
SAML Configuration for Google Admin

Overview

This guide offers detailed instructions for configuring a custom SAML application within the Google Admin dashboard. It outlines the steps to set up your SAML application, create Google Workspace user accounts, add these accounts to a group, enable the group to use your SAML application, verify SSO functionality, and address common troubleshooting issues.

Procedure

Setting Up Your Custom SAML Application

  1. Log in to https://admin.google.com, and ensure that your account has administrator rights.

  2. Navigate to Apps > Web and mobile apps.

  3. Click the Add App dropdown menu, then click the Add custom SAML app dropdown option.

  4. Input a name for your custom SAML application, then click on the CONTINUE button.

  5. Click on the DOWNLOAD METADATA button, then click on the CONTINUE button.

  6. Enter your ACS URL and Entity ID into the corresponding fields, then click on the CONTINUE button.

READER NOTE

  • The ACS URL must start with https://, and end with /login.aspx

  • Both the ACS URL and Entity ID start with the format https://<YourD3Domain>/<path>/VSOC

  7. Click on the FINISH button in the Attribute mapping stage.

  8. Ensure that the OFF for everyone setting is configured for User access.

If it is not already set to OFF for everyone, click anywhere within the User access card. In the Service status page, select the OFF for everyone radio option, then click on the SAVE button.

Create Google Workspace Users

  1. Navigate to Directory > Users, then click on the Add new user button.

  2. Enter the required user information, then click on the ADD NEW USER button.

  3. Click on any of the following buttons based on your needs:

    1. PREVIEW AND SEND to reset the user password

    2. ADD ANOTHER USER to create another Google Workspace user

    3. DONE to complete the process

Your newly created Google Workspace user will now appear in the users table.

Creating a Group

  1. Navigate to Directory > Groups.

  2. Click on the Create group hyperlink.

  3. Enter the required fields, then click on the NEXT button.

  4. Customize your group settings, then click on the NEXT button.

  5. Click on the CREATE GROUP button.

  6. Click either the Add members to <group name> hyperlink, or the DONE button.

Adding a Google Workspace User into the Group

  1. Click on the Add members hyperlink.

  2. Add your newly created user account(s), then click on the ADD TO GROUP button.

    1. An admin account must also be added.

READER NOTE

Ensure that all the users you intend to add to your group are displayed in pill form on the user interface before you click the ADD TO GROUP button. The below image illustrates two pills.

  3. Verify that your user(s) have been added to your group.

Turning on the Service Status

  1. Re-navigate to Apps > Web and mobile apps.

  2. Click on your SAML application.

    1. Click on the User access card.

  3. Click the Groups accordion, then click on your group created in the Creating a Group section.

  4. Check the On checkbox, then click on the SAVE button.

READER NOTE

Before proceeding to the next section, ensure that you have:

  • Created D3 user accounts (Organization Management > Users > + Add Users). The SAMLEmailIDType configuration key in vSOC’s Application Settings > Web Config determines what your D3 username must be. Depending on its setting, your username could be either your full email address or the local part of your email. Refer to the FAQ section in the Authentication Configuration Guide for more details.

  • Assigned login methods to those D3 user accounts (Application Settings > Login Authentication > Users).

READER NOTE

To enable multiple users within your organization to access D3 vSOC, create a Google Workspace user for each individual, and add them to the SSO-enabled group.

READER NOTE

If you choose to have D3 assist with the setup process, you have the option to send your SAML setup certificate to D3.

If your organization decides to perform the setup independently, follow the steps below:

  1. Copy and paste https://accounts.google.com/o/saml2/initsso?idpid=<identity provider Id>&spid=<service provider Id> into D3 vSOC’s Target URL field (see the Login Authentication Configuration Guide for configuration details on the D3 vSOC side).

    1. The identity provider Id can be found by clicking on the DOWNLOAD METADATA button located at Apps > Web and mobile apps > YourApplicationName.

    2. You can find the service provider ID in your browser's URL bar at the same location.

  2. Copy and paste Google’s Certificate into D3 vSOC’s Certificate field.

  3. Input your ACS URL into D3 vSOC. It should conform to the following format: https://<YourD3Domain>/<path>/VSOC/login.aspx.

WARNING

  • Do not copy Google’s SSO URL into D3 vSOC’s Target URL field. You will have to synthesize a user access URL, as we will call it here.

  • When synthesizing the user access URL, ensure that you do not accidentally delete the ampersand (&) character immediately before the idpid query parameter.

    • The synthesized user access URL will look something like the following: https://accounts.google.com/o/saml2/initsso?idpid=C027n7bzh&spid=550052103502

Verify SSO Functionality with Your SAML App

TODO

Ensure that you have completed all steps in the Login Authentication Configuration Guide before proceeding to the following steps.

  1. Click on the TEST SAML LOGIN menu item within the vertical menu on the left-hand side.

  2. Input your login credentials, then click on the Next buttons.

READER NOTE

  • If your app does not open in a separate tab, use the details provided in the resulting SAML error messages to update your IdP settings. Then, retry the SAML login.

After logging in to Google successfully, you will be redirected to D3 vSOC.

FAQs

I am seeing a “You are not an authenticated user” message.

In your downloaded IdP metadata file (step 5 of the Setting Up Your Custom SAML Application section), you will find two ds:X509Certificate tags, each containing the value of your X.509 certificate. As shown in the image below, although the certificate may start with the same couple of alphanumeric characters, they end differently. If pasting one of these X.509 certificates into your D3 Login Authentication certificate configuration field (Configuration > Application Settings > Login Authentication > Certificate > Advanced Settings) does not work, try saving and using the other one.

Alternatively, simply copy the certificate from the UI shown in step 5 of the Setting Up Your Custom SAML Application section into your D3 Login Authentication certificate configuration field.
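
The Python example below is added here and is not part of D3's or Google's documentation. It reads the idpid from the downloaded metadata, fingerprints each ds:X509Certificate so the two values in this FAQ can be told apart, and builds and checks the user access URL described in the WARNING above. It assumes the metadata's entityID carries the idpid as a query parameter; the sample metadata and certificate bytes are constructed, and all function names are hypothetical.

```python
import base64, hashlib, re
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlparse

NS = {"ds": "http://www.w3.org/2000/09/xmldsig#"}
# Constructed stand-in for the downloaded IdP metadata. The certificate bodies
# are placeholder bytes, and the entityID layout (idpid in the query) is assumed.
CERT_A = base64.b64encode(b"constructed-cert-A").decode()
CERT_B = base64.b64encode(b"constructed-cert-B").decode()
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://accounts.google.com/o/saml2?idpid=C027n7bzh"><md:IDPSSODescriptor>
  <md:KeyDescriptor><ds:KeyInfo><ds:X509Data><ds:X509Certificate>{CERT_A}
  </ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  <md:KeyDescriptor><ds:KeyInfo><ds:X509Data><ds:X509Certificate>{CERT_B}
  </ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
</md:IDPSSODescriptor></md:EntityDescriptor>"""

def idp_id(metadata_xml):
    """Read the idpid query value out of the metadata's entityID attribute."""
    entity_id = ET.fromstring(metadata_xml).get("entityID", "")
    values = parse_qs(urlparse(entity_id).query).get("idpid", [])
    if len(values) != 1:
        raise ValueError("entityID does not carry exactly one idpid")
    return values[0]

def cert_fingerprints(metadata_xml):
    """SHA-256 of each ds:X509Certificate body, in document order."""
    nodes = ET.fromstring(metadata_xml).iterfind(".//ds:X509Certificate", NS)
    return [hashlib.sha256(base64.b64decode("".join((n.text or "").split()))).hexdigest()
            for n in nodes]

def user_access_url(idpid, spid):
    """Build the Target URL in the initsso format this guide gives."""
    for name, value in (("idpid", idpid), ("spid", spid)):
        if not re.fullmatch(r"[A-Za-z0-9_-]+", value):  # assumed ID character set
            raise ValueError(f"unexpected characters in {name}")
    return "https://accounts.google.com/o/saml2/initsso?" + urlencode({"idpid": idpid, "spid": spid})

def target_url_problems(url):
    """List what is wrong with a hand-assembled Target URL (empty list = OK)."""
    parts, problems = urlparse(url), []
    if (parts.scheme, parts.netloc, parts.path) != ("https", "accounts.google.com", "/o/saml2/initsso"):
        problems.append("not the initsso endpoint")
    query = parse_qs(parts.query)
    problems += [f"missing or repeated {k}" for k in ("idpid", "spid") if len(query.get(k, [])) != 1]
    return problems
```

Comparing the fingerprints against the certificate you pasted into D3 shows which of the two metadata values is actually configured.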
