Connect to Google Workspace with SAML 2.0

Connect Google Workspace to FoxIDs with a SAML 2.0 authentication method. Google Workspace is a SAML 2.0 Identity Provider (IdP) and FoxIDs acts as a SAML 2.0 Relying Party (RP).

By configuring a SAML 2.0 authentication method and an OpenID Connect application, FoxIDs becomes a bridge between SAML 2.0 and OpenID Connect and automatically converts SAML 2.0 claims to JWT (OAuth 2.0) claims.

The Google Workspace OpenID Connect implementation is lacking, mostly because it does not support any custom claims or group claims. It is therefore recommended to use Google Workspace with SAML 2.0.

Configuring Google Workspace

This guide describes how to set up Google Workspace as a SAML 2.0 Identity Provider.

1 - Start by creating a SAML 2.0 authentication method in FoxIDs Control Client

  1. Select the Authentication tab
  2. Click New authentication and then Identity Provider (SAML 2.0)
  3. Add the Name e.g. Google Workspace
  4. Disable Automatic update

FoxIDs SAML 2.0 authentication method for Google Workspace

  1. Copy the Entity ID and ACS URL for later (marked with red arrows)

Leave the browser window open; we'll continue shortly.

2 - Then create an app in Google Workspace (Direct Google Workspace apps link)

  1. Select Apps and then Web and mobile apps
  2. Click Add app and then Add custom SAML app

Google Workspace add SAML app

  1. Add the App name e.g. FoxIDs app
  2. Click CONTINUE
  3. Download the Google Workspace metadata by clicking DOWNLOAD METADATA
  4. Click CONTINUE
  5. Add the ACS URL and Entity ID from FoxIDs
  6. In Name ID format select EMAIL

Google Workspace add SAML app

  1. Click CONTINUE
  2. Optionally add additional attributes / claims
  3. Click FINISH
  4. Click User access
  5. Select ON for everyone
  6. Click SAVE

Be patient, it may take a while before the Google app is ready.

3 - Then go back to the SAML 2.0 authentication method in FoxIDs Control Client

  1. Click Read metadata from file and select the Google Workspace metadata file
    The authentication method is configured

FoxIDs SAML 2.0 authentication method for Google Workspace

  1. Click Create
  2. Click Test authentication to test the Google Workspace connection
    You can log in with your Google Workspace account and see how the SAML 2.0 claims are converted to JWT claims

Google Workspace does not support logout.