Configuring Google Workspace

This section describes how to configure Google Workspace as a SAML (2.0) identity provider for Cloud App Security to use.

Before you begin configuring Google Workspace, make sure that:

  • You have a valid subscription with Google Workspace that handles the sign-in process and eventually provides the authentication credentials to the Cloud App Security management console.

  • You are logged on to the management console as a Cloud App Security global administrator. For details, see Administrator and Role.

Important:

The steps contained in these instructions were valid as of February 2023.

  1. Sign in to the Google Workspace Admin console with a Google Super Admin account.
  2. Create a SAML app for Cloud App Security.
    1. From the left navigation, go to Apps > Web and mobile apps.
    2. Click Add app > Add custom SAML app.
    3. On the App details screen, type an app name for Cloud App Security in App name, for example, Cloud App Security, and click CONTINUE.
    4. On the Google Identity Provider details screen, copy the value of idpid in the SSO URL, Entity ID, and Certificate under Option 2 to any text editor for later use, and click CONTINUE.

      For the idpid, for example, if the SSO URL is https://accounts.google.com/o/saml2/idp?idpid=C0385vj7y, the idpid is C0385vj7y.

      Note:

      The idpid is used for assembling the service URL later, while the Entity ID and Certificate are used when you configure single sign-on in the Cloud App Security management console.

    5. On the Service provider details screen, specify the following settings and click CONTINUE.

      Settings

      Description

      ACS URL

      The Assertion Consumer Service URL that Cloud App Security uses to receive the SAML response.

      Type the ACS URL {Cloud App Security_admin_site}/ssoLogin depending on your serving site. For example, if the URL of your Cloud App Security management console is "https://admin-eu.tmcas.trendmicro.com", the ACS URL is https://admin-eu.tmcas.trendmicro.com/ssoLogin.

      Entity ID

      The globally unique name that identifies Cloud App Security.

      Type the Cloud App Security logon URL of your serving site. For example, if the URL of your Cloud App Security management console is "https://admin-eu.tmcas.trendmicro.com", the entity ID is https://admin-eu.tmcas.trendmicro.com.

      Name ID

      • Name ID format: Select EMAIL.

      • Name ID: Select Basic Information > Primary email.
    6. On the Attribute Mapping screen, retain the default values and click FINISH.
  3. Enable the SAML app for all users.
    1. Go to Menu > Apps > Web and mobile apps, and click the SAML app you created.
    2. Copy the service provider ID for the SAML app in the address bar of your browser to any text editor.

      For example, if the URL in the address bar is https://admin.google.com/ac/apps/saml/123456789, the service provider ID is 123456789.

      Note:

      The service provider ID is used for assembling the service URL later.

    3. In the SAML app settings screen, click the User access section.
    4. In the Service status section, select ON for everyone and click SAVE.
  4. Assemble the service URL based on the format "https://accounts.google.com/o/saml2/initsso?idpid=example1&spid=example2&forceauthn=false".

    Replace the following variables in the URL:

    • example1: Replace it with the idpid recorded in step 2.d.

    • example2: Replace it with the service provider ID recorded in step 3.b.

    Note:

    The service URL is used when you configure single sign-on in the Cloud App Security management console.

  5. Complete Configuring Single Sign-On in the Cloud App Security management console.
  6. Verify that the SSO configuration works properly.
    1. In the Google Workspace Admin console, go to Menu > Apps > Web and mobile apps, and click the SAML app you created.
    2. Click TEST SAML LOGIN in the left area.

      You are directed to the Cloud App Security management console.

Parent topic: Single Sign-On