Google Workspace

Print Friendly, PDF & Email

The purpose of this document is to provide instructions on how to configure and manage Google Workspace to enable SAML integration.

  1. Adding a domain to Google Workspace
  2. Adding the SaaS application to Seqrite ZTNA
  3. Configuring domain federation for Google Workspace
  4. Removing an assignment from the SSO profile assignment list
  5. Selective Single Sign-On (SSO) Access to Specific Users Only

1. Adding a Domain to Google Workspace

To add the domain in Google Workspace, refer the following document.
Add a user alias domain or secondary domain – Google Workspace Admin Help

2. Adding the SaaS Application to Seqrite ZTNA

To add the SaaS application, follow these steps:

  1. Log into Seqrite ZTNA admin console.
  2. Navigate to the Applications section.
  3. Navigate to the SaaS Applications tab and click.
  4. To add Google Workspace application click Browse SaaS Application Catalog.
  5. Click Add + of Google Workspace application card.
  6. Enter the Application Name. Provide the Application Description and Logo, if any.
  7. Select the following checkboxes as appropriate to control access from managed laptops, desktops, or mobile devices.
    • Allow access from registered Seqrite ZTNA-compliant devices:
      Only users with registered Seqrite ZTNA-compliant devices (on which the Sqrite ZTNA agent is installed and active), including desktops and laptops, can access the applications.
    • Allow access from Seqrite Workspace:
      Mobile users are able to access applications only through the Workspace. To know more about accessing SaaS application through Seqrite Workspace, see Seqrite EMM Documentation.
      Note: iOS is not supported, iOS users can access applications outside the Workspace also.
  8. Click Add to add the application.
    Add Application
  9. Note

    • Utilizing Google Workspace as an identity provider prevents its utilization as a SaaS application.
    • In case of custom SSL certificate, add CNAME record of Site DNS and shpsso.yourdomain.com in your domain’s DNS records.

3. Configuring Domain Federation for Google Workspace

To configure domain federation for Google Workspace, follow these steps:

  1. After adding the application, click the Manage option from the popup menu to check the SAML settings.
    Add Application
    Add Application
  2. Log into Google Admin Console and navigate to Security → Authentication → SSO with third-party-IdP.
  3. In the Seqrite ZTNA Admin Console, copy the Login URL and Logout URL from the SAML settings and paste them into the Google Admin Console.
  4. Copy the certificate from the Seqrite ZTNA Admin Console and upload it to the Google Admin Console.
  5. Click Save.
  6. Google Admin Console

4. Selective Single Sign-On (SSO) Access Only for Specific Users

To implement selective Single Sign-On (SSO) access exclusively for designated users, navigate to your Google Workspace Admin Page and set up SSO profile assignments using the following steps:

  1. Log in to your Google Workspace Admin Page.
  2. Go to Security > Authentication > SSO with third-party IDP.
  3. Click Manage under SSO Profile Assignments.
  4. SSO to specific users

  5. On the left side, select the organizational unit or group you want to assign the SSO profile to.
  6. Choose the desired SSO profile assignment for the selected OU or group.
  7. SSO Step

  8. To exclude the OU or group from SSO, select None. This means users in the OU or group will sign in directly with Google.
  9. To assign another Identity Provider (IdP) to the OU or group, choose "Another SSO profile," then select the desired SSO profile from the dropdown list.
  10. Click Save to apply the changes.
  11. After closing the Manage SSO Profile Assignments card, you will see the updated assignments for OUs and groups in the Manage SSO Profile Assignments section.

5. Removing an Assignment from the SSO Profile Assignment List

To remove an assignment from the SSO profile assignment list follow these steps:

  1. Click the name of the group or organizational unit to open its profile assignment settings.
  2. Replace the existing assignment setting with the parent organization unit setting:
    • For organizational unit assignments, click Inherit.
    • For group assignments, click Unset.
    • For root-OU assignments, set the assignment to None (or Organization's third-party SSO profile) if you want to use the third-party SSO profile for your organization.
Was this page helpful?