• Pre-requisites
• Steps
  • 1. In the Command Center, configure your User Identity Provider
  • 2. Launch a new Application Integration in Google Workspace
  • 3. Save the Google Workspace fields in the CSE Command Center

Google Workspace SSO allows Google Workspace organizations to have users sign in to all their applications using their managed Google account credentials. Cloud Secure Edge (CSE) integrates with your organization’s Google Workspace SSO to authenticate enterprise users that need access to CSE-secured services.

Pre-requisites

• admin access to Google Workspace and permissions to add a new SAML app.

Steps

1. In the Command Center, configure your User Identity Provider

1.1 Navigate from Settings > Identity and Access tab > End User tab. Under Provider Name, select Other and enter Google Workspace in the field below. Under Provider Protocol, select SAML.

1.2 Note the Redirect URL provided in the configuration field.

2. Launch a new Application Integration in Google Workspace

2.1 Log into your Google Workspace Admin account.

2.2 Navigate from Apps > SAML apps.

2.3 Choose Setup My Own Custom App.

2.4 Take note your SSO URL, download the certificate, and then select Next.

2.5 Name the application CSE TrustProvider, upload the CSE logo, and then select Next.

2.6 When asked for ACS URL and Entity ID, use the Redirect URL you obtained in Step 1.2. Set the Name ID Format to EMAIL.

2.7 Set up the attribute mappings. CSE requires your IDP’s returned SAML assertion to contain attributes that can be mapped to a user’s email, username, and groups.

Set the Attribute Mappings as follows:

• email -> Primary Email
• name -> Last Name

If you have groups, then search for your group under Group membership (optional) and add your required groups to the groups App attribute; these will then be returned in the groups attribute when your end users authenticate.

2.8 Select Save to save the application details in Google Workspace.

2.9 Select the CSE TrustProvider SAML app (created in Step 2.5) and set to ON for everyone. This will allow CSE to federate authentication of all users in your organization to your SAML IDP.

Note: Apply Policies in the Command Center to manage which users can access specific internal applications.

3. Save the Google Workspace fields in the CSE Command Center

3.1 Return to the Identity Provider page in the Command Center (Settings > Identity and Access tab > End User tab) and enter the CSE TrustProvider app parameters from Google Workspace:

• IDP SSO URL (from Step 2.4)
• Entity Issuer - Leave this optional field blank. It will default to the Redirect URL.
• IDP CA Certificate (from Step 2.4)
• Username Attribute (from Step 2.7)
• Email Attribute (from Step 2.7)
• Groups Attribute (from Step 2.7)
• Groups Delimiter – Do not use this field. Entering an incorrect value may lead to configuration errors and behaviour issues. Please contact CSE Support for assistance.

3.2 Select Update Identity Provider Config to save the settings.

---