Authentication in Google Workspace via SAML 2.0
- Google Workspace account: A Google Workspace Admin account is required.
- Access the Admin Console: Log in to the Google Admin Console with that account. This is where the settings of the Google services are managed.
- Add users: In Directory > Users, add new users or manage existing ones. Make sure each Google Workspace user carries an attribute (a custom attribute can be created for this purpose) whose value matches that user's Login in SoftExpert Suite, because this value is what links the two accounts.
- Create SAML application: In Apps > Web and mobile apps, create a new custom SAML app for your SoftExpert Suite with the following settings (replace YOUR_DOMAIN with the host name of your SoftExpert Suite instance):
  - ACS URL:
    https://YOUR_DOMAIN/softexpert/saml
  - Entity ID:
    https://YOUR_DOMAIN/softexpert/selogin
  - Name ID: the Google Workspace attribute whose value is sent as the Login of the user in SoftExpert Suite. For example:
    - To use the Google Workspace first name as Login, select the "Unspecified" format and the "Basic Information > First name" attribute.
    - To use the Google Workspace primary e-mail as Login, select the "Unspecified" format and the "Basic Information > Primary Email" attribute.
    A first name is neither unique nor stable, so two users with the same first name would resolve to the same SoftExpert Suite login; prefer the primary e-mail or a custom attribute that is unique per user.
- Activate for all users: After the app is created, turn it on for all users in the "User access" section of the SAML application's settings. Users for whom the app is not turned on cannot sign in through it.
- Download Google metadata: In Apps > Web and mobile apps > YourAppName, click on "Download metadata".
- Set up SoftExpert Suite for single sign-on: In SoftExpert Suite, open the authentication configurations (CM008) and check SAML 2.0 under Authentication options. Then, in Authentication services > SAML 2.0, add a new record:
  - In "Upload Identity Provider configurations", upload the "GoogleIDPMetadata.xml" file downloaded from Google.
  - In "Credential ID #", enter "Login" or "E-mail" (or the custom attribute chosen in Google Workspace).
  - Enter the certificate validity period (in years) and click on "Renew certificate".
  - Enter an ID # and click on "Apply".
  - Still on screen CM008, go to Directory integration > General options and check "Enable integrated authentication for users that are not synchronized".
  Save the authentication configurations and log in to the system through single sign-on.
⚠️ Attention:
- Before bulk import of Google Workspace users, we recommend importing a user to test authentication with the chosen custom attribute.
- If there are problems with the initial configuration, check whether the ACS URL and the entity ID are correct.
- Changes in the Admin Console can take up to 24 hours to take effect in Google Workspace.