Skip to main content

Tutorial: How to Configure SAML with Google Workspace for VPN Authentication

Abstract

Step-by-step guide for configuring SAML on Google Workspace VPN Access Server.

Overview

Access Server supports authentication using SAML with Google Workspace as the identity provider. You can configure this in Google Workspace with Access Server as your service provider.

The following steps walk you through enabling SAML authentication for users from Google Workspace to Access Server.

Prerequisites

You need the following to get started:

Important

We recommend using all lowercase usernames when signing in with SAML.

Step 1: Create the Google Workspace SAML application

With Google Workspace, you must create a SAML integration application.

Now that you have your SP information, you can create a new Google Workspace app and enter that information during app creation:

  1. Sign in to your Google Workspace Admin Console.

  2. From the hamburger menu, click Apps > Web and mobile apps.

  3. Click Add app > Add custom SAML app.

  4. Enter the app’s name, description, and icon, then click Continue.

  5. Click DOWNLOAD METADATA under Option 1: Download IdP metadata.

  6. Save the XML file to use in step 2 below and click Continue.

  7. Use the SP information from Access Server to enter the following into the Google app:

    • ACS URL: Enter the Access Server SP ACS.

    • Entity ID: Enter the Access Server SP Identity.

    • Start URL: Enter ‘cws’ for the Client Web UI or ‘profile’ to provide users with a downloadable profile. (See "How to set up IdP-initiated flow" below for more details.)

    • Click Continue.

  8. Configure attribute mapping (such as “Primary email” = “email”) on the next screen and click Finish.

Step 2: Upload metadata XML file to Access Server

The simplest way to set up Google Workspace SAML for Access Server is to provide the metadata to Access Server. You can do this with the downloaded metadata XML file from when you created your app.

Provide the file to your Access Server through the Admin Web UI:

  1. Sign in to the Admin Web UI.

  2. Click Authentication.

  3. Click the SAML tab.

  4. Set Enable SAML authentication to Enabled.

  5. Under Configure Identity Provider (IdP), click Configure using metadata URL/file.

    • The Configure using metadata modal displays.

  6. Click Click to upload to select your XML file or drag and drop it into the modal window.

    • The Identity Provider data populates the corresponding fields.

  7. Click Save and Restart.

Step 3: Assign SAML as user authentication

You can now enable SAML as the global default authentication or for specific groups and users.Tutorial: SAML user groups

Optional: How to set up IdP-initiated flow

You can configure an IdP-initiated flow for signing into Access Server from Google Workspace with the following steps:

  1. Sign in to the Google Workspace admin console.

  2. Click Apps > Web and mobile apps, and click on your custom SAML app.

  3. Click the arrow to expand Service provider details.

  4. Add one of the following to Start URL:

    1. cws: This directs your users to the Client Web UI after sign-in.

    2. profile: This directs your users to a profile download after sign-in.

  5. Click Save.

    • Users find the app available in their Google apps.

Optional: Map SAML group access control

You can automate group assignments for access control rules using a post-authentication Python script.

Refer to the steps in this tutorial:

In this section: