Implementing SAML with Google Workspace


INTRODUCTION

One of the SAML identity providers (IdPs) that you can use with Hudu is Google Workspace (https://admin.google.com/).

To set up SSO with Google Workspace, you will need:

  • Administrator rights within Google Workspace.
  • The Admin or Super Admin user role within Hudu.
  • Your own domain registered and verified with Google Workspace.
  • Every user provisioned in Google Workspace with exactly the same email address as listed in Hudu. Hudu does not create new user accounts from SSO, so make sure the users already exist in Hudu before you start; a user whose Google primary email differs from their Hudu email will not be able to sign in.

GUIDES

HOW TO ENABLE SSO

  1. Log in to Hudu and click the Admin tab on the top toolbar.
  2. Click General.
  3. Click Configure Single Sign-On.
  4. Enter SAML details. See relevant section below on how to fill this information out.
  5. Click "Enable Single Sign-On".
  6. Hit "Update SAML Details" and SAML should now be activated.


Configuring Google Workspace

  • In Google Workspace:
    • Navigate to Apps >> Web and mobile apps >> 'Add App' >> Add custom SAML app
  • Provide app details:
    • App name (required)
    • App description (optional)
    • App icon (optional)
  • Click continue.
    • This opens a page with your Google identity provider details in two forms: Option 1 is a downloadable IdP metadata file, Option 2 shows the individual values. Copy the Option 2 SSO URL, Entity ID, and Certificate; you will need them when configuring Hudu (you can also come back for them later).
  • Click continue.
  • Service provider details: Google asks for the service provider's ACS URL and Entity ID; these identify your Hudu instance to Google.
  • Define Name ID format:
    • Name ID format: EMAIL
    • Name ID: Basic Information > Primary Email
  • Click continue.
    • Attribute mapping can be skipped.
  • Click finish.
  • Lastly, enable the app for your users via the User access setting. It must be ON for every user (or organizational unit/group) that will sign in to Hudu with SSO; users without access get an error from Google rather than a Hudu login.

Configuring Hudu

  1. In Hudu, with a user role of Admin or Super Admin:
    • Navigate to Admin >> General >> SAML/SSO Configure.
  2. Provide Identity Provider (IdP) information:
    • This is the information that we copied earlier, from Option 2. To access these again:
      • Navigate back to Google Workspace >> Apps >> Web and mobile apps
      • Click into the app you've just created >> Service provider details dropdown arrow.
      • Click Manage Certificates
    • SAML Issuer URL: This is what Google Workspace calls the "Entity ID". Copy it exactly into Hudu.
    • SAML Login URL: This is what Google Workspace calls the "SSO URL". Copy it exactly into Hudu. The Entity ID and SSO URL look similar, so check that you have not swapped them.
    • SAML Logout URL: Use the same value as the SAML Login URL; paste the SSO URL here as well.
    • SAML Fingerprint:
      • Copy the SHA-256 fingerprint that Google Workspace shows for the certificate.
      • Alternatively, compute the fingerprint (SHA-256 or SHA-1) from the certificate yourself. Whichever you use, it must be the fingerprint of the certificate you paste in the next field; a mismatch between the two makes every SSO login fail signature validation.
    • SAML Certificate: This is provided by Google Workspace and must be the same certificate the fingerprint was taken from; copy it exactly.
      • The -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines should be included.
      • When Google's certificate expires or is rotated, update both the certificate and the fingerprint in Hudu.
    • SAML ARN: This selects the RequestedAuthnContext that Hudu includes in its AuthnRequest to the IdP. The authentication context is the method by which the user authenticates at the IdP (password, passwordless, etc.).
      • Do not pass RequestedAuthnContext: Hudu omits the element, leaving the choice of authentication method to the IdP, which may report an unspecified context in its response.
        • A RequestedAuthnContext is typically optional, although some IdPs require one.
        • If any of your users sign in to the IdP without a password (passwordless), you must select this option; a password-based context cannot be satisfied by a passwordless login and the IdP will reject the request.
      • Password (urn:oasis:names:tc:SAML:2.0:ac:classes:Password): the IdP is asked to authenticate the user with a username and password.
      • PasswordProtectedTransport (urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport): the IdP is asked to authenticate the user with a username and password over a TLS-protected channel.
  3. Click "Enable Single Sign-On".
  4. Hit "Update SAML Details" and SAML should now be activated.
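Two parts of the procedure above are easy to get subtly wrong: pasting a fingerprint that does not belong to the pasted certificate, and misunderstanding what the SAML ARN choice actually sends to Google. The following script is an added example (it is not Hudu's or Google's code) that computes the SHA-256 and SHA-1 fingerprints of a PEM certificate the way `openssl x509 -noout -fingerprint` would, checks a pasted fingerprint against the certificate, and builds the SP-side AuthnRequest for each of the three SAML ARN options so you can see the RequestedAuthnContext element appear or disappear. The certificate body, the SSO URL, the SP entity ID and the ACS URL in it are constructed placeholders, not real Google or Hudu values.

```python
"""Added example (not Hudu's or Google's code): checks for the values entered
on Hudu's SAML page. Part 1: fingerprint of the IdP certificate, so the
fingerprint and certificate fields describe the same certificate. Part 2: what
the "SAML ARN" choice changes in the SP's AuthnRequest. All URLs and the
certificate body are constructed placeholders."""
import base64
import hashlib
import re
import urllib.parse
import uuid
import zlib
import xml.etree.ElementTree as ET

# Part 1: certificate fingerprint.
# Constructed stand-in for the DER bytes of a certificate; NOT a real X.509 blob.
SAMPLE_DER = b"constructed DER body standing in for Google's IdP certificate"
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.b64encode(SAMPLE_DER).decode() + "\n"
              "-----END CERTIFICATE-----\n")

def pem_to_der(pem):
    """Strip the PEM armour and whitespace and return the DER bytes. Works
    whether or not the BEGIN/END lines were included in the paste."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", pem)
    return base64.b64decode("".join(body.split()), validate=True)

def fingerprint(pem, algo="sha256"):
    """Digest of the DER certificate as colon-separated upper-case hex pairs,
    the usual display form (same value as openssl's -fingerprint output)."""
    digest = hashlib.new(algo, pem_to_der(pem)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def fingerprint_matches(pem, pasted):
    """True if a pasted fingerprint belongs to this certificate, ignoring case,
    colons and spaces, and accepting either SHA-1 or SHA-256."""
    wanted = re.sub(r"[^0-9a-f]", "", pasted.lower())
    return any(fingerprint(pem, a).replace(":", "").lower() == wanted
               for a in ("sha1", "sha256"))

# Part 2: the RequestedAuthnContext element.
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)
# The three "SAML ARN" options and the class-ref URN each one sends.
AUTHN_CONTEXT = {
    "Do not pass RequestedAuthnContext": None,
    "Password": "urn:oasis:names:tc:SAML:2.0:ac:classes:Password",
    "PasswordProtectedTransport":
        "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport",
}

def build_authn_request(sso_url, sp_entity_id, acs_url,
                        option="Do not pass RequestedAuthnContext"):
    """Minimal AuthnRequest an SP sends to the IdP's SSO URL. NameIDPolicy asks
    for an email-address NameID, matching the Google app's Name ID format EMAIL.
    IssueInstant is fixed so the output is reproducible; real code uses now()."""
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": "_" + uuid.uuid4().hex, "Version": "2.0",
        "IssueInstant": "2024-01-01T00:00:00Z",
        "Destination": sso_url, "AssertionConsumerServiceURL": acs_url,
        "ProtocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"})
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = sp_entity_id
    ET.SubElement(req, f"{{{SAMLP}}}NameIDPolicy", {
        "Format": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
        "AllowCreate": "false"})
    urn = AUTHN_CONTEXT[option]
    if urn is not None:  # "Do not pass" omits the element entirely; the IdP decides
        rac = ET.SubElement(req, f"{{{SAMLP}}}RequestedAuthnContext",
                            {"Comparison": "exact"})
        ET.SubElement(rac, f"{{{SAML}}}AuthnContextClassRef").text = urn
    return ET.tostring(req)

def redirect_binding_param(authn_request):
    """Encode for the HTTP-Redirect binding: raw DEFLATE, base64, URL-encode."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -zlib.MAX_WBITS)  # raw deflate
    deflated = comp.compress(authn_request) + comp.flush()
    return urllib.parse.quote_plus(base64.b64encode(deflated).decode())

def decode_redirect_param(param):
    """Inverse of redirect_binding_param, e.g. to inspect a captured SAMLRequest."""
    raw = base64.b64decode(urllib.parse.unquote_plus(param))
    return zlib.decompress(raw, -zlib.MAX_WBITS)

def requested_context(authn_request):
    """Return the AuthnContextClassRef URN carried by a request, or None."""
    el = ET.fromstring(authn_request).find(f".//{{{SAML}}}AuthnContextClassRef")
    return el.text if el is not None else None

if __name__ == "__main__":
    print("SHA-256:", fingerprint(SAMPLE_PEM))
    print("SHA-1:  ", fingerprint(SAMPLE_PEM, "sha1"))
    for option in AUTHN_CONTEXT:
        req = build_authn_request("https://idp.example.com/sso",        # placeholder SSO URL
                                  "https://hudu.example.com",           # placeholder SP entity ID
                                  "https://hudu.example.com/saml/acs",  # placeholder ACS URL
                                  option)
        print(f"{option}: RequestedAuthnContext = {requested_context(req)}")
```

To check a real configuration, replace SAMPLE_PEM with the certificate text copied from Google's Option 2 panel and pass the fingerprint you intend to paste into Hudu to fingerprint_matches; a False result means the two fields would not describe the same certificate. The decode_redirect_param helper is useful for reading the SAMLRequest parameter out of a captured redirect to confirm which RequestedAuthnContext, if any, the SP is really sending.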


TESTING SAML

Open an incognito window and try to access Hudu. You should be redirected to the login page, where you will see a "Use Single Sign On (SSO)" button. If you can log in successfully via this button, your SAML configuration is working. Test with a non-admin user as well, so you know the email matching and User access setting are correct for ordinary users, not just for the administrator who set it up.

You can also click 'Test SAML' from within your Hudu SAML app in Google Workspace.


DISABLE PASSWORD ACCESS FOR NON-ADMINS

You have the option to disable password logins for non-administrators (users that are not Super Admins or Admins). Once you click "Disable Password Access for non-Admins", every user below the Admin role must use single sign-on exclusively to access your Hudu environment.

Admins can still sign in with a password via the admin sign-in page. This keeps you from being locked out of your account when your identity provider is unavailable, so protect those admin accounts accordingly.
