
Tutorial: How to Configure SAML with Google Workspace for VPN Authentication

Abstract

Step-by-step guide for configuring SAML authentication on Access Server with Google Workspace as the identity provider.

Overview

Access Server 2.11 and newer supports authentication using SAML with Google Workspace as the identity provider. You can configure this in Google Workspace with Access Server as your service provider.

You need the following to get started:

Important

We recommend using all lowercase usernames when signing in with SAML.

With Google Workspace, you must create a SAML integration application.

Now that you have your SP information, you can create a new Google Workspace app and enter that information during app creation:

  1. Sign in to your Google Workspace Admin Console.

  2. From the hamburger menu, click Apps > Web and mobile apps.

  3. Click Add app > Add custom SAML app.

  4. Enter the app’s name, description, and icon, then click Continue.

  5. Click DOWNLOAD METADATA under Option 1: Download IdP metadata.

  6. Save the XML file to use in step 2 below and click Continue.

  7. Use the SP information from Access Server to enter the following into the Google app:

    • ACS URL: Enter the Access Server SP ACS.

    • Entity ID: Enter the Access Server SP Identity.

    • Start URL: Enter ‘cws’ for the Client Web UI or ‘profile’ to provide users with a downloadable profile. (See "How to set up IdP-initiated flow" below for more details.)

    • Click Continue.

  8. Configure attribute mapping (such as “Primary email” = “email”) on the next screen and click Finish.

The simplest way to set up Google Workspace SAML for Access Server is by providing metadata to Access Server. You can do this with the downloaded metadata XML file from creating your app.

Provide the file to your Access Server through the Admin Web UI:

  1. Sign in to your Access Server Admin Web UI.

  2. Click Authentication > SAML.

  3. Click Configure Identity Provider (IdP) Automatically via Metadata to expand the section.

  4. Click Choose File for Select IdP Metadata File.

  5. Select your Google IdP metadata XML file, click Upload, and click Update Running Server.

    • The IdP fields are now populated under Configure Identity Provider (IdP) Manually.

You need to grant access to your SAML app from the Google Workspace admin console:

  1. Sign in to the Google Workspace admin console.

  2. Click Apps > Web and mobile apps.

  3. Click your SAML app.

  4. Click User access.

  5. Select ON for everyone and click Save.

You can configure an IdP-initiated flow for signing into Access Server from Google Workspace with the following steps:

  1. Sign in to the Google Workspace admin console.

  2. Click Apps > Web and mobile apps, and click on your custom SAML app.

  3. Click the arrow to expand Service provider details.

  4. Add one of the following to Start URL:

    1. cws: This directs your users to the Client Web UI after sign-in.

    2. profile: This directs your users to a profile download after sign-in.

  5. Click Save.

    • Users find the app available in their Google apps.

If you prefer, you can manually enter the Google Workspace SAML data to configure Access Server by following these steps.

Step 1: Create the Google Workspace custom SAML app.

Now that you have your SP information, you can create a new Google Workspace app and enter that information during app creation:

  1. Sign in to your Google Workspace Admin Console.

  2. From the hamburger menu, click Apps > Web and mobile apps.

  3. Click Add app > Add custom SAML app.

  4. Enter the app’s name, description, and icon, then click Continue.

  5. Save the SSO URL, Entity ID, and Certificate information under Option 2: Copy the SSO URL, entity ID, and certificate.

  6. Click Continue.

  7. Use the SP information from Access Server to enter the following into the Google app:

    1. ACS URL: Enter the Access Server SP ACS.

    2. Entity ID: Enter the Access Server SP Identity.

    3. Start URL: Enter ‘cws’ for the Client Web UI or ‘profile’ to provide users with a downloadable profile. (See “How to set up IdP-initiated flow” for more details.)

    4. Click Continue.

  8. Configure attribute mapping (such as “Primary email” = “email”) on the next screen and click Finish.

Step 2: Manually enter the IdP data into Access Server’s SAML page.

  1. Sign in to your Access Server Admin Web UI.

  2. Click Authentication > SAML.

  3. Click Configure Identity Provider (IdP) Manually to expand the section.

  4. Enter the following from the Google Workspace SAML app:

    1. IdP EntityID: Paste the Google Workspace SAML app entity ID.

    2. Sign-on Endpoint: Paste the Google Workspace SAML app SSO URL.

    3. Certificate (PEM format): Paste the Google Workspace SAML app certificate.
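The metadata file from Option 1 contains exactly the three values that the manual method above asks you to paste (IdP EntityID, Sign-on Endpoint, and the certificate in PEM format). The following added example, not part of this tutorial or of Access Server, parses a downloaded Google IdP metadata file and pulls those values out, converting the bare base64 certificate to PEM and refusing metadata that is not IdP metadata or that carries no signing certificate. The embedded XML is a constructed stand-in: PLACEHOLDER_IDPID is not a real tenant id and the certificate bytes are fabricated.

```python
import base64
import textwrap
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed stand-in for the Option 1 metadata download. PLACEHOLDER_IDPID is not a
# real tenant id and the certificate is fabricated DER-shaped bytes, not a real key.
FAKE_CERT_B64 = base64.b64encode(b"\x30\x82\x01\x00" + bytes(256)).decode()
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}"
    entityID="https://accounts.google.com/o/saml2?idpid=PLACEHOLDER_IDPID">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo xmlns:ds="{NS['ds']}"><ds:X509Data>
      <ds:X509Certificate>{FAKE_CERT_B64}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://accounts.google.com/o/saml2/idp?idpid=PLACEHOLDER_IDPID"/>
    <md:SingleSignOnService Binding="{HTTP_REDIRECT}"
        Location="https://accounts.google.com/o/saml2/idp?idpid=PLACEHOLDER_IDPID"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def to_pem(b64_text: str) -> str:
    # Wrap the metadata's bare base64 certificate into the PEM form the SAML page expects.
    raw = "".join(b64_text.split())
    der = base64.b64decode(raw, validate=True)  # raises binascii.Error if the text is corrupted
    if not der.startswith(b"\x30"):  # an X.509 certificate is an ASN.1 SEQUENCE
        raise ValueError("certificate text is not DER")
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(textwrap.wrap(raw, 64)) + "\n-----END CERTIFICATE-----\n"

def extract_idp_settings(metadata_xml: str) -> dict:
    # Return the three values step 2 of the manual method asks for.
    root = ET.fromstring(metadata_xml)
    idp = root.find("md:IDPSSODescriptor", NS)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor" or idp is None:
        raise ValueError("not IdP metadata (no IDPSSODescriptor); was SP metadata saved instead?")
    sso = [s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)
           if s.get("Binding") == HTTP_REDIRECT]
    if not sso:
        raise ValueError("no HTTP-Redirect SingleSignOnService endpoint")
    # Only keys marked for signing (or unmarked, which means both uses) may verify assertions;
    # an encryption-only key must never be pasted as the trust anchor.
    certs = [to_pem(c.text) for kd in idp.findall("md:KeyDescriptor", NS)
             if kd.get("use", "signing") == "signing"
             for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)]
    if not certs:
        raise ValueError("no signing certificate in metadata")
    return {"entity_id": root.get("entityID"), "sso_url": sso[0], "certificates": certs}
```

To use it on a real download, pass the file contents to `extract_idp_settings` instead of `SAMPLE_METADATA`; if the metadata lists more than one signing certificate (Google rotates keys), every entry in `certificates` must be trusted by Access Server.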