Setup Google Workspace SAML with Provisioning (Guide)

Contents

Purpose

Google Workspace (formerly known as G-Suite) offers single sign-on via SAML integration with Practice Protect. This provides a seamless login experience to the Google apps (ex. Gmail, G-Drive & etc.) using IdP-initiated SAML.

Practice Protect will configure this on your behalf. Please send us an email at support@practiceprotect.com

It also has an option to enable provisioning. With provisioning enabled, it allows Practice Protect to manage user account creation and user information updates. Providing a centralised management platform for your employee’s access to Google Apps.

Prerequisites

The following will be required to complete this process.

System Administrator access to Practice Protect Portal
Google Workspace business subscription (Starter, Standard or Plus)
Account with Super Admin rights on Google Workspace (must not be a regular account).
A domain registered and verified on Google Workspace.

Instructions

Login to Practice Protect using an Admin Account. Once logged in, Switch to Admin Portal. You will be routed to the admin portal page.
On Core Services, Click on Roles > Add Roles. Create a role and set the name field to “Google Workspace Email Integration Users“. Then Save.
With the created role, click on Members > Add. Add each member/user that will be part of the Integration. Then click Save.
Next step is to add the Google Workspace SAML app. Proceed to Apps > Add Web Apps
On the app catalog, search for “Google Workspace” and Add the app Google Workspace (SAML + Provisioning). Hit “Yes” to add the application. Close after.
On the Settings, enter the Primary Domain in the Your Primary Domain in Google Workspace field. Click Save.
Go to Trust > On Identity Provider Configuration, select Manual Configuration > On Signing Certificate, Click Download to download the certificate to your local drive. Copy the Sign-in page URL and Sign-out page URL and paste it on notepad temporarily. You will use these (certificate, sign-in and sign-out URL) data on the SSO configuration in Google Workspace later.
Scroll down and go to Service Provider Configuration > select Manual Configuration > On Recipient, tick the box Same as ACS URL. Leave the others as default then click Save.
Going down to the SAML Response settings. Add Script to set custom claims, remove line 8 and replace it with the following and Save.
var Relay = 'https://workspace.google.com/dashboard'; setRelayState(Relay);
On a separate browser tab, login to Google Admin page. On the left navigation menu, go to Security > Authentication > SSO with third party IdP.
Click ADD SSO PROFILE on third-party SSO profile for your organization.
Copy Sign-in page URL and Sign-out page URL from Step 8 and paste it on the corresponding required fields. On the verification certificate, upload the certificate that was downloaded (Step 8).
On Change password URL field, paste the Practice Protect tenant URL (i.e. https://yourtenantdomain.id.cyberark.cloud/). Leave the other settings as default then click Save.Note: Make sure that Set up SSO with third party identity provider is switch off as once enabled, users will redirect to Practice Protect right away to access their Google Workspace apps.
(Optional) As this is company wide change, excluding a group of users can be done by following this guide

Enable and Setup Provisioning

Return to Google Admin and proceed to API Controls > MANAGE THIRD-PARTY APP ACCESS
Click on Add App > OAuth App Name or Client ID. Search for the app name below
736006718218-v15dghc4juspi26qv6f4omas8drqgprj.apps.googleusercontent.com
Select Cyberark Next-Gen Access and on the App Access, choose “Trusted: Can access all Google services” and click Configure.
Return to Practice Protect Admin Portal and on the Web Apps, find and click the app “Google Workspace” that was created on Step 6.
Within the app menu, select Provisioning and then tick the box “Enable provisioning for this application”. This reveals the configuration settings that requires to be setup.
In order to proceed, make sure that Live Mode is selected and click Authorize. This will prompt you to login on Google Workspace. Use the Super Admin account credential.
Click ALLOW to authorize Practice Protect Identity Service to provision users. It will notify you once authorization is successful.
Note: If the rest of configuration settings are still not loading even after a successful authorization, just refresh the page where provisioning settings is open.
On Sync Options, tick the box of the following:
– Sync (overwrite) users to target application when existing users are found with the same principal name.
– Do not de-provision (deactivate or delete) users in target application when the users are removed from mapped role.
– User Deprovisioning Options: Disable user
– Deprovision (deactivate or delete) users in this application when they are disabled in the source directory
Scroll down to Role Mapping and click Add. New pop-up setting will show up (Role mapping).
– Role field, select the role that was created from Step no. 3 (i.e Google Workspace Email Integration Users).
– Destination Organizational Unit field, select the OU that corresponds to the created Role in Google Workspace(i.e /Administrator). Otherwise select “/” for all.
– Destination Domain/Group select the desired domain if you have more than 1 domain. Otherwise leave blank.

This is how you can also map a Group from Google Workspace and that is by creating equivalent Role in Practice Protect, assign the members then map it on the Role Mapping Provisioning Settings.
Hit Done to apply. Then select Save.
NOTE: When you create a user in Practice Protect then assign that user to the Role (i.e Google Workspace User) that user will be provision (created) to its corresponding Destination Organizational Unit (OU) in Google Workspace once synced.
The next step below is to add a provisioning script
- On Provisioning, click on Provisioning Script. Within the script editor remove all of them and replace it with the below:
  
  if (source.Classification == "User") { destination.DisplayName = source.DisplayName; destination.PrimaryEmail = source.Email;
  trace('DisplayName=' + destination.DisplayName); trace('PrimaryEmail=' + destination.PrimaryEmail);
  var nameTokens = source.DisplayName.split(" "); destination.FirstName = nameTokens[0]; if (nameTokens.length == 1) { destination.LastName = nameTokens[0]; } else { destination.LastName = nameTokens.slice(1, nameTokens.length).join(" "); }var proxyAddresses = source.Get("Proxy_Addresses"); if (proxyAddresses !== null && proxyAddresses.Length > 0) { var addrString = ""; for (var i = 0; i < proxyAddresses.Length; i++) { if (addrString) { addrString += "," + proxyAddresses[i]; } else { addrString = proxyAddresses[i]; }} destination.Aliases = addrString;}}
  if (source.Classification == "Group") { var propArr = getSourcePropertyByName("description"); if (propArr && propArr.Length) { destination.Description = propArr[0]; } destination.Email = source.Email; propArr = getSourcePropertyByName("name"); if (propArr && propArr.Length) { destination.Name = propArr[0]; }}
- Script should look like this.
- Hit Save to apply.
- Go to Settings > Customization > Additional Attributes > Click Add. On Additional Attribute page Enter Proxy_Addresses on the Name field then select Text on the Type Click Add.
- (Optional) Add new email aliases/proxy addresses for the users if necessary. Go back to Core Services > Users > Click on the desired user > Additional Attributes > Add the additional alias on Proxy_Addresses value. If multiple, make sure to separate each aliases by a comma (,) i.e. alias1@emaildomain.com, alias2@emaildomain.com
- Click Save.
Start manual synchronization by going to the Settings > Users > Outbound Provisioning. On Provisioning Enabled Applications > Select the app (e.g. Google Workspace) and press Start Sync
You can view the real time status of synchronization by clicking on View Synchronization Job Status and Reports. Once the Synchronization is successful and completed for all users, any changes in Practice Protect will reflect in Google Workspace.
This completes the configuration setup of Google Workspace with Provisioning for Practice Protect.

Remove Google Workspace administrator privileges (Super Admin)

Accounts that has Super Admin rights will not be email integrated so in order to apply, one should consider removing its privilege and set it as a regular user. You can still re-apply low type of privilege (User Management)

Take note that there should be at least one Super Admin Account within Google Workspace for revoking any poor changes and serve as a fallback.

In the Google Admin Console, go to the left navigation Menu > Directory > Users. You must be signed in as a Super Admin for this task.
Select and click the user’s name of the admin you wish revoke privilege. This should open their account setup page.
Click the Admin roles and privilege
Select the desired role (Ex. Super Admin). then click on the slider to revoke or remove the role.
At the bottom section, click Save. You’ll get a pop-up confirmation message that the roles has been updated.

Enable Google Workspace Email Integration

Return to Google Admin SSO settings through this page and enable SSO by ticking the box “Set up SSO with third-party identity provider” and hit Save to apply changes.
Return to the Google Workspace tile in the Practice Protect Admin Portal. Choose Permissions. On Permissions, Add the role which contains the users for email integration (i.e. Google Workspace Email Integration Users) and click Save to apply. This should display the app on their user portal and can be used once activated.
Test by signing in to any Google Workspace apps (Gmail, G-Drive, etc.) directly in the browser or mobile app (if using). Enter Email/Username then click Next. This should redirect the page to Practice Protect for login authentication.