Google Workspace SAML

Learn how to configure a connection to Google Workspace via SAML.

Introduction

Each SSO Identity Provider requires specific information to create and configure a new connection. Often, the information required to create a connection will differ by Identity Provider.

To create a Google SAML connection, you’ll need:

  • the ACS URL (provided by Daito),

  • an SP Entity ID (provided by Daito),

  • Admin-level access to your Google Workspace subscription,

  • an IdP Metadata URL (can be found in your Google Workspace subscription settings).

Start by logging into Daito and selecting “Settings”, then “SAML SSO” from the left-hand navigation bar.

Select “Google Workspace” from the Identity Provider dropdown, enter a descriptive name for the connection, and then select the “Create Connection” button.

What Daito provides

Daito provides the ACS URL and the SP Entity ID. Both are readily available in your connection settings.

The ACS URL (Assertion Consumer Service URL) is the location an Identity Provider redirects its authentication response to. In Google’s case, it needs to be set by the organization when configuring your application in their Google admin dashboard.

The SP Entity ID (Service Provider Entity ID) is a URI used to identify the issuer of a SAML request, response, or assertion. In this case, the entity ID is used to communicate that Daito, more specifically, your Daito organization, will be the party performing SAML requests to the organization's Google instance.

Specifically, the ACS URL will need to be set as the “ACS URL” and the SP Entity ID will need to be set as the “Entity ID” in the “Service Provider Details” step of the Google SAML setup.

What you’ll need

To integrate, you’ll need the metadata XML file from Google.

Normally, this information will come from the organization's IT Management team when they set up your application’s SAML 2.0 configuration in their Google admin dashboard. But, should that not be the case during your setup, here’s how to obtain it.

Log in

Log in to the Google Admin dashboard, select “Apps” from the sidebar menu, and then select “Web and Mobile Apps” from the following list. If your application is already created, select it from the list of applications and move to Step 7. If you haven’t created a SAML application, select “Add App” and then “Add custom SAML app”.

Enter Your App’s Information

Give the app a descriptive name and upload an icon, if applicable. Click “Continue”.

Obtain Identity Provider Details

Select the “Download Metadata” button to download the metadata file. Save this file, as you’ll upload it to Daito in Step 7. Click “Continue”.

Enter Service Provider Details

Copy the “ACS URL” from your Daito settings and paste it into the “ACS URL” field, then copy the “SP Entity ID” from your Daito settings and paste it into the “Entity ID” field in the Google SAML “Service provider details” modal. Select “Continue”.

Configure Attribute Mapping

This mapping connects field names in the Google Workspace directory to field names in Daito. If you configure it incorrectly, you'll receive errors about incorrect "claim mapping".

Make sure to map as follows:

  • Primary email -> email

  • First name -> first_name

  • Last name -> last_name

Configure User Access

In the created SAML app’s landing page, select the “User Access Section”.

Turn this service ON for the correct organizational units in your Google Directory setup. Save any changes.

Google may take up to 24 hours to propagate these changes. The connection to Daito will be inactive until then.

Upload Metadata File

If you haven’t already downloaded the metadata file, select your SAML application, and click “Download Metadata”. In the modal, again click “Download Metadata”.

In the connection settings in Daito, click “Idp Metadata XML File”.

In the modal, upload the Google Metadata file and save. Make sure to click "Create SAML SSO Configuration" to save your setup.

Enable your Google Workspace SAML configuration

Your SAML configuration(s) will be disabled by default and need to be explicitly enabled. Make sure to do this after finishing the configuration.

Log in to Daito via SAML SSO

With SAML SSO configured and enabled, perform the first login via SAML SSO. There are two options for this:

Go to https://app.daito.io/login and click on "Login with SSO", or

Go to https://<yourteamslug>.daito.io/sso and log in

Then choose your account, log in via your identity provider, and you are in.