Google workspaces SAML Authentication with Cognito
There are two major steps in setting up Google Workspace SAML authentication.
-
Create Groups
-
Setup SAML application.
These two steps require the user to login to Google Workspace as an admin user
-
Create Groups
PaladinCloud has 4 roles
-
AccountManager
-
ReadOnly
-
TechnicalAdmin
-
SecurityAdmin
Need to create 4 Groups as shown below.
Directory – – > groups – – > create group
![screenshot of group details](https://paladincloud.io/wp-content/uploads/2023/11/78153ced-0fc6-4970-866a-b21c2e478a57.png)
Click next and choose public and anyone in the organization can join and click on Create group
![screenshot of the access type settings](https://paladincloud.io/wp-content/uploads/2023/11/2.png)
-
Create SAML App
Note: ACS and entity ID are provided by PaladinCloud. These parameters will be used in Step 4 of creating SAML app.
Step 1:-
Apps –> web and mobile apps – – > Add app – – > Add custom SAML app
![Admin > Add App screenshot](https://paladincloud.io/wp-content/uploads/2023/11/3.png)
Step 2:-
Fill in the app details
![App details screenshot](https://paladincloud.io/wp-content/uploads/2023/11/4.png)
Step 3:-
In this step download the METADATAFILE to be provided to the PaladinCloud Team
![Download Metadata screenshot](https://paladincloud.io/wp-content/uploads/2023/11/5.png)
Step 4:-
Update ACS and entity ID which is provided by PaladinCloud Team.
![Service provider details screenshot](https://paladincloud.io/wp-content/uploads/2023/11/6.png)
Step 5:-
Update App attributes and the groups as shown below
![SAML attribute matching screenshot](https://paladincloud.io/wp-content/uploads/2023/11/7.png)
-
Primary email (http://schemas.xmlsoap.org/ws/2005/05/identity/claims/email)
-
First name (http://schemas.xmlsoap.org/ws/2005/05/identity/claims/firstname)
-
Last Name
Google Groups:-
-
AccountManager
-
ReadOnly
-
TechnicalAdmin
-
SecurityAdmin
App attributes for the group is (http://schemas.xmlsoap.org/ws/2005/05/identity/claims/groups)
Once the above values are updated click on FINISH
Step 6:-
Click on user access in service status and select ON for everyone as shown in the below diagram
![Screenshot of ON for everyone selected](https://paladincloud.io/wp-content/uploads/2023/11/9.png)
Once the above steps click on Save
This would complete the Setup for SSO and can be tested once the Paladin Cloud team installs the Metadata file on their side.