How to configure Google as a relying party manually for TozID or Keycloak

Overview

This tutorial shows how to complete the integration between TozID and GSuite, allowing your organization to sign into all of its Google products using TozID. The same configuration settings also apply to any Keycloak-based deployment. Note that with TozID your passwords never leave the client devices, which adds another layer of protection. Learn more at TozID.
TozID also allows for instant configuration of GSuite: simply select "Google SAML" from the drop-down menu when creating a client.

Prerequisites

    Admin access to GSuite
    Admin access to your TozID Realm
    30 minutes

TozID Configuration

Start by logging into your realm through the Tozny dashboard. Select Clients from the left-hand menu, then the Create button at the top right. Enter the following values:
    Client ID: google.com/a/<your_gsuite_domain> (e.g. google.com/a/tozny.com)
    Client Protocol: saml
    Client SAML Endpoint: empty
Client creation step
Once you've created the client, configure the details of the SAML integration. The settings are:
    Client ID: google.com/a/<your_gsuite_domain>
    Name: Google
    Enabled: ON
    Client Protocol: SAML
    Include AuthnStatement: ON
    Sign Documents: ON
    Sign Assertions: ON
    Signature Algorithm: RSA_SHA256
    SAML Signature Key Name: None
    Canonicalization Method: Exclusive
    Force POST Binding: ON
    Front Channel Logout: ON
    Force Name ID Format: ON
    Name ID Format: email
    Base URL: /auth/realms/<your_realm_name>/protocol/saml/clients/googleapps?RelayState=true
    IDP Initiated SSO URL Name: googleapps
    IDP Initiated SSO Relay State: True
    Assertion Consumer Service POST Binding URL: https://www.google.com/a/<your_gsuite_domain>/acs
Next, configure the mapper that maps the user's email address to the SAML attribute emailAddress. Navigate to the Mappers tab of the client.
Gsuite Mapper Configuration
Extract your X.509 certificate for upload to Google. To do this, navigate to the Installation tab of the client and select SAML Metadata IDPSSODescriptor from the drop-down. Copy only the text between the <dsig:X509Certificate> and </dsig:X509Certificate> tags and save it to a new text file called cert.pem.
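Copying the certificate out of the metadata by hand is where this step usually goes wrong (tags, whitespace or the wrong KeyDescriptor end up in cert.pem). The following is an added example, not part of the Tozny documentation or TozID: it parses a constructed sample of the IDPSSODescriptor metadata, picks the signing KeyDescriptor, checks that the copied text is plain base64, and writes it out as PEM. The realm name, key name and certificate body in the sample are placeholders.

```python
import base64
import binascii
import textwrap
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample in the shape of Keycloak's "SAML Metadata IDPSSODescriptor"
# export. EXAMPLE_REALM and the certificate body are placeholders, not real values.
FAKE_CERT_B64 = base64.b64encode(b"placeholder DER bytes, not a real certificate").decode()
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}"
    entityID="https://api.e3db.com/auth/realms/EXAMPLE_REALM">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <dsig:KeyInfo xmlns:dsig="{NS['ds']}">
        <dsig:X509Data><dsig:X509Certificate>
          {FAKE_CERT_B64}
        </dsig:X509Certificate></dsig:X509Data>
      </dsig:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://api.e3db.com/auth/realms/EXAMPLE_REALM/protocol/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def clean_cert_body(raw: str) -> str:
    """Drop whitespace and check the copied text is plain base64 (no XML tags or headers)."""
    body = "".join(raw.split())
    try:
        base64.b64decode(body, validate=True)
    except binascii.Error as exc:
        raise ValueError("not plain base64: copy only the text inside <dsig:X509Certificate>") from exc
    return body

def extract_signing_cert_pem(metadata_xml: str) -> str:
    """Return the IdP signing certificate from the metadata as a PEM block for cert.pem."""
    root = ET.fromstring(metadata_xml)
    keys = root.findall(".//md:IDPSSODescriptor/md:KeyDescriptor", NS)
    # A KeyDescriptor with no "use" attribute is valid for both signing and encryption.
    signing = [k for k in keys if k.get("use", "signing") == "signing"]
    if not signing:
        raise ValueError("metadata has no signing KeyDescriptor")
    cert = signing[0].find(".//ds:X509Certificate", NS)
    if cert is None or not (cert.text or "").strip():
        raise ValueError("signing KeyDescriptor has no X509Certificate")
    body = clean_cert_body(cert.text)
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(textwrap.wrap(body, 64)) + "\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    open("cert.pem", "w").write(extract_signing_cert_pem(SAMPLE_METADATA))  # the file Google asks for
```

To use it against your own realm, replace SAMPLE_METADATA with the text of the Installation tab export.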

GSuite Configuration

Navigate to the GSuite Admin portal. Once logged in, go to the Security section of the portal.
Expand the section labeled Set up single sign-on (SSO) and enter the following values, substituting your realm name where applicable:
    Setup SSO with third party identity provider: CHECKED
    Sign-in Page URL: https://api.e3db.com/auth/realms/<your_realm_name>/protocol/saml/clients/googleapps
    Sign-out Page URL: https://id.tozny.com/<your_realm_name>
    Change Password URL: https://id.tozny.com/<your_realm_name>
    Verification Certificate: Upload your cert.pem file
    Use a domain specific issuer: CHECKED
Gsuite configuration
You're all set! Save those settings, and when you navigate to your GSuite Gmail domain you'll be able to log in with your TozID account.