
Google Workspace - SAML integration

This guide explains how to configure a SAML 2.0 integration between Google Workspace (acting as a SAML Service Provider) and TrustBuilder MFA (acting as the Identity Provider).

Prerequisites

  • Google Workspace admin access

  • TrustBuilder MFA admin access

Step 1: Configure TrustBuilder MFA as the Identity Provider (IdP)

  1. Login to your TrustBuilder admin console.

  2. Navigate to the Secure Sites tab.

  3. Under Connectors, click on Add Connector and select SAML 2.0.

  4. Name the connector and click Add to create it.

  5. Click on "Download the IdP SAML 2.0 certificate" to save the TrustBuilder certificate. You will need it later in the Google configuration.

  6. Keep this connector window open. You will need to copy/paste the Issuer URL, Single Sign On URL and Single Logout Service URL for later use.

Step 2: Configure Google Workspace as the Service Provider (SP)

  1. Login to your Google Workspace admin console.

  2. Navigate to Security > Authentication > SSO with third-party IdP > Add SAML Profile.

  3. In the IDP Details section, fill in the information from TrustBuilder connector:

    • IDP Entity ID: copy/paste the Issuer URL from TrustBuilder MFA (see Step 1.6)

    • Sign-in page URL: copy/paste the Single Sign On URL from TrustBuilder MFA (see Step 1.6)

    • Sign-out page URL: copy/paste the Single Logout Service URL from TrustBuilder MFA (see Step 1.6)

  4. Upload the TrustBuilder IdP certificate that you previously downloaded.

Step 3: Retrieve Google Workspace (SP) metadata

To allow Google Workspace and TrustBuilder to communicate, you must generate the SAML metadata for Google Workspace (the SP) and provide it to TrustBuilder (the IdP).

Google does not automatically provide a metadata XML file, so you must create one manually.

  1. From the Google Workspace admin console, copy the following details for later use:

    • Entity ID: https://accounts.google.com/samlrp/XXXXXXXXXXXX

    • ACS URL: https://accounts.google.com/samlrp/XXXXXXXXXXXX/acs

    • Generate a certificate and copy it.

  2. Download the SP metadata sample XML file and adapt it to your environment. → Download the SP metadata sample file.

  3. Modify the SP metadata sample XML file. Make sure to replace the placeholders with the appropriate Google Workspace values:

    • entityID: use Google Entity ID URL

    • Location (2 times): use Google ACS URL

    • X509Certificate: copy and paste the SP certificate from Google

  4. Save the changes.

XML
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://accounts.google.com/samlrp/XXXXXXXXXXXX">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>YOUR_GOOGLE_CERTIFICATE</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://accounts.google.com/samlrp/XXXXXXXXXXXX/acs"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://accounts.google.com/samlrp/XXXXXXXXXXXX/acs" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
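As an added example (not part of this guide and not TrustBuilder or Google code), the following Python script fills the three Step 3 placeholders into the same metadata structure shown above and then parses the result back so you can confirm the entityID, ACS URL and certificate before pasting the file into the connector. The Entity ID, ACS URL and certificate used here are constructed placeholders.

```python
import base64
import re
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
GOOGLE_PREFIX = "https://accounts.google.com/samlrp/"
# Constructed placeholder certificate, not a real Google value.
SAMPLE_CERT = "-----BEGIN CERTIFICATE-----\nMIICsampleCERTdataAAAAAAAAAAAAAA\n-----END CERTIFICATE-----"

def clean_certificate(pem_or_b64: str) -> str:
    """Strip PEM armor and whitespace; reject anything that is not valid base64."""
    body = "".join(re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", pem_or_b64).split())
    base64.b64decode(body, validate=True)  # binascii.Error is a ValueError subclass
    return body

def build_sp_metadata(entity_id: str, acs_url: str, certificate: str) -> str:
    """Fill the Step 3 placeholders: entityID, both Location attributes, X509Certificate."""
    if not entity_id.startswith(GOOGLE_PREFIX):
        raise ValueError("entityID is not a Google samlrp Entity ID")
    if acs_url != entity_id + "/acs":
        raise ValueError("ACS URL must be the Entity ID followed by /acs")
    cert = clean_certificate(certificate)
    ET.register_namespace("md", MD_NS)
    ET.register_namespace("ds", DS_NS)
    root = ET.Element(f"{{{MD_NS}}}EntityDescriptor", entityID=entity_id)
    sp = ET.SubElement(root, f"{{{MD_NS}}}SPSSODescriptor", AuthnRequestsSigned="true",
                       WantAssertionsSigned="true",
                       protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol")
    kd = ET.SubElement(sp, f"{{{MD_NS}}}KeyDescriptor", use="signing")
    x509 = ET.SubElement(ET.SubElement(kd, f"{{{DS_NS}}}KeyInfo"), f"{{{DS_NS}}}X509Data")
    ET.SubElement(x509, f"{{{DS_NS}}}X509Certificate").text = cert
    # The guide puts the ACS URL in both Location attributes.
    ET.SubElement(sp, f"{{{MD_NS}}}SingleLogoutService", Binding=POST, Location=acs_url)
    ET.SubElement(sp, f"{{{MD_NS}}}AssertionConsumerService", Binding=POST,
                  Location=acs_url, index="0")
    return ET.tostring(root, encoding="unicode")

def check_sp_metadata(xml_text: str) -> dict:
    """Parse the file back and return the values TrustBuilder will rely on."""
    ns = {"md": MD_NS, "ds": DS_NS}
    root = ET.fromstring(xml_text)
    sp = root.find("md:SPSSODescriptor", ns)
    cert = sp.find("md:KeyDescriptor/ds:KeyInfo/ds:X509Data/ds:X509Certificate", ns)
    return {"entity_id": root.get("entityID"),
            "acs_url": sp.find("md:AssertionConsumerService", ns).get("Location"),
            "want_signed": sp.get("WantAssertionsSigned") == "true",
            "cert": cert.text}
```

Feed it the real Entity ID, ACS URL and the certificate generated in the Google admin console; a PEM-armored certificate is accepted and stripped to the bare base64 the XML expects.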

Step 5: Finalize TrustBuilder configuration

  1. From the TrustBuilder admin console, open the previously created SAML 2.0 connector.

  2. Paste the Google Workspace metadata into the required field and Update the connector.

  3. Configure the SAML attributes as follows:

    • NameID Format: Email address

    • NameID Value: User email

    • SAML Attributes:

      • Attribute Key: mail

      • Attribute Value: User email

  4. Update and save the connector.

Step 6: Assign TrustBuilder MFA to a user group or organization in Google Workspace

  1. From the Google Workspace admin console, navigate to SSO with third-party IdP > Manage SSO Profile > Manage.

  2. Select the user group or organization you want to assign TrustBuilder MFA to.

  3. Assign the TrustBuilder SSO profile to the selected group and select the desired behavior.

Step 7: Test the Integration

  1. Create a user in the TrustBuilder admin console with the same email as in Google Workspace.

  2. Go to a Google service like Gmail or Google Sign-in page.
    Make sure no Google account is currently logged in. We recommend not using an incognito window.

  3. Enter the user's email address and click on Next.

  4. You should be redirected to the TrustBuilder authentication page.

  5. Complete the authentication using TrustBuilder MFA.

  6. After successful authentication, the user will be logged in to their Google Workspace account.
