• Home
• Login with External Identity Provider
• Google Workspace Single Sign-On (SSO)

Configure Google Workspace as a SAML, OAuth and Social login IDP for SSO

---

miniOrange Identity Broker service solution enables cross protocol authentication. You can configure Google Workspace as an IDP for Single Sign-On (SSO) into your applications/websites. Here, Google Workspace will act as an Identity Provider (IDP) and miniOrange will act as a broker.

We offer a pre-built solution for integrating with Google Workspace, making it easier and quick to implement. Our team can also help you set up Google Workspace as SAML or OIDC IDP to login into your applications.

Follow the Step-by-Step Guide given below for Google Workspace Single Sign-On (SSO)

1. Configure miniOrange as SP in Google Workspace

Mentioned below are steps to configure Google Workspace as IDP via SAML and OAuth configuration. Follow the steps accordingly based on your requirement (SAML, OAuth and Social login).

• SAML
• OAuth
• Social Login

• Go to miniOrange Admin console.
• From the left navigation bar, select Identity Providers >> click Add Identity Provider.



• To configure SAML, select SAML from the All Apps dropdown.



• Select Google Workspace.



• Now click on the Click here link to get miniOrange metadata as shown in Screen below.



• For SP -INITIATED SSO section Select Show Metadata Details.



• Click on Download Metadata.



• Go to https://admin.google.com and login with your G Suite administrator account.
• Navigate to the Apps tab in the left menu and click on Web and mobile apps.



• Click on the Add App button, then in the dropdown select Add Custom SAML app tab to create a new saml app.



• Enter details for your custom SAML app and click on Continue button.



• Click on Download Metadata button. This will be used for configuring your Service Provider in miniOrange (Step 1.).
• You can also copy G Suite details like SSO URL, entity ID and Certificate to configure the Service Provider manually and then click on Continue button.



• Click on Continue button.



• Click on Add Mapping button.



• Add and select user fields in Google Directory, then map them to Service Provider attributes and Click on Finish button.



• Select ON for everyone to activate SSO.

Follow the steps to configure Google Workspace as IdP by OAuth configuration.

• Go to miniOrange Admin Console.
• From the left navigation bar select Identity Provider >> Add Identity Provider .



• Under Choose Application, select OAuth/OpenID from the All Apps dropdown.



• Select Google.



• Keep the OAuth Callback URL, which we will use to configure Google Workspace as the OAuth Server/Provider.



• Go to https://console.developers.google.com/ and sign up/login.
• Click on Select Project to create a new Google Apps Project,you will see a popup with the list of all your projects.



• You can click on the New project button to create new project.



• Enter your Project name under the Project Name field and click on Create.



• Go to Navigation Menu >> APIs >> Services >> Credentials.



• Click on Create Credentials button and then select OAuth Client ID from the options provided.



• In case you are facing some warning saying that in order to create an OAuth Client ID, you must set a product name on consent screen (as shown in below image). Click on the Configure consent screen button.



• Enter the required details such as App Name, User Support Email. and click on Save and Continue button.





• Now for configuring scopes, click on Add or Remove the Scopes button.



• Now, Select the Scopes to allow your project to access specific types of private user data from their Google Account and click on Save and Continue button.



• Go to the Credentials tab and click on Create Credentials button. Select Web Application from dropdown list to create new application.



• Enter the name you want for your Client ID under the name field and enter the Redirect/Callback URL that we saved in the Step 1 and click on the Create button.



• You will see a popup with the Client ID and Client Secret Copy your Client ID and Client Secret.



• You have successfully completed your Google App OAuth Server side configurations.

• Go to miniOrange Admin console.
• From the left navigation bar, select Identity Providers >> click Add Identity Provider.



• Click on Add Social Connection.



• Select the tiles of Social Connections that you want to enable and click on Enable Connection button. Please note that your development keys will be used when.



• You will be redirected to the External Identity Providers page listing the enabled social connections.



• You can check on the login form that the social login connections will be added.



• You can also customize the appearance of the social connections. Go to Identity Providers from the left nav and click on the Customize Social Login Icons button.



• You will see the various options to customize the dimensions, background, hover effects, etc of the social login icons.



• You can also add the custom css.



• Click on Save to see the changes on the login page.
• You can also enable/disable the social connection to be shown on the login form from the External Identity Providers page.



• If you want to add your development keys to social login, you can add your keys by editing the Social connection from the Identity Providers page.



• Keep the OAuth Callback URL, which we will use to configure Google as the OAuth Server/Provider.



• Refer to the OAuth guide step 1 to set up the OAuth app on Google Workspace

2. Configure Google Workspace as an Identity Provider in miniOrange

• SAML
• OAuth

• Return to the miniOrange Admin Console (you should have kept it open from Step 1).
• Click on Import IDP metadata.



• Choose an appropriate IDP name. Enter the URL which you have saved in the previous step from Google Workspace.
• Click on Import.



• As shown in the below screen the IDP Entity ID, SAML SSO Login URL and x.509 Certificate will be filled from the Metadata file we just imported.




IDP Entity ID	Entity ID of IDP
SAML SSO Login URL	Login Url from IDP
Single Logout URL	Logout Url from IDP
X.509 Certificate	The public key certificate of your IDP.

• Few other optional features that can be configured to the Identity Provider(IDP) are listed in the table below:




Domain Mapping	Can be used to redirect specific domain user to specific IDP
Show IdP to Users	Enable this if you want to show this IDP to all users during Login

• Click on Save.

Note: Follow the steps below to configure OAuth for Social Login as well.



• Return to the miniOrange Admin Console (you should have kept it open from Step 1 in OAuth tab).
• Enter the following values.

  Display Name	Choose appropriate Name
  OAuth Callback URL	URL where the IDP redirects users after successful authentication.
  Client ID	From step 1 (in OAuth section)
  Client secret	From step 1 (in OAuth section)
  Scope	email public_profile




• Click on Next for Advanced tab.
• Grant Type: Select the OAuth grant type used to obtain the access token.
• Domain Mapping: Specify the domain linked to this Identity Provider for login.



• Click on Save.

3. Test Connection

• Visit your Login Page URL.
• Go to Identity Providers tab.
• Search for your app, click the three dots in the Actions menu, and select Test Connection against the Identity Provider (IDP) you configured.



• On entering valid Google Workspace credentials (credentials of user assigned to app created in Google Workspace), you will see a pop-up window which is shown in the below screen.



• Hence your configuration of Google Workspace as IDP in miniOrange is successfully completed.

Note:

You can follow this guide, if you want to configure SAML/WS-FED, OAuth/OIDC, JWT, Radius etc

Configure Attribute Mapping

Note: The customer configure attribute mapping for social login only when he/she has used his/her client credentials.

• Go to Identity Providers.
• Click the three dots in the Actions menu, and select Attribute Mapping against the Identity Provider (IDP) you configured.

• Attribute Type - USER
• Attribute Type - EXTERNAL

Maps information, such as email and username, during Just-In-Time (JIT) user creation. Email and Username attributes are necessary to create the user profile.

• Click on the + Add Attribute button to add the attribute fields.



• Check the attributes in the Test Connection window from the previous step. Choose any attribute names you want to send to your application under Attribute Name sent to SP.
• Enter the values of the attributes coming from IdP into the Attribute Name from IdP field on the Xecurify side.

EXTERNAL mappings help alter incoming attribute names before sending them to apps, ensuring that the data is in the correct format.

• Click on the + Add Attribute button to add the attribute fields.



• Check attributes in test connection window from last step. Enter the attribute names (any name) that you want to send to your application under Attribute Name sent to SP.
• Enter the value of attributes that are coming from IdP into the Attribute Name from IdP field on the Xecurify side.

Configure Multiple IDPs:

You can follow this guide, if you want to configure multiple IDPs (Identity Providers) and give users the option to select the IDP of their choice to authenticate with.

External References

• Read more about miniOrange Identity Brokering Solution
• Know More about Single Sign On (SSO)
• Know More about OAuth / OpenID Connect Server
• Google apps Single Sign On
• SP-Initiated v/s IdP-Initiated SSO