Configure Google Workspace as a Third-Party IdP with SOTI Identity

Before you begin

Set up and verify a domain to use with this Google Workspace IdP connection. Read more at Add Domains.

About this task

If you already have a set of users with Google Workspace, you can configure SOTI Identity to delegate authentication and authorization to Google Workspace rather than recreate an existing set of users and structures.

Note: This procedure includes steps to perform in an external tool and is subject to change without notice.

Procedure

Download SOTI Identity metadata
  1. In the SOTI Identity Admin Console, open the main menu and select Directories/IDP.
  2. Select New Directory > IdP Connection to open the Create Connection dialog box.
  3. Select SAML Based IdP.
  4. Select Downloads in the upper right corner of the Configure IdP dialog box and download the Identity Metadata and Identity Certificate to your computer.
Configure Google Workspace as an IdP for SOTI Identity
  1. Open another browser tab and log into the Google Workspace Admin Console as an administrator.
  2. Create a custom attribute.
    Google Workspace does not automatically provide membership information in the SAML response. To add membership information to the SAML response, you need to create a custom attribute.
    1. In the Google Workspace Admin Console, open the main menu and choose Directory > Users.
    2. From the top menu, choose More > Manage custom attributes.
    3. Select Add custom attribute.
    4. Enter a category and, optionally, a description for the custom attribute.
    5. Fill in the custom fields as follows.
      Note: You cannot change these settings once you've saved your custom attribute.
      Name: UserGroups
      Info type: Text
      Visibility: Visible to user and admin
      Number of values: Multi-value
    6. Click Add to save the custom attribute.
  3. Optional: Assign values to the custom attribute.
    1. Still in the Google Workspace Admin Console, open the main menu and choose Directory > Users.
    2. Open the user details for a user and expand the User Information panel.
      Note: You cannot simultaneously update the custom attributes for multiple users.
    3. Scroll down until you see the custom attribute that you created in step 6 and select Edit.
    4. Update the value for the custom attribute.
    5. Click Save.
  4. Still in the Google Workspace Admin Console, in the main menu, select Apps > SAML Apps.
  5. Click the Add button in the bottom right and click Set up my own custom app.
  6. On the Google IdP Information screen, choose the option to download the IdP metadata. Click Next.
  7. Enter a name and description for the app. You can also upload a logo. Click Next.
  8. Fill in the Service Provider Details. You can find this information in the SOTI Identity metadata file you downloaded previously.
    ACS URL: Enter the value of the AssertionConsumerService Location attribute from the SOTI Identity metadata file.
    Entity ID: Enter the value of the EntityDescriptor entityID attribute from the SOTI Identity metadata file.
    Signed Response: Select the Signed Response check box. This setting ensures that the entire response is signed, not just the assertion.
  9. Set up attribute mappings for your IdP users and groups. Click Add new mapping and recreate the table below (SOTI Identity attribute, Google Workspace category, Google Workspace field).
    FirstName    Basic Information    First Name
    LastName     Basic Information    Last Name
    Email        Basic Information    Primary Email
    Groups       User member info     UserGroups
    Note: Groups is a custom attribute. Only set up this mapping if you created a custom attribute for group membership information.
  10. Click Finish then OK.
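The following script is an added example, not SOTI's or Google's code. It pulls the two Service Provider Details that step 8 asks for out of a SOTI Identity metadata file, and then inspects a SAML response for two things the procedure cares about: whether the Response element itself is signed (the Signed Response setting) rather than only the Assertion, and which attributes and values (including the multi-valued Groups attribute) it delivers. The hostnames and attribute values are constructed placeholders.

```python
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

def sp_details(metadata_xml: str) -> dict:
    """Entity ID and ACS URL to paste into Google's Service Provider Details."""
    root = ET.fromstring(metadata_xml)
    acs = root.find("md:SPSSODescriptor/md:AssertionConsumerService", NS)
    return {"entity_id": root.get("entityID"), "acs_url": acs.get("Location")}

def response_signature_scope(response_xml: str) -> dict:
    """Is the whole Response signed, or only the Assertion inside it?"""
    root = ET.fromstring(response_xml)
    return {
        "response_signed": root.find("ds:Signature", NS) is not None,
        "assertion_signed": root.find("saml:Assertion/ds:Signature", NS) is not None,
    }

def assertion_attributes(response_xml: str) -> dict:
    """Map each attribute Name to its list of values (Groups may hold several)."""
    root = ET.fromstring(response_xml)
    attrs = {}
    for a in root.findall("saml:Assertion/saml:AttributeStatement/saml:Attribute", NS):
        attrs[a.get("Name")] = [v.text for v in a.findall("saml:AttributeValue", NS)]
    return attrs

# Constructed sample inputs; example.invalid hosts are placeholders, not SOTI values.
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  entityID="https://identity.example.invalid/sp">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
      Location="https://identity.example.invalid/saml/acs" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Only the Assertion is signed here, i.e. what an unchecked Signed Response looks like.
SAML_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <saml:Assertion><ds:Signature/>
    <saml:AttributeStatement>
      <saml:Attribute Name="Email"><saml:AttributeValue>a.user@example.invalid</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="Groups"><saml:AttributeValue>Sales</saml:AttributeValue>
        <saml:AttributeValue>Field</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
```

Run `response_signature_scope` against a real response captured from the browser (for example via the developer tools, after base64-decoding the SAMLResponse form field) to confirm that Signed Response took effect; the sample above deliberately shows the assertion-only case.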
Import Google Workspace metadata into SOTI Identity
  1. Return to the SOTI Identity console and the Configure IdP dialog box.
  2. Give the Google Workspace connection a name.
  3. Beside IdP Metadata file, click Import and browse to the SAML metadata file you downloaded from Google Workspace previously.
    The file will populate the IdP Entity ID, SSO URL, and Certificates fields.
  4. Click Create to save the new Google Workspace IdP connection.
Add Google Workspace User Groups to SOTI Identity
Note: You can only add user groups and not individual users in SAML Based IdP connections.
  1. In the SOTI Identity Admin Console, open the main menu and select Users.
  2. Select New User Group in the upper right corner of the console.
  3. In the Add IDP User Group window, select External IDP Group.
  4. Type a name for the new IDP group.
  5. Optional: Make all users in the group SOTI Identity account administrators. Leave unselected if the users only need access to other SOTI ONE applications.
    Note: Account administrators can manage and modify all settings in your SOTI Identity console and account, so be careful who you make an account administrator.
  6. Select Add to add the IdP group to SOTI Identity.

Results

You've connected Google Workspace to SOTI Identity. Users in the groups you just added will receive an email notifying them that they've been enrolled in SOTI Identity. However, they won't have access to any applications until you assign one.

What to do next

Assign applications to Google Workspace user groups.