How to configure SAML with Google Workspace

Introduction

OpenVPN Access Server 2.11 and newer supports authentication using SAML with Google Workspace as the identity provider. You can configure this in Google Workspace with Access Server as your service provider.

The following steps walk you through how to enable SAML authentication for users and groups from Google Workspace to Access Server.

Before you begin

You need the following to get started:

Note: We recommend using all lowercase usernames when logging in with SAML.

Step 1: Create the Google Workspace SAML application

With Google Workspace, you must create a SAML integration application.

First, gather information about your Access Server as the service provider (SP).

  1. Sign in to your Access Server Admin Web UI.
  2. Click Authentication > SAML.
  3. You’ll need the following information:
    • SP Identity.
    • SP ACS.

Now that you have your SP information, you can create a new Google Workspace app and enter that information during app creation:

  1. Sign in to your Google Workspace Admin Console.
  2. From the hamburger menu, click Apps > Web and mobile apps.
  3. Click Add app > Add custom SAML app.
  4. Enter the app’s name, description, and an icon, then click Continue.
  5. Click DOWNLOAD METADATA under Option 1: Download IdP metadata.
  6. Save the XML file to use in step 2 below and click Continue.
  7. Use the SP information from Access Server to enter the following into the Google app:
    • ACS URL: Enter the Access Server SP ACS.
    • Entity ID: Enter the Access Server SP Identity.
    • Start URL: Enter ‘cws’ for the Client Web UI or ‘profile’ to provide users with a downloadable profile. (Refer to “How to set up IdP-initiated flow” below for more details.)
    • Click Continue.
  8. Configure attribute mapping (such as “Primary email” = “email”) on the next screen and click Finish.

Step 2: Upload metadata XML file to Access Server

The simplest way to set up Google Workspace SAML for Access Server is by providing metadata to Access Server. You can do this with the downloaded metadata XML file from creating your app.

Provide the file to your Access Server through the Admin Web UI:

  1. Sign in to your Access Server Admin Web UI.
  2. Click Authentication > SAML.
  3. Click Configure Identity Provider (IdP) Automatically via Metadata to expand the section.
  4. Click Choose File for Select IdP Metadata File.
  5. Select your Google IdP metadata XML file, click Upload, and then Update Running Server.
  6. The IdP fields are now populated under Configure Identity Provider (IdP) Manually.

Step 3: Turn on the SAML service for users

You need to grant access to your SAML app from the Google Workspace admin console:

  1. Sign in to the Google Workspace admin console.
  2. Click Apps > Web and mobile apps.
  3. Click your SAML app.
  4. Click User access.
  5. Select ON for everyone and click Save.

Finally, enable SAML as your authentication in Access Server:

  1. Sign in to the Admin Web UI.
  2. Click Authentication > SAML.
  3. Click the toggle to Yes to Enable SAML authentication.

You can now assign SAML as the authentication method to specific users and groups or as the default authentication method.

How to set up IdP-initiated flow

You can configure an IdP-initiated flow for signing into Access Server from Google Workspace with the following steps:

  1. Sign in to the Google Workspace admin console.
  2. Click Apps > Web and mobile apps, and click on your custom SAML app.
  3. Click the arrow to expand Service provider details.
  4. Add one of the following to Start URL:
    • cws: This directs your users to the Client Web UI after sign-in.
    • profile: This directs your users to a profile download after sign-in.
  5. Click Save.
  6. Users find the app available in their Google apps.

How to manually configure SAML for Google Workspace

If you prefer, you can manually enter the Google Workspace SAML data to configure Access Server by following these steps.

Step 1: Create the Google Workspace custom SAML app.

  1. Sign in to your Access Server Admin Web UI.
  2. Click Authentication > SAML.
  3. You’ll need the following information:
    • SP Identity.
    • SP ACS.
  4. Sign in to your Google Workspace Admin Console.
  5. From the hamburger menu, click Apps > Web and mobile apps.
  6. Click Add app > Add custom SAML app.
  7. Enter the app’s name, description, and an icon, then click Continue.
  8. Save the SSO URL, Entity ID, and Certificate information under Option 2: Copy the SSO URL, entity ID, and certificate.
  9. Click Continue.
  10. Use the SP information from Access Server to enter the following into the Google app:
    • ACS URL: Enter the Access Server SP ACS.
    • Entity ID: Enter the Access Server SP Identity.
    • Start URL: Enter ‘cws’ for the Client Web UI or ‘profile’ to provide users with a downloadable profile. (Refer to “How to set up IdP-initiated flow” below for more details.)
    • Click Continue.
  11. Configure attribute mapping (such as “Primary email” = “email”) on the next screen and click Finish.

Step 2: Manually enter the IdP data into Access Server’s SAML page.

  1. Sign in to your Access Server Admin Web UI.
  2. Click Authentication > SAML.
  3. Click Configure Identity Provider (IdP) Manually to expand the section.
  4. Enter the following from the Google Workspace SAML app:
    • IdP EntityID: Paste the Google Workspace SAML app entity ID.
    • Sign-on Endpoint: Paste the Google Workspace SAML app SSO URL.
    • Certificate (PEM format): Paste the Google Workspace SAML app certificate.
  5. Click Save Settings and Update Running Server.