Target
- Customers configuring Single Sign-On (SSO) between HENNGE Access Control and Google Workspace
Purpose
- Configure Single Sign-On (SSO) between HENNGE Access Control and Google Workspace, enabling login to Google Workspace from HENNGE Access Control.
Notes
- By following the steps in this article, the login screen for Google Workspace will be changed to HENNGE Access Control for the target users.
Therefore, please consider the scope of impact and working hours carefully before proceeding.
- The information of the HENNGE Access Control administrator account (username and password) is required.
- The information of the privileged administrator account of Google Workspace (username and password) is required.
- Super administrators of Google Workspace are not eligible for Single Sign-On (SSO).
https://support.google.com/a/answer/6341409?hl=en-us
- Prior to performing this operation, ensure that users with the same email address exist in both Google Workspace and HENNGE Access Control.
If the email addresses do not match, or if a user is missing from either system, the user will be unable to log in to Google Workspace.
- If the operation does not behave as expected, you may be asked to contact Google for assistance.
- Even if only a portion of users are using HENNGE One products, the same number of licenses as Google Workspace licenses must be purchased.
Understanding HENNGE One licenses
- The content of this article is based on the product as of November 2024 and is subject to change without notice.
Procedures
Creating a New Organizational Unit in Google Workspace
This procedure is performed when you want to implement HENNGE Access Control and SSO integration for only a subset of users. If you want to implement SSO integration for all users, proceed to the next step, "Setting up the Service Provider for HENNGE Access Control".
1. Create an organizational unit under the parent organization for the target accounts to be registered.
Add an organizational unit
※ Redirects to Google's support page.
2. Register the accounts you want to target for Single Sign-On (SSO) in the organizational unit created in step 1.
Move users to an organizational unit
※ Redirects to Google's support page.
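The Notes above require that every SSO-targeted user exists with the same email address in both systems, and state that super administrators are not eligible for SSO. The following pre-flight check over two user exports is an added example, not part of the original article or any HENNGE or Google tooling. The CSV column names, the `/SSO-Pilot` organizational unit, and all sample data are constructed assumptions.

```python
import csv

# Constructed sample exports; column names and layout are assumptions.
GOOGLE_CSV = """Email Address [Required],Org Unit Path [Required]
alice@example.com,/SSO-Pilot
Bob@Example.com,/SSO-Pilot
carol@example.com,/SSO-Pilot
dave@example.com,/
root@example.com,/SSO-Pilot
"""
HENNGE_CSV = """email
alice@example.com
bob@example.com
root@example.com
"""
SUPER_ADMINS = {"root@example.com"}  # constructed


def norm(address):
    """Assumes both systems compare addresses case-insensitively."""
    return address.strip().casefold()


def in_scope(ou_path, target_ou):
    """True for target_ou itself or a child OU (assumes the child inherits the assignment)."""
    prefix = target_ou.rstrip("/") + "/"
    return ou_path == target_ou or ou_path.startswith(prefix)


def preflight(google_csv, hennge_csv, target_ou, super_admins=()):
    """Classify the Google users covered by the SSO profile assignment."""
    hennge = {norm(r["email"]) for r in csv.DictReader(hennge_csv.splitlines())}
    admins = {norm(a) for a in super_admins}
    report = {"ready": [], "missing_in_hennge": [], "super_admin_no_sso": []}
    for row in csv.DictReader(google_csv.splitlines()):
        email = norm(row["Email Address [Required]"])
        if not in_scope(row["Org Unit Path [Required]"].strip(), target_ou):
            continue  # outside the SSO organizational unit
        if email in admins:
            report["super_admin_no_sso"].append(email)
        elif email in hennge:
            report["ready"].append(email)
        else:
            report["missing_in_hennge"].append(email)
    return report


if __name__ == "__main__":
    for bucket, users in preflight(GOOGLE_CSV, HENNGE_CSV, "/SSO-Pilot", SUPER_ADMINS).items():
        print(f"{bucket}: {', '.join(users) or '-'}")
```

Any address reported under `missing_in_hennge` would be unable to log in once the SSO profile is assigned to that organizational unit; pass `"/"` as the target to check an all-users rollout.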
Setting up the Service Provider for HENNGE Access Control
Follow the steps below.
Provisional setup of HENNGE One Service Provider
※ STEP 6: Metadata acquisition is not required.
Creating a Google Workspace SSO Profile
1. Access [Google Admin Console] - [Security] - [Authentication] - [SSO with third-party IdP].
2. Configure the following under [Third-party SSO profiles] - [ADD SAML PROFILE].
※ Use the values obtained in "Setting up the Service Provider for HENNGE Access Control".
- SSO Profile Name: Any name
- IdP Entity ID: Paste the IdP Issuer
- Sign-in page URL: Paste the SSO login URL
- Sign-out page URL: Paste the Logout URL
- Change password URL: Paste the SSO login URL
- Upload certificate: Upload the obtained SAML signing certificate
3. After pressing [SAVE], note down the [Entity ID] and [ACS URL] under [SP details].
Editing the Service Provider Settings in HENNGE Access Control
1. Edit the service provider created in "Setting up the Service Provider for HENNGE Access Control".
- ACS URL: Paste the ACS URL from step 3 of "Creating a Google Workspace SSO Profile"
- SP Issuer (Audience): Paste the Entity ID from step 3 of "Creating a Google Workspace SSO Profile"
2. Set access permissions to the service provider created in "Setting up the Service Provider for HENNGE Access Control".
Refer to the following steps to set access permissions to the service provider for SSO-targeted users or access policy groups where SSO-targeted users are stored.
Setting access permissions to SP services
※ The default service provider [Gmail] is not used, so if necessary, uncheck the [Gmail] service provider set by default from the overall access policy group.
Implementing Google Workspace SSO settings
When setting up SSO integration for all users
1. Access [Google Admin Console] - [Security] - [Authentication] - [SSO with third-party IdP], and click [Manage SSO profile assignments] - [Try it] ※.
※ If [Try it] is not displayed, click [Manage].
2. Select the top-level organizational unit, and from the [Select SSO profile] dropdown list, specify the profile prepared in the "Creating a Google Workspace SSO Profile" procedure.
3. Click [Have Google prompt for their username, then redirect them to this profile's IDP sign-in page] - [Save].
When setting up SSO integration for specific users
1. Access [Google Admin Console] - [Security] - [Authentication] - [SSO with third-party IdP], and click [Manage SSO profile assignments] - [Try it] ※.
※ If [Try it] is not displayed, click [Manage].
2. Select the organizational unit prepared in "Creating a New Organizational Unit in Google Workspace", and from the [SSO profile] dropdown list, specify the profile prepared in the "Creating a Google Workspace SSO Profile" procedure.
3. Click [Have Google prompt for their username, then redirect them to this profile's IDP sign-in page] - [Save].
4. Click [SSO with third-party IdP] - [Domain-specific service URL], select "Request user input for username on Google's login page first," and then click [Save].
※ If there are organizational units or groups not using SSO, be sure to select this setting. Failure to do so may result in users not using SSO being automatically redirected to HENNGE Access Control and unable to log in.
Connection verification
- Verification for SSO target users
Access Google Workspace services as a user in the SSO-enabled organization, log in, and confirm that the HENNGE Access Control authentication screen is displayed.
※ Google Workspace accounts with admin privileges are not subject to Single Sign-On (SSO).
- Verification for users not subject to SSO
Access Google Workspace services as a user not part of the SSO-enabled organization, log in, and confirm that you can log in without the HENNGE Access Control authentication screen appearing.
Reference
- Setting up SSO for your organization (Google Workspace Admin Help)