Set Up SSO with a Third-Party Identity Provider
Let's continue learning about SSO and setting it up for managed Google accounts using a third-party IdP.
The following steps describe how to set up SSO with a third-party provider. You can explore the Help Center resources to further understand how to set up SSO using a third-party IdP.
- Sign in to your domain as the administrator at admin.google.com.
- Navigate to Security | Authentication | SSO with third-party IDPs.
- Click ADD SAML PROFILE.
- Enter the following URLs for your third-party identity provider (IdP). All URLs entered must use HTTPS:
- Sign-in page URL: The page where users sign in to your system and to Google
- Sign-out page URL: The page where users are redirected to after signing out
- Create and upload the SAML key and verification certificate. The certificate file you upload must be an X.509 certificate with an embedded public key. The public key must exist so Google can verify sign-in requests by your users. Use OpenSSL to generate your certificate and keys.
- Add your Network masks. These determine which addresses are affected by single sign-on. If no masks are specified, SSO functionality is applied to the entire network. See Network Mapping results for more details.
- Change password URL. If you specify a Change password URL, it’s important to note that all users, other than super administrators, who try to change their password in your organization are directed to the URL you specify. This setting applies even if you don't enable SSO. Also, network masks don't apply.
- If you are using G Suite Password Sync (GSPS) to sync password data with Active Directory, you can use Google Sites to create an internal web page that instructs users to change their device password instead of their Google password, and enter the URL of that page into this field.
- Click SAVE.
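As an added example (not part of the original unit), this Python snippet encodes the rules just listed for a third-party IdP profile: HTTPS-only URLs, network masks deciding which client addresses are sent to SSO, and the change-password URL applying to everyone except super admins regardless of masks or whether SSO is enabled. The profile values are constructed placeholders.

```python
"""Sanity-check a third-party IdP SAML profile against the rules described above."""
import ipaddress
from urllib.parse import urlparse

# Constructed profile; the hostnames are placeholders for your own IdP and intranet.
PROFILE = {
    "sso_enabled": True,
    "sign_in_url": "https://idp.example.com/saml/sso",
    "sign_out_url": "https://idp.example.com/saml/logout",
    "change_password_url": "https://intranet.example.com/change-password",
    "network_masks": ["10.0.0.0/8", "203.0.113.0/24"],  # empty list == entire network
}


def validate_urls(profile):
    """Return the profile fields whose URL is not HTTPS (an empty list means all OK)."""
    bad = []
    for field in ("sign_in_url", "sign_out_url", "change_password_url"):
        url = profile.get(field)
        if url and urlparse(url).scheme != "https":
            bad.append(field)
    return bad


def sso_applies(profile, client_ip):
    """SSO redirects the client when SSO is enabled and either no masks are set
    or the client address falls inside one of the masks."""
    if not profile.get("sso_enabled"):
        return False
    masks = profile.get("network_masks") or []
    if not masks:
        return True
    addr = ipaddress.ip_address(client_ip)
    return any(addr in ipaddress.ip_network(m, strict=False) for m in masks)


def password_change_target(profile, is_super_admin):
    """A change-password URL captures everyone except super admins, regardless of
    network masks and even when SSO is not enabled."""
    url = profile.get("change_password_url")
    if url and not is_super_admin:
        return url
    return "google"  # Google's own change-password page
```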
Explore Secure Lightweight Directory Access Protocol (LDAP)
Secure LDAP is a service that enables the use of the Google directory as an LDAP server for authentication, authorization, and directory lookups. The following video explains how it works.
Add an LDAP Client to Google Workspace
Let’s create and configure an LDAP client in your admin console.
- Sign in to your domain as the administrator at admin.google.com.
- Click the Apps icon.
- Then click the LDAP card.
- Click ADD LDAP CLIENT.
- Enter an LDAP client name.
- You can add a description. You can also use the description to add contact details or to specify the owner of the application.
- Click CONTINUE.
- You must now configure the client’s permissions.
- Access level for verifying a user’s credentials. You can grant the client access to the entire domain or to one or more organizational units or groups to verify a user’s credentials. When organizational units or groups are used, only users in those organizational units or groups will be allowed to sign in to the application.
- Access level for reading user information. This setting specifies whether the client can access additional user information. This is useful where the client requests additional user details as part of the authentication process. You can choose to allow this for the entire domain or for one or more organizational units.
- Specify whether the LDAP client can read group information. This setting specifies whether the LDAP client can read group details and check a user’s group memberships for purposes such as a user’s role in the application.
- Set Verify user credentials to Entire domain.
- Set Read user information to Entire domain.
- Click ADD LDAP CLIENT. The service generates a certificate, which you upload to your LDAP client later. You can download the certificate now using the Download certificate link. You can also generate and download additional certificates at any time from the client’s details page.
- Click CONTINUE TO CLIENT DETAILS.
This completes the first part of the configuration. For details on how to complete the setup for your particular LDAP client, see the Connect LDAP Clients to the Secure LDAP service article. It contains generic setup instructions as well as specific instructions for popular applications. See Add and connect new LDAP clients for detailed instructions on how to connect your LDAP clients and applications to the Secure LDAP service.
In the next unit, you dive into application security.