Integrate Google Workspace with Conditional Access

In this topic, you will find general instructions on how to integrate Google Workspace with Portnox™ Conditional Access for Applications.

Important: This configuration assumes that your identity provider is different from Google Workspace, or that it is another instance of Google Workspace. You cannot use the same instance of Google Workspace both as your identity provider and as your application.

You can use this configuration, for example, if you use Entra ID for user management and you want your users to access Google Workspace applications. In that setup, Portnox Cloud acts as the SAML identity provider for Google Workspace: users signing in to Google applications (such as Gmail, Google Docs, and more) are authenticated using Conditional Access certificates and their Entra ID credentials, not their Google passwords.

Create a Portnox Cloud application configuration

In this step, you will create a configuration in Portnox Cloud that will contain all the information necessary to integrate with Google Workspace as an application.

  1. In a new tab of your browser, open your Portnox Cloud account by accessing the following URL: https://clear.portnox.com/

    From now on, we will call this tab the Portnox tab.

  2. In the Cloud portal top menu, click on the Applications option.

  3. On the Applications screen, click on the Add application button, and select the Add new SAML application option.

  4. Optional: If you have more than one SAML identity provider configured, select the identity provider in the Select an identity provider to use for this application section.
  5. In the Application details section, enter an Application name and optionally a Description.

    In this example, we used the name Google Workspace for the new application configuration, but you can use any name you like.

  6. Keep this browser tab open. You will need it later.

Open your Google Workspace SSO with third-party IdP settings

In this section, you will access your Google Workspace SSO settings page for third-party identity providers and create a new third-party SSO profile.

  1. In another tab of your browser, open your Google Workspace Admin page for SSO with third-party IdP by accessing the following URL: https://admin.google.com/ac/security/sso.

    From now on, we will call this tab the Google Workspace tab.

  2. In the Third-party SSO profiles section, click on the ADD SAML PROFILE link.

  3. In the SAML SSO profile pane, in the SSO profile name field, enter a name for this profile.

    In this example, we used the name Portnox Conditional Access, but you can use any name you like.

Copy configuration values from the Portnox tab to the Google Workspace tab

In this section, you will copy the values displayed by Portnox Cloud and paste them in the relevant fields in the Google Workspace new SAML SSO profile pane.

  1. In the Portnox tab, in the Service details section, click on the  ⧉  icon next to the Identity Provider Entity ID / Audience URI field to copy the value.

  2. In the Google Workspace tab, click on the empty field under the IDP entity ID label and paste the value copied from Portnox Cloud.

  3. In the Portnox tab, in the Service details section, click on the  ⧉  icon next to the Sign-In URL / SSO URL field to copy the value.

  4. In the Google Workspace tab, click on the empty field under the Sign-in page URL label and paste the value copied from Portnox Cloud.

  5. In the Portnox tab, in the Certificates > Signing certificates section, click on the  ⋮  icon next to the Active certificate and select the Download certificate option to download the certificate to the local drive.

  6. In the Google Workspace tab, click on the UPLOAD CERTIFICATE link and upload the downloaded certificate file.

    Google uses this certificate to verify the signature on the assertions Portnox sends. If you later change the active signing certificate in Portnox Cloud, upload the new certificate to this profile as well; otherwise, sign-ins to Google will fail.

  7. Click on the SAVE button to save the profile and display values that you will need to copy to the Portnox tab.

Copy configuration values from the Google Workspace tab to the Portnox tab

In this section, you will copy the values displayed in your Google Workspace SAML SSO profile section, and paste them in the relevant fields in Portnox Cloud.

  1. In the Google Workspace tab, in the SAML SSO profile > SP details section, click on the  ⧉  icon in the Entity ID field to copy the value to the clipboard.

  2. In the Portnox tab, in the Application properties section, click on the empty field under the Entity ID / Service Provider Entity URL heading and paste the value copied from Google Workspace.

  3. In the Google Workspace tab, in the SAML SSO profile > SP details section, click on the  ⧉  icon in the ACS URL field to copy the value to the clipboard.

  4. In the Portnox tab, in the Application properties section, click on the empty field under the Assertion Consumer Service (ACS) URL / Reply URL heading and paste the value copied from Google Workspace.

Finalize the configuration

In this section, you will finalize the configuration in Portnox Cloud and Google Workspace.

  1. Finalize the configuration in the Portnox tab.
    1. Optional: In the POLICY ASSIGNMENTS section, change the setting to Application-based and then select an access control policy and a risk assessment policy if you want to control access to this application without using groups.
    2. Scroll all the way down to the end of the page, and then click on the Save button.

  2. Finalize the configuration in the Google Workspace tab.
    1. In the Manage SSO profile assignments section, click on the GET STARTED link.

    2. On the left-hand side, select the groups or organizational units whose users should sign in through Conditional Access. On the right-hand side, select the Another SSO profile option and, in the Select SSO profile field, select the profile you just added. Then activate the following option: Have Google prompt for their username, then redirect them to this profile's IDP sign-in page. Finally, click on the SAVE button.

Result: You have configured Google Workspace to be accessible using Portnox Conditional Access for Applications.
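The three values exchanged between the two tabs must line up exactly with what appears inside the SAML responses Portnox sends to Google: the Portnox IdP entity ID becomes the Issuer, the Google SP entity ID becomes the Audience, and the Google ACS URL becomes the Destination and Recipient. The following Python script is an added example (it is not part of the Portnox or Google documentation) that checks a captured response against those expected values and reports each mismatch, including an expired or not-yet-valid assertion. All URLs, IDs, the user address and the sample response are constructed placeholders; it deliberately does not verify the XML signature, which Google does with the certificate uploaded in the profile.

```python
"""Offline consistency check of a SAML response against the Portnox/Google
SSO profile values. Added example; all identifiers below are constructed."""
import base64
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Constructed placeholders for the values copied between the tabs.
# Replace them with the values shown in your own Portnox and Google consoles.
EXPECTED = {
    # Portnox "Identity Provider Entity ID / Audience URI" -> Google "IDP entity ID"
    "idp_entity_id": "https://idp.portnox-example.invalid/saml",
    # Google "Entity ID" -> Portnox "Entity ID / Service Provider Entity URL"
    "sp_entity_id": "https://sp.google-example.invalid/samlrp/0000",
    # Google "ACS URL" -> Portnox "Assertion Consumer Service (ACS) URL / Reply URL"
    "acs_url": "https://sp.google-example.invalid/samlrp/acs?rpid=0000",
}


def _ts(dt):
    """SAML timestamps are UTC, ISO 8601, with a trailing Z."""
    return dt.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def _parse_ts(text):
    text = text.rstrip("Z").split(".")[0]  # tolerate fractional seconds
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def build_sample_response(issuer, audience, destination, now=None,
                          lifetime_min=5, status=SUCCESS):
    """Constructed, unsigned response in the shape an IdP posts to the ACS URL.
    Exists only so the checker can be exercised offline."""
    now = now or datetime.now(timezone.utc)
    not_before = _ts(now - timedelta(minutes=1))
    not_after = _ts(now + timedelta(minutes=lifetime_min))
    xml = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_r1" Version="2.0" IssueInstant="{_ts(now)}" Destination="{destination}">
  <saml:Issuer>{issuer}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{status}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="{_ts(now)}">
    <saml:Issuer>{issuer}</saml:Issuer>
    <saml:Subject>
      <saml:NameID>user@example.invalid</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="{destination}" NotOnOrAfter="{not_after}"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="{not_before}" NotOnOrAfter="{not_after}">
      <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""
    return base64.b64encode(xml.encode()).decode()


def check_saml_response(saml_response_b64, expected=EXPECTED, now=None):
    """Return a list of mismatches; an empty list means every field lines up.
    Signature verification is out of scope (Google does it with the uploaded cert)."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    problems = []

    if root.get("Destination") != expected["acs_url"]:
        problems.append(f"Destination {root.get('Destination')!r} != ACS URL")
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        problems.append("status is not Success")
    for where in ("saml:Issuer", "saml:Assertion/saml:Issuer"):
        if root.findtext(where, namespaces=NS) != expected["idp_entity_id"]:
            problems.append(f"{where} != IDP entity ID")

    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        problems.append("no Assertion")
        return problems
    audience = assertion.findtext(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", namespaces=NS)
    if audience != expected["sp_entity_id"]:
        problems.append(f"Audience {audience!r} != SP entity ID")
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != expected["acs_url"]:
        problems.append("SubjectConfirmationData/@Recipient != ACS URL")
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        problems.append("no Conditions")
    else:
        nb, na = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if nb and now < _parse_ts(nb):
            problems.append("assertion not yet valid (check clock skew)")
        if na and now >= _parse_ts(na):
            problems.append("assertion expired")
    return problems


if __name__ == "__main__":
    e = EXPECTED
    print("good:", check_saml_response(build_sample_response(
        e["idp_entity_id"], e["sp_entity_id"], e["acs_url"])) or "OK")
    # Typical paste mistake: the Google Entity ID where the ACS URL belongs.
    print("swapped:", check_saml_response(build_sample_response(
        e["idp_entity_id"], e["sp_entity_id"], e["sp_entity_id"])))
```

To run it against a real sign-in, update EXPECTED with your console values, capture the base64 SAMLResponse form field from the browser's network tools (the POST to the ACS URL) and pass it to check_saml_response. An Audience or Destination mismatch usually means a value was pasted into the wrong field in one of the two tabs.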

Note the following troubleshooting information:

  • Google Workspace does not enforce a third-party IdP for users with Admin privileges, even if they belong to a group or organizational unit configured to use a third-party IdP. These users are always asked for their Google passwords. Because such accounts bypass Conditional Access, protect them on the Google side (for example, by enforcing 2-Step Verification for administrators).

  • When creating a new user, we recommend that you first assign that user to a temporary organizational unit or group with no IdP requirement, so that the user can activate their account and create a Google password. After the user has activated their account, move them to the organizational unit or group that uses the third-party IdP. Assigning a user to the third-party IdP unit/group before activation may cause their first login to fail.