SSO with Google Workspace

Introduction

This KB article takes you through the steps required to integrate Google Workspace with BMS for single sign-on (SSO).

Prerequisite

You should have an active Google Workspace admin account (https://admin.google.com/?pli=1).

Setting up Google Workspace

  1. Log in and navigate to the admin dashboard.
  2. Once you navigate to the admin dashboard, go to Apps > Web and mobile apps > Add App > Add custom SAML app.

App details

  1. Fill in the app name, description and attach an app icon.
  2. Click Continue.

Google identity provider details

  1. ACS URL: Enter the ACS URL. The ACS URL should be in the format https://<your PSA server URL>/SAML/Connect.aspx.
  2. Entity ID: Enter your PSA server URL in the format https://<BMS server name>.com.
  3. Select the Signed response checkbox.
  4. Name ID format: Select Email.
  5. Name ID: Select Basic information > Primary email.
  6. Click Continue.

Attribute mapping

Below are the attributes used in Google Workspace.

Google Directory Attributes | App Attributes
Primary email               | email
First name                  | firstname
Last name                   | lastname
Primary email               | username
CompanyName                 | kaseya support

Please note that CompanyName is a custom attribute.

How to create a custom attribute

  1. Navigate to Directory > user > More options > Add custom attributes.
  2. From the Category dropdown, select Custom attribute.
  3. In the Custom Fields field, enter CompanyName.
  4. From the Info Type dropdown, select Text.
  5. From the Visibility dropdown, select Visibility to user and admin.
  6. From the No. of Values dropdown, select Single Value.
  7. Click Save.



Custom attribute and its application

In the custom app

The custom attribute will be used in two places.

  1. Navigate to Apps and click SAML attributes mapping.

  2. Click Add mapping.

  3. Click Select field.

  4. Scroll to the bottom of the list and select the custom attribute that you created.

  5. Enter your tenant name. (To find out the tenant name, go to BMS > My Profile > My Settings > Company Name. The company name is the tenant name. It is case sensitive.)

  6. Click Save.

User for whom the SSO needs to be enabled

  1. Navigate to Users. Click the name of the particular user.

  2. Expand User information.

  3. Click Edit and add your tenant name.

  4. Enter your tenant name. (To find out the tenant name, go to BMS > My Profile > My Settings > Company Name. The company name is the tenant name. It is case sensitive.)




User access for the app created

  1. Click User access.

  2. Select the users.
  3. Click Save.

Custom SAML login endpoint URL

  1. Copy the SSO URL and paste it in BMS. Username and SPID are not needed now.

  2. Navigate to Apps > Web and mobile apps > Download Metadata.

  3. Navigate to Admin > My Company > Auth & Provision and paste the SAML Login Endpoint URL.

Downloading the certificate

  1. Download the certificate.

  2. IMPORTANT: Once the file is downloaded, go to the Downloads folder, right-click the file and rename it with the .cer file extension if it shows a different file extension.

  3. After the extension is changed, add the file to BMS.

  4. Select the file, click Upload Certificate, and then click Save.
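Before uploading, you can confirm that the renamed .cer file and the SSO URL pasted into BMS both match the metadata downloaded under "Custom SAML login endpoint URL". The script below is an added example, not part of the original article or of BMS. The function names, the idp.example.test URL and the placeholder certificate bytes are assumptions constructed for illustration.

```python
import base64
import hashlib
import re
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def cert_der(data: bytes) -> bytes:
    """DER bytes of a certificate file; PEM is decoded, anything else is taken as DER."""
    m = re.search(rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", data, re.S)
    return base64.b64decode(m.group(1)) if m else data

def fingerprint(der: bytes) -> str:
    return hashlib.sha256(der).hexdigest()

def check_idp_settings(metadata: bytes, cert_file: bytes, sso_url: str) -> list:
    """Compare the values entered in BMS with the downloaded IdP metadata.
    Returns a list of problems; an empty list means they agree."""
    if b"<!DOCTYPE" in metadata:  # metadata needs no DTD; avoid entity expansion
        return ["metadata contains a DTD, not parsed"]
    root = ET.fromstring(metadata)
    problems = []
    if not sso_url.lower().startswith("https://"):
        problems.append("SSO URL is not HTTPS")
    locations = {e.get("Location") for e in root.iterfind(".//md:SingleSignOnService", NS)}
    if sso_url not in locations:
        problems.append("SSO URL is not listed in the IdP metadata")
    known = {fingerprint(base64.b64decode(e.text or ""))
             for e in root.iterfind(".//ds:X509Certificate", NS)}
    if fingerprint(cert_der(cert_file)) not in known:
        problems.append("certificate file differs from the metadata certificate")
    return problems

# Constructed sample input: placeholder bytes stand in for a real certificate.
SAMPLE_DER = b"constructed placeholder, not a real X.509 certificate"
SAMPLE_B64 = base64.b64encode(SAMPLE_DER).decode()
SAMPLE_PEM = f"-----BEGIN CERTIFICATE-----\n{SAMPLE_B64}\n-----END CERTIFICATE-----\n".encode()
SAMPLE_SSO = "https://idp.example.test/saml2/idp?idpid=PLACEHOLDER"
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" entityID="https://idp.example.test">
 <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:KeyDescriptor use="signing"><ds:KeyInfo xmlns:ds="{NS['ds']}"><ds:X509Data>
   <ds:X509Certificate>{SAMPLE_B64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
   Location="{SAMPLE_SSO}"/>
 </md:IDPSSODescriptor></md:EntityDescriptor>""".encode()

if __name__ == "__main__":
    print(check_idp_settings(SAMPLE_METADATA, SAMPLE_PEM, SAMPLE_SSO) or "settings agree")
```

To check your own files, read the downloaded metadata and the .cer file in binary mode and pass them in place of the samples. Renaming the file changes only its extension, so a PEM file renamed to .cer still produces the same fingerprint.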

BMS setup

  1. Navigate to HR > Employees. Open the particular user's profile and enable SSO for the user.

  2. Once the SSO has been enabled for the user, the user will be able to log into the BMS instance now with the gateway URL. The user can also click on it.