Google Workspace
What is Google Workspace
From https://en.wikipedia.org/wiki/Google_Workspace
Google Workspace is a collection of cloud computing, productivity and collaboration tools, software and products developed and marketed by Google.
Preparation
The following placeholders will be used:
authentik.company
is the FQDN of the authentik install.example.com
is the default E-mail address configured in Google workspace.
authentik Configuration
Create an application in authentik and note the slug, as this will be used later. Set the Launch URL to https://mail.google.com/a/example.com
.
Create a SAML provider with the following parameters:
- ACS URL:
https://www.google.com/a/example.com/acs
- Issuer:
google.com/a/example.com
- Binding:
Post
- Audience:
google.com/a/example.com
Under Advanced protocol settings, set the option NameID Property Mapping to the default E-mail property mapping called authentik default SAML Mapping: Email. Also make sure a Signing Certificate is selected in the same section.
Copy the values of SSO URL (Redirect) and SLO URL (Redirect) fields from the provider page.
Click the Download button next to the Download signing certificate label.
Google Workspace Configuration
Log in to the Google Workspace Admin portal by navigating to https://admin.google.com/, and authenticating with a super-admin account.
Navigate to Security -> Authentication -> SSO with third-party IdP.
Open the Third-party SSO profile for your organization section.
Check the checkbox Set up SSO with third-party identity provider.
Set the value of Sign-in page URL to the copied SSO URL (Redirect) from above.
Set the value of Sign-out page URL to the copied SLO URL (Redirect) from above.
For Verification certificate, upload the certificate that you downloaded previously.
Ensure the option Use a domain specific issuer is enabled.
Notes
Google will not use these SSO settings with super-admins, although they will apply for any other user account. User accounts must already exist in Google workspace when attempting to login with authentik; Google will not create them automatically.
To verify that the configuration is correct for a super-admin account, navigate to https://mail.google.com/a/example.com
, which redirects to the configured authentik instance.