Target
This applies to customers using HENNGE Access Control with Google Workspace.
Purpose
Configure HENNGE Access Control and Single Sign-On (SSO) for only some users of Google Workspace, so that login to Google Workspace is done through HENNGE Access Control.
Notes
1. Following the steps in this article changes the Google Workspace login screen for the target users to HENNGE Access Control. Consider the scope of impact and the timing of the work carefully before proceeding.
2. Information (Username and Password) for the administrator account of HENNGE Access Control is required.
3. Information (Username and Password) for the privileged administrator account of the Google Workspace tenant is required.
4. Google Workspace accounts with privileged administrator rights are excluded from Single Sign-On (SSO).
https://support.google.com/a/answer/6341409?hl=en-us
5. Before performing this task, make sure that users with the same email address are created in both Google Workspace and HENNGE Access Control.
If there is a mismatch in email addresses or if the user does not exist in either, the user will not be able to log in to Google Workspace.
6. If the operation does not work as expected, you may be asked to contact Google.
7. Even if only some users use HENNGE One products, you need to purchase the same number of licenses as Google Workspace.
HENNGE One License Concept
8. The content of this article is based on the product as of August 2024 and may change without notice thereafter.
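A pre-flight check for notes 4 and 5, added here as an example and not taken from HENNGE's or Google's documentation: it compares a Google Workspace user export with a HENNGE Access Control user export and reports which users in the target organizational unit would be unable to log in after the switch. The CSV column names, the preflight function, the sample data and the treatment of child organizational units are assumptions.

```python
import csv
import io

# Column names below are assumptions; adjust them to match your real exports.
EMAIL_COL, OU_COL, HENNGE_COL = "Email Address [Required]", "Org Unit Path [Required]", "email"

# Constructed sample data (not real accounts).
GOOGLE_CSV = """Email Address [Required],Org Unit Path [Required]
alice@example.com,/SSO-Users
Bob@Example.com,/SSO-Users
carol@example.com,/SSO-Users
dave@example.com,/Sales
root@example.com,/SSO-Users
erin@example.com,/SSO-Users/Pilot
"""
HENNGE_CSV = """email
alice@example.com
bob@example.com
carol@example.co.jp
erin@example.com
"""
SUPER_ADMINS = {"root@example.com"}  # constructed; note 4: excluded from SSO


def preflight(google_csv, hennge_csv, sso_ou, super_admins=()):
    """Classify every Google user in sso_ou (and its child OUs) before cutover."""
    hennge = {r[HENNGE_COL].strip() for r in csv.DictReader(io.StringIO(hennge_csv))}
    hennge_lower = {e.lower() for e in hennge}
    admins = {a.strip().lower() for a in super_admins}
    report = {"ready": [], "case_differs": [], "missing_in_hennge": [], "admin_not_sso": []}
    prefix = sso_ou.rstrip("/") + "/"  # assumption: child OUs inherit the assignment
    for row in csv.DictReader(io.StringIO(google_csv)):
        ou = row[OU_COL].strip()
        if ou != sso_ou and not ou.startswith(prefix):
            continue  # user is outside the SSO rollout
        email = row[EMAIL_COL].strip()
        if email.lower() in admins:
            key = "admin_not_sso"      # will keep signing in at Google
        elif email in hennge:
            key = "ready"              # exact match on both sides
        elif email.lower() in hennge_lower:
            key = "case_differs"       # review by hand before cutover
        else:
            key = "missing_in_hennge"  # would be unable to log in (note 5)
        report[key].append(email)
    return report


if __name__ == "__main__":
    for status, users in preflight(GOOGLE_CSV, HENNGE_CSV, "/SSO-Users", SUPER_ADMINS).items():
        print(f"{status}: {', '.join(users) or '-'}")
```

Resolve every address reported as missing_in_hennge or case_differs before assigning the SSO profile in step 5.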
Detailed Procedure and Explanation
1. Create a New Organizational Unit in Google Workspace
1.1. Create an organizational unit under the parent organization to register the target account.
Add an Organizational Unit
* You will be redirected to Google's support page.
1.2. Register the account you want to target for Single Sign-On (SSO) in the organizational unit added in 1.1.
Move Users to an Organizational Unit
* You will be redirected to Google's support page.
2. Set Up the Connected Service for HENNGE Access Control
Follow the steps below.
Temporary Setup of HENNGE One Connected Service
* STEP 6 (Metadata retrieval) is not required.
3. Create an SSO Profile in Google Workspace
3.1. Access [ Google Admin Console ] → [ Security ] → [ Authentication ] → [ SSO with third-party IdP ].
3.2. From [ Third-party SSO Profile ] → [ Add SAML Profile ], set the following.
・SSO Profile Name: Any name
・IdP Entity ID: IdP Issuer copied in step 2
・Login Page URL: Single Sign-On URL copied in step 2
・Logout Page URL: Sign-Out URL copied in step 2
・Password Change URL: Single Sign-On URL copied in step 2
・Upload Certificate: SAML Signing Certificate obtained in step 2
3.3. After you press [ Save ], [ Entity ID ] and [ ACS URL ] are displayed in [ SP Details ]. Make a note of them.
4. Edit the Connected Service Settings for HENNGE Access Control
4.1. Edit the connected service created in step 2.
・ACS URL: ACS URL noted in step 3.3
・SP Issuer (Audience): Entity ID noted in step 3.3
4.2. Set access permissions for the connected service created in step 2.
・Refer to the following steps to configure access permissions to the created service provider for SSO target users or the access policy group containing SSO target users.
Configure Access Permissions to SP Service
* In this setup, the default service provider [Gmail] is not used. If necessary, uncheck the default [Gmail] service provider from the overall access policy group.
5. Implement Google Workspace SSO Settings
5.1. Access [Google Admin Console] → [Security] → [Authentication] → [SSO with third-party IdP] and click [Manage SSO Profile Assignment] → [Try it now] *.
* If it is not the first time assigning an SSO profile, click [Manage].
5.2. Select the organizational unit created in Step 1, choose [Another SSO Profile] → [SSO Profile created in Step 3] → [Redirect to this profile's IdP login page after prompting for username in Google] → click [Save].
5.3. Click [Domain-specific service URL], select "Prompt for username on Google's login page first," and click [Save].
※ If there are organizational units or groups not using SSO, be sure to select this setting. If this setting is not configured, users not using SSO may be automatically redirected to HENNGE Access Control and unable to log in.
6. Verify Connection
6.1. Verify whether the connection has been completed successfully.
・Verification for SSO target users
Users in the organizational unit targeted for SSO should access a Google Workspace service, log in, and confirm that the HENNGE Access Control authentication screen is displayed.
※ Google Workspace accounts with privileged admin rights are excluded from single sign-on (SSO).
・Verification for non-SSO target users
Users outside the organizational unit targeted for SSO should access a Google Workspace service, log in, and confirm that the HENNGE Access Control authentication screen is not displayed and that they can log in.
Reference
・Set up SSO for your organization (Google Workspace Admin Help)