UniFi Identity Enterprise - Add Google Workspace as an SSO App
When Google Workspace is added to Identity Enterprise as a single sign-on (SSO) app, admins can manage user access to Google Workspace in Identity Enterprise Manager, and users can access Google Workspace with their UniFi Identity Enterprise credentials.
Get Sign-On URL and Public Certificate from Identity Enterprise Manager
- Go to your Identity Enterprise Manager > SSO Apps.
- Click the Add icon in the upper-right corner and select Google Workspace.
- Click Add. Copy the sign-on URL and download the Public Certificate. You’ll need them when configuring SSO in Google Workspace.
Configure SSO in Google Workspace
- Sign in to your Google Admin Console.
- Select Security > Authentication > SSO with third-party IdP.
- Click Edit SSO profile for your organization.
- Check the Set up SSO with third-party identity provider box.
- Fill in the following information:
- Sign-in page URL: Paste the Sign-On URL copied from Identity Enterprise Manager.
- Sign-out page URL: Paste the Sign-On URL copied from Identity Enterprise Manager.
- Upload certificate: Browse and select the Public Certificate downloaded from Identity Enterprise Manager.
- (Optional) Tick the Use a domain-specific issuer checkbox as needed.
- When ticked, Google sends an issuer specific to your domain in the SAML request: google.com/a/example.com (where example.com is your primary Google Workspace domain name).
- When unticked, Google sends the standard issuer in the SAML request: google.com.
- (Optional) Use the Network masks field to allow only a targeted subset of users to access your organization's Identity Enterprise site. Learn more about Google’s network masks.
- (Optional) Change password URL: Enter https://{your_workspace_domain}.ui.com. Note: If you enter a change password URL, users will be directed to that page even if SSO is not enabled for your organization.
- Click Save.
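To confirm which issuer Google is sending after you save the profile, you can decode the SAMLRequest parameter from a captured sign-in redirect and compare it with the value the checkbox setting implies. The following is an added example, not part of the original guide or of UniFi's tooling; it assumes the request uses the SAML 2.0 HTTP-Redirect encoding (raw DEFLATE, then base64), and the URL, host name and function names are hypothetical.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlparse

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}


def expected_issuer(primary_domain, domain_specific):
    """Issuer implied by the 'Use a domain-specific issuer' checkbox."""
    return f"google.com/a/{primary_domain}" if domain_specific else "google.com"


def decode_saml_request(redirect_url):
    """Decode the SAMLRequest query parameter into an XML element."""
    values = parse_qs(urlparse(redirect_url).query).get("SAMLRequest")
    if not values:
        raise ValueError("URL carries no SAMLRequest parameter")
    raw = base64.b64decode(values[0])
    xml_bytes = zlib.decompress(raw, -15)  # -15 selects raw DEFLATE (no header)
    if b"<!DOCTYPE" in xml_bytes or b"<!ENTITY" in xml_bytes:
        raise ValueError("DTD or entity declaration in SAML request")
    return ET.fromstring(xml_bytes)


def check_issuer(redirect_url, primary_domain, domain_specific):
    """Return (matches, observed_issuer) for the request in redirect_url."""
    root = decode_saml_request(redirect_url)
    node = root.find("saml:Issuer", SAML_NS)
    observed = (node.text or "").strip() if node is not None else ""
    return observed == expected_issuer(primary_domain, domain_specific), observed


def build_sample_url(issuer):
    """Build a constructed sample redirect (not a real captured request)."""
    xml = (
        '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'ID="constructed-id" Version="2.0">'
        '<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
        f"{issuer}</saml:Issuer></samlp:AuthnRequest>"
    ).encode()
    comp = zlib.compressobj(wbits=-15)
    deflated = comp.compress(xml) + comp.flush()
    query = urlencode({"SAMLRequest": base64.b64encode(deflated).decode()})
    return "https://idp.example.invalid/sso?" + query  # hypothetical sign-on URL


if __name__ == "__main__":
    url = build_sample_url("google.com/a/example.com")
    print(check_issuer(url, "example.com", domain_specific=True))
```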
Configure SSO App Settings in Identity Enterprise Manager
- Go to your Identity Enterprise Manager > SSO Apps.
- Fill in the following information for the app selected:
- App name: Name this app.
- Your Google Apps company domain: Enter your Google App’s domain. For example, if your Google app’s sign-in URL is https://www.google.com/a/acme.com/..., then enter: acme.com.
- Display the following links: Select the Google apps that you want to display in the user’s Identity Enterprise Workspace or mobile/desktop apps.
- (Optional) Default Relay State: The SAML default relay state is the destination to which the user will be redirected after they have completed the authentication process at the IdP.
- Your Google Apps SP ACS URL: Enter your Google App’s domain. For example, if your Google app’s sign-in URL is https://www.google.com/a/acme.com/..., then enter: acme.com.