Google Workspace SAML
Learn how to configure a connection to Google Workspace via SAML.
Introduction
Each SSO Identity Provider requires specific information to create and configure a new connection. Often, the information required to create a connection will differ by Identity Provider.
To create a Google SAML connection, you’ll need:
the ACS URL (provided by Daito),
an SP Entity ID (provided by Daito),
admin-level access to your Google Workspace subscription, and
the IdP metadata (obtained from your Google Workspace subscription settings, as described below).
Start by logging into Daito and selecting “Settings”, then “SAML SSO” from the left-hand navigation bar.
Select “Google Workspace” from the Identity Provider dropdown, enter a descriptive name for the connection, and then select the “Create Connection” button.
What Daito provides
Daito provides both the ACS URL and the SP Entity ID; they are readily available in your connection settings.
The ACS URL (Assertion Consumer Service URL) is the location to which the Identity Provider redirects its authentication response. In Google’s case, it must be set by the organization when configuring your application in their Google admin dashboard.
The SP Entity ID (Service Provider Entity ID) is a URI used to identify the issuer of a SAML request, response, or assertion. In this case, the entity ID tells Google that Daito, more specifically your Daito organization, is the party sending SAML requests to the organization's Google instance.
Specifically, the ACS URL will need to be set as the “ACS URL” and the SP Entity ID will need to be set as the “Entity ID” in the “Service Provider Details” step of the Google SAML setup.
What you’ll need
In order to integrate, you’ll need the metadata XML file from Google.
Normally, this file comes from the organization's IT management team when they set up your application’s SAML 2.0 configuration in their Google admin dashboard. Should that not be the case during your setup, here’s how to obtain it.
Log in
Log in to the Google Admin dashboard, select “Apps” from the sidebar menu, and then select “Web and Mobile Apps” from the following list. If your application is already created, select it from the list of applications and move to Step 7 (Upload Metadata File). If you haven’t created a SAML application, select “Add App” and then “Add custom SAML app”.
Enter Your App’s Information
Give the app a descriptive name and upload an icon, if applicable. Click “Continue”.
Obtain Identity Provider Details
Select the “Download Metadata” button to download the metadata file. Save this file, as you’ll upload it to Daito in Step 7 (Upload Metadata File). Click “Continue”.
Enter Service Provider Details
Copy the “ACS URL” from the Daito settings and paste it into the “ACS URL” field, then copy the “SP Entity ID” from your Daito settings and paste it into the “Entity ID” field of the Google SAML “Service provider details” modal. Select “Continue”.
Configure Attribute Mapping
This mapping connects attribute names in the Google Workspace directory to the field names Daito expects. If they are configured incorrectly, logins fail with errors about an incorrect "claim mapping".
Make sure to map as follows:
Primary email -> email
First name -> first_name
Last name -> last_name
Configure User Access
On the created SAML app’s landing page, select the “User Access” section.
Turn this service ON for the correct organizational units in your Google Directory setup. Save any changes.
Google may take up to 24 hours to propagate these changes. The connection to Daito will be inactive until then.
Upload Metadata File
If you haven’t already downloaded the metadata file, select your SAML application, and click “Download Metadata”. In the modal, again click “Download Metadata”.
In the connection settings in Daito, click “IdP Metadata XML File”.
In the modal, upload the Google Metadata file and save. Make sure to click "Create SAML SSO Configuration" to save your setup.
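The attribute mapping above and the metadata file uploaded in this step are the two places where a misconfiguration typically surfaces. As an added example (not Daito's or Google's own code), the following Python extracts the fields a service provider consumes from a Google IdP metadata file and reports which of the required attribute names an assertion lacks; the metadata, assertion, and idpid value are constructed placeholders.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
# Attribute names Daito expects; anything else yields a "claim mapping" error.
REQUIRED_ATTRS = {"email", "first_name", "last_name"}

# Constructed sample shaped like Google's "Download Metadata" file
# (idpid and certificate body are placeholders).
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://accounts.google.com/o/saml2?idpid=IDPID_PLACEHOLDER">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:X509Data><ds:X509Certificate>MIIC...placeholder...</ds:X509Certificate></ds:X509Data>
    </ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://accounts.google.com/o/saml2/idp?idpid=IDPID_PLACEHOLDER"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed assertion fragment with one mis-mapped attribute ("firstName").
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="email"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="firstName"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="last_name"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def parse_idp_metadata(xml_text):
    """Pull out the IdP entity ID, redirect SSO URL and signing-cert presence."""
    root = ET.fromstring(xml_text)
    sso = [s.get("Location") for s in root.findall("md:IDPSSODescriptor/md:SingleSignOnService", NS)
           if s.get("Binding") == REDIRECT]
    cert = root.find("md:IDPSSODescriptor/md:KeyDescriptor/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    return {"entity_id": root.get("entityID"),
            "sso_url": sso[0] if sso else None,
            "has_signing_cert": bool(cert is not None and (cert.text or "").strip())}

def missing_claims(assertion_xml):
    """Names from the required mapping that the assertion does not carry."""
    root = ET.fromstring(assertion_xml)
    present = {a.get("Name") for a in root.findall(".//saml:Attribute", NS)}
    return sorted(REQUIRED_ATTRS - present)

if __name__ == "__main__":
    print(parse_idp_metadata(SAMPLE_METADATA))
    print("missing:", missing_claims(SAMPLE_ASSERTION))  # missing: ['first_name']
```

A metadata file without a signing certificate or HTTP-Redirect SSO URL, or an assertion with any name in the "missing" list, points at the Google-side step that needs correcting.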
Enable your Google Workspace SAML configuration
Your SAML configuration(s) are disabled by default and must be explicitly enabled. Make sure to do this after finishing the configuration.
Login to Daito via SAML SSO
With SAML SSO configured and enabled, perform the first login via SAML SSO. There are two options for this:
Go to https://app.daito.io/login and click on "Login with SSO", or
Go to https://<yourteamslug>.daito.io/sso and log in.
Then choose your account, log in via your identity provider, and you are in.