
Google Workspace

Overview

This document describes the procedure to configure your organization's Google Workspace domain within the AdminX portal to use it as a passwordless authentication solution for your organization's Google Workspace users. This integration will allow your users to log in to their Google Workspace account leveraging their biometrics. The biometric options include Touch ID / Face ID and LiveID.

Before you Begin

You will need the following resources and privileges to complete this integration:

  1. Admin access to the following:
     • AdminX portal: If your organization is not registered with the AdminX portal, visit the Sign Up page for your organization's AdminX portal registration. The 1Kosmos representative will create an account for your organization within the AdminX portal.
     • Google Cloud Platform
     • Google Admin Console
  2. Install on your mobile device:
     • BlockID mobile application

Assumptions

  • With the above prerequisites, you are registered with and able to log in to:
     • AdminX portal
     • Your organization's Google Cloud Platform and Google Admin Console, with admin access
  • You have installed and registered the BlockID mobile application. Launch the BlockID mobile application and follow the on-screen instructions to register the app with the BlockID Platform and enroll your biometrics. Visit the Enroll Biometrics (Touch ID / Face ID and LiveID) section of the BlockID mobile application User Guide for a step-by-step description of the biometrics enrollment process within the BlockID mobile application.

Perform the following tasks to enable this integration:

  1. Google Workspace configurations
  2. AdminX portal configurations

List of Topics:

  1. Create a Service Account on Google Cloud
  2. Add domain-wide delegation to a service account
  3. Create a private key for your organization's service account
  4. AdminX portal configurations
     a. Issue IDP Certificate from AdminX portal
  5. Google Admin Console SSO configurations for auto-generated IDP configuration by AdminX portal
  6. Test the SAML Single Sign-On Connection

Create a Service Account on Google Cloud

These configurations need to be performed before integrating your Google Workspace domain into the AdminX portal.

Note:

The following steps will be performed by your Google Cloud administrator.

  1. Log in to your organization's domain's Google Cloud Platform (GCP) console site.
  2. In the Google Cloud Platform home screen, click the Down arrow icon on the GCP project next to the Google Cloud Platform heading. A dialog box is displayed with the list of current projects.
  3. In the dialog box, click the NEW PROJECT option in the upper right corner. The New Project screen is displayed.
  4. In the New Project screen, enter the following details:
     • Project Name: Enter the appropriate name for your project.
     • Organization: Select the appropriate organization name to attach it to your project.
     • Location: Select the appropriate name of your parent organization or folder.
     • Click CREATE. The Google Cloud Platform home screen (GCP API Console Dashboard) is displayed with the Notifications message box showing the progress of the new project creation.
  5. In the Google Cloud Platform home screen, once the project is successfully created, click the SELECT PROJECT option for the newly created project in the Notifications message box. The Google Cloud Platform home screen is displayed with the newly created project name next to the Google Cloud Platform heading.
  6. In the Google Cloud Platform home screen with the newly created project selected, click the Navigation menu icon in the top left corner. The Navigation menu is displayed in the left pane.
  7. In the left pane, navigate to ALL PRODUCTS > IAM & Admin > Service Accounts from the Navigation menu. The Service accounts screen is displayed.
  8. In the Service accounts screen, click CREATE SERVICE ACCOUNT. The Create service account screen is displayed.
  9. In the Create service account screen, enter the following details:
     • Service account name: Enter the appropriate name for the service account.
     • Service account description: Enter the appropriate description for the service account.
     • Click Done. The newly created service account is displayed in the list for the selected project.
  10. In the Service accounts screen, click on the newly created service account. The Service account details screen is displayed for the selected service account.
  11. In the Service account details screen for the selected service account, copy the Email and Unique ID values and save them; they are used in the AdminX Console while performing the one-click SAML integration with your organization's Google Workspace domain.

Add domain-wide delegation to a service account

Note:

The following steps will be performed by your Google Admin Console administrator.

  1. Log in to your organization domain's Google Admin Console site.

  2. In the Google Admin console home screen, from the top left corner, click on the Navigation menu. The Navigation menu is displayed in the left pane.

  3. In the left pane, navigate to Security > API controls from the Navigation menu. The API Controls screen is displayed.

  4. In the API Controls screen, in the Domain wide delegation section, click the MANAGE DOMAIN WIDE DELEGATION link.
  5. In the Domain wide delegation screen, click Add new. The Add a new Client ID dialog box is displayed.
  6. In the Add a new Client ID dialog box, enter the following details:
     • Client ID: Paste the Unique ID value you copied and saved for the newly created service account in the Create a Service Account on Google Cloud topic.
     • OAuth Scopes: Enter https://apps-apis.google.com/a/feeds/domain/, the Google Workspace domain scope that the application can access. This scope is important: it allows the application to make changes to organization settings.
     • Click Authorize. The Domain wide delegation screen is displayed with the newly created domain-wide delegation in the list of domain-wide delegations.

Create a private key for your organization's service account

  1. Log in to your organization's Google Cloud Platform site.
  2. From the left pane, navigate to ALL PRODUCTS > IAM & Admin > Service Accounts. The Service accounts screen is displayed.
  3. In the Service accounts screen, open your organization's appropriate service account.
  4. In the Service account details screen for the selected service account, click the KEYS tab.
     • In the Keys tab, click ADD KEY and then Create new key. The Create private key for "<project_name>" window is displayed for the selected project.
     • In the Create private key for "<project_name>" window, select the JSON option in the Key Type section and click CREATE. The Private key saved to your computer dialog box is displayed with the JSON file name.
     • In the Private key saved to your computer dialog box, click CLOSE. The JSON file is downloaded to your computer.
     • Open the downloaded JSON file. It contains your project's service account private key, which is used in the AdminX Console while performing the one-click SAML integration with your organization's Google Workspace domain.
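The downloaded key file also carries the Email and Unique ID values that the earlier steps ask you to copy by hand. The following added example (not 1Kosmos or Google code) pulls those values out of the file and checks that the private key is still an intact PEM block before it is pasted into AdminX; field names are those of a standard GCP service-account key JSON, and the sample file is constructed with a fake key body.

```python
# Added example (not 1Kosmos or Google code): sanity-check a downloaded GCP
# service-account key file before pasting its values into AdminX. Field names
# are those of a standard GCP key JSON; the sample key is constructed and fake.
import base64
import json
import re

_PEM_RE = re.compile(r"-----BEGIN (?P<label>[A-Z ]+)-----\s*(?P<body>[A-Za-z0-9+/=\s]+?)\s*-----END (?P=label)-----")


def pem_der(pem: str) -> bytes:
    """Return the DER bytes of one PEM block, or raise ValueError when the BEGIN/END
    lines are missing or mismatched or the body is not base64 (a pasted key with lost lines)."""
    m = _PEM_RE.search(pem)
    if not m:
        raise ValueError("missing or mismatched PEM BEGIN/END lines")
    der = base64.b64decode("".join(m.group("body").split()), validate=True)
    if not der or der[0] != 0x30:  # every key/certificate starts with a DER SEQUENCE
        raise ValueError("PEM body does not decode to a DER SEQUENCE")
    return der


def adminx_values_from_key_file(key_json: str) -> dict:
    """Extract the values the procedure asks for: the Service Account Email, the Unique ID
    pasted as Client ID in domain-wide delegation, and the private key (framing checked)."""
    key = json.loads(key_json)
    if key.get("type") != "service_account":
        raise ValueError("not a service-account key file")
    for field in ("client_email", "client_id", "private_key"):
        if not key.get(field):
            raise ValueError(f"key file lacks {field}")
    pem_der(key["private_key"])  # fail early on a corrupted or truncated key
    if not key["client_id"].isdigit():
        raise ValueError("client_id (Unique ID) should be all digits")
    return {
        "service_account_email": key["client_email"],
        "delegation_client_id": key["client_id"],
        "private_key": key["private_key"],
    }


# Constructed sample with placeholder values; the key body is the base64 of a
# 5-byte DER SEQUENCE, not a real RSA key.
SAMPLE_KEY_JSON = json.dumps({
    "type": "service_account",
    "private_key": "-----BEGIN PRIVATE KEY-----\nMAMCAQA=\n-----END PRIVATE KEY-----\n",
    "client_email": "adminx-sso@example-project.iam.gserviceaccount.com",
    "client_id": "123456789012345678901",
})
```

The same pem_der check applies to the IDP signing certificate copied from the AdminX portal later in this procedure, since a certificate pasted without its BEGIN/END lines fails the same way.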

AdminX portal configurations

This is a one-click Google Workspace app integration that automatically generates the Service Provider (SP) configuration to add to your Google Workspace domain, enabling SAML 2.0 integration with the AdminX portal as the IDP for your passwordless login.

Note:

The following steps will be performed by your AdminX portal administrator.

  1. Log in to the AdminX portal and navigate to Applications > Add Application.
  2. In the Add new applications screen, click the Add integration link for the Google Workspace SAML option in the Pre-built integrations section.
  3. In the Google Workspace screen, enter the following values:
  • Application Name: Enter the name for your Google Workspace domain.

  • In the Service provider info section:

  • Google Workspace Domain: Enter your organization's Google Workspace domain without the http:// or https:// prefix. This is the domain of the admin Gmail id used to create the project in the GCP API console. For example, if that Gmail id is user@yourorganization.org, your Google Workspace domain is yourorganization.org.

  • Service Account Email: Enter your saved service account's email id from the Email field as mentioned in the service account configuration topic.

  • Admin Email: Enter your admin Gmail id used to create the project in the GCP API console.

  • Service Account Private Key: Enter your saved service account's private key from the downloaded JSON file as mentioned in the service account configuration topic.

  • Click Connect. This will add your Google Workspace domain within the AdminX portal and enable it for passwordless authentication.

Issue IDP Certificate from AdminX portal

  1. Log in to your organization's AdminX portal and navigate to Settings > IDP Configuration.
  2. In the IdP Configuration screen, copy the certificate details from the Signing Certificate section and save them to a file with the .cert extension. You will upload this signing certificate file later in the Google Workspace third-party IDP section of the SSO integration.

Google Admin Console SSO configurations for auto-generated IDP configuration by AdminX portal

These configurations need to be performed after creating the one-click app Google Workspace integration into the AdminX portal.

Note:

The following steps will be performed by your Google Admin Console administrator.

  1. Log in to your organization domain's Google Admin Console site.

  2. In the Google Admin console home screen, from the top left corner, click on the Navigation menu. The Navigation menu is displayed in the left pane.

  3. In the left pane, navigate to Security > Settings from the Navigation menu. The Security screen is displayed.

  4. In the Security screen, scroll down and click Set up single sign-on (SSO) with a third party IdP.

  5. In the Set up single sign-on (SSO) with third party identity providers (IDPs) screen, the newly integrated AdminX SAML IDP information is displayed in the SSO profile for your organization section.

  6. Click the Edit icon for the newly integrated AdminX SAML IDP information. The Third party identity providers (IDPs) tab is displayed.
  7. In the Verification Certificate section, click UPLOAD CERTIFICATE to locate and upload the signing certificate issued by the AdminX portal's identity provider. To get the IDP certificate details, see the Issue IDP Certificate from AdminX portal topic.
  8. Click SAVE.

Test the SAML Single Sign-On Connection

Caution:

These steps should be performed by your Google Workspace domain users only.

  1. In your browser, open the Gmail site.
  2. On the Gmail site, enter your email id that points to the Google Workspace domain you integrated within the AdminX console and click Next.

You will be redirected to the AdminX portal login screen with the barcode to be scanned from your BlockID mobile app.

  3. On the BlockID mobile application's Home screen, click Scan QR.

  4. Scan the QR code. A confirmation pop-up window is displayed asking Allow BlockID to access this device's location?.

  5. In the confirmation pop-up window, select Allow only while using the app. The Authentication screen is displayed with the Please authenticate using <Biometric_option> from 1kosmos message.

  6. Click Authenticate and perform the appropriate authentication method. Upon successful authentication, a pop-up window is displayed with the message Thank you! You have successfully authenticated to Log In.

  7. You are logged in to your organization's Google Workspace domain.