GSuite
Following this tutorial will show you how to complete the integration between TozID and GSuite. This will allow your organization to sign into all of their Google products using TozID. Additionally these configuration settings can be useful in any Keycloak based deployment. Note that with TozID your passwords never leave the client devices to add another layer of protection. Learn more at TozID.
TozID allows for instant configuration of GSuite. Simply select "Google SAML" from the drop down menu when creating a client.
Admin access to GSuite
Admin access to your TozID Realm
30 minutes
Start by logging into your realm through the Tozny dashboard. Select clients from the left hand menu and then the create button on the top right. Enter the following values:
Client ID: google.com/a/<your_gsuite_domain> (eg google.com/a/tozny.com)
Client Protocol: saml
Client SAML Endpoint: empty
Once you've created the client application we can configure the details of our SAML integration. Below are the settings:
Setting | Value |
Client ID | google.com/a/<your_gsuite_domain> |
Name | |
Enabled | ON |
Client Protocol | SAML |
Include AuthnStatement | ON |
Sign Documents | ON |
Sign Assertions | ON |
Signature Algorithm | RSA_SHA256 |
SAML Signature Key Name | None |
Canonicalization Method | Exclusive |
Force POST Binding | ON |
Front Channel Logout | ON |
Force Name ID Format | ON |
Name ID Format | |
Base URL | /auth/realms/<your_realm_name>/protocol/saml/clients/googleapps?RelayState=true |
IDP Initiated SSO URL Name | googleapps |
IDP Initiated SSO Relay State | True |
Assertion Consumer Service POST Binding URL | https://www.google.com/a/<your_gsuite_domain>/acs |
Configure the mapper which maps an email address to the SAML attribute of emailAddress. Navigate to the mappers tab of the client.
Extract your X509 certificate for upload to Google. To do this navigate to the Installation tab of the client application and select SAML Metadata IDPSSODescriptor from the drop down. You need to select only the text between the tag <dsig:X509Certificate>. Save that to a new text file called cert.pem.
Navigate to the GSuite Admin portal. Once logged in go to the security section of the portal.
Expand the section labeled Set up single sign-on (SSO) and enter the following values with your realm where applicable.
Setting | Value |
Setup SSO with third party identity provider | CHECKED |
Sign-in Page URL | https://api.e3db.com/auth/realms/<your_realm_name>/protocol/saml/clients/googleapps |
Sign-out Page URL | https://id.tozny.com/<your_realm_name> |
Change Password URL | https://id.tozny.com/<your_realm_name> |
Verification Certificate | Upload your cert.pem file |
User a domain specific issuer | CHECKED |
You're all set! Save those settings and when you navigate to your gsuite gmail domain you'll be able to login with your TozID account.