This setup should only be done by someone with administration access to your school's Google Workspace account.
This is a premium feature available with a full subscription to iAM Compliant
iAM Compliant - Google Workspace Install Instructions
Introduction
iAM Compliant allows you to configure single sign-on (SSO) functionality so that Google Workspace users can be added and managed directly from a Google Workspace application. Once the integration between iAM and Google Workspace is configured, an administrator can assign new users to the iAM application from Google Workspace. User details are then synced automatically between the two systems and the Google users can then log in to their iAM account using their Google work/organisation login.
Once an iAM user is associated with a Google account, it is not possible to update their user details from within the iAM Compliant user administration screen or user profile page. Instead, changes to user details are fed through automatically from Google on a scheduled basis.
This document describes how to configure an iAM account to link with one or more Google Workspace accounts.
Prerequisites
- The Single Sign-on feature is only available to iAM Compliant accounts with a full subscription. Contact support to have the feature turned on for your account.
- Your iAM account should be on a plan with sufficient user capacity.
- You should have a Google Workspace account with administration access to the Google Admin console.
- You MUST be familiar with configuring a Google Workspace account and managing users within it.
To avoid the creation of duplicate accounts, please check that any existing iAM users in your account have the same details (i.e. email and name) as they do in your Google Workspace.
Configuration
1. Create a new iAM Compliant SAML app in your Google Workspace
The first step is to create a custom SAML app.
- Open your Google Admin console.
- Go to Menu > Apps > Web and mobile apps.
- Click Add App > Add custom SAML app.
- Enter the app name and, optionally, upload an icon for your app. The app icon appears on the Web and mobile apps list, on the app settings page, and in the app launcher. If you don't upload an icon, an icon is created using the first two letters of the app name.
- An iAM Compliant logo is available here:
- Click continue.
- On the Google Identity Provider details page, get the setup information needed using option 2:
- Copy the SSO URL, Entity ID, and SHA-256 fingerprint.
2. Create an SSO Configuration
This step sets up a configuration that enables iAM to recognise your users both when they sign in using single sign-on and when they are submitted to iAM from your Google Workspace. First log in to your iAM account as an account administrator and go to the account settings for your organisation.
- Click the “Single Sign-on” link in the right-hand sub-menu.
- To create a new configuration click the Add Config button and select the option for Google
- Enter a display name for your configuration. Only account owners will see this name but it makes sense to call it something that relates to your SAML app (e.g. “Google SSO” or “Google SSO for [LOCATION NAME]” if you are working with multiple locations).
- Enter the values copied from your SAML app (1.5.a above) for "SSO Service URL", "Entity ID", and "Certificate fingerprint".
- Click Add Config
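Steps 1 and 2 hand three values across by copy-and-paste (the SSO URL, Entity ID and SHA-256 certificate fingerprint). As an added illustration that is not part of iAM Compliant's documentation or product code, the Python below shows how those three values relate to the IdP metadata XML that Google's option 1 offers, and provides a check that what has been entered into the iAM config matches what the metadata actually carries. The metadata document, its URLs and the certificate bytes are constructed placeholders (not a real X.509 certificate), so the fingerprint it produces is illustrative only; run it against a real metadata download to get real values.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

# Namespaces used by SAML 2.0 metadata documents.
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
REDIRECT_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# CONSTRUCTED sample data: the certificate body is a placeholder byte string,
# not a real DER-encoded certificate, and the URLs are made-up placeholders.
FAKE_CERT_DER = b"constructed-placeholder-certificate-bytes"
SAMPLE_ENTITY_ID = "https://idp.example.invalid/saml2/entity"
SAMPLE_SSO_URL = "https://idp.example.invalid/saml2/sso"
SAMPLE_METADATA = f"""<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="{SAMPLE_ENTITY_ID}">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo>
        <ds:X509Data>
          <ds:X509Certificate>{base64.b64encode(FAKE_CERT_DER).decode()}</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="{REDIRECT_BINDING}" Location="{SAMPLE_SSO_URL}"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def sha256_fingerprint(der: bytes) -> str:
    """Colon-separated, upper-case SHA-256 fingerprint of a DER-encoded certificate.

    This is the same presentation Google's admin console uses for the value
    that step 1 asks you to copy: SHA-256 over the raw DER bytes.
    """
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalise_fingerprint(fp: str) -> str:
    """Drop separators and whitespace so fingerprints compare regardless of formatting."""
    return "".join(ch for ch in fp if ch.isalnum()).upper()


def fingerprint_matches(expected: str, actual: str) -> bool:
    return normalise_fingerprint(expected) == normalise_fingerprint(actual)


def parse_idp_metadata(xml_text: str) -> dict:
    """Extract the three values step 2 asks for from a SAML IdP metadata document.

    Only feed this metadata you downloaded from your own IdP; for untrusted XML,
    parse with defusedxml instead of the standard library parser.
    """
    root = ET.fromstring(xml_text)
    entity_id = root.attrib["entityID"]
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor")
    sso_url = None
    for svc in idp.findall("md:SingleSignOnService", NS):
        if svc.attrib.get("Binding") == REDIRECT_BINDING:
            sso_url = svc.attrib["Location"]
    cert_el = idp.find("md:KeyDescriptor/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    if cert_el is None or not cert_el.text:
        raise ValueError("metadata has no signing certificate")
    der = base64.b64decode("".join(cert_el.text.split()))
    return {"entity_id": entity_id, "sso_url": sso_url, "fingerprint": sha256_fingerprint(der)}


def check_configuration(xml_text: str, configured: dict) -> list:
    """Return the names of fields where the iAM config disagrees with the metadata.

    `configured` holds the values typed into the iAM SSO config: keys
    'entity_id', 'sso_url' and 'fingerprint'. An empty list means all match.
    """
    expected = parse_idp_metadata(xml_text)
    mismatches = []
    if configured.get("entity_id") != expected["entity_id"]:
        mismatches.append("entity_id")
    if configured.get("sso_url") != expected["sso_url"]:
        mismatches.append("sso_url")
    if not fingerprint_matches(expected["fingerprint"], configured.get("fingerprint", "")):
        mismatches.append("fingerprint")
    return mismatches


if __name__ == "__main__":
    values = parse_idp_metadata(SAMPLE_METADATA)
    for key, value in values.items():
        print(f"{key}: {value}")
    print("mismatches:", check_configuration(SAMPLE_METADATA, values))
```

A fingerprint typed with the wrong separators or case is still accepted, but a single wrong hex digit is reported, which is the mistake most likely to leave users unable to sign in after the config is saved.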
3. Configure locations
The following applies if you have more than one location in your iAM organisation. If your iAM organisation only has one location you can ignore this step - you will not see any options for applicable locations here.
- Scroll down to select which locations your SSO users should be granted access to. Users added to iAM from your Google Workspace will be given access to the locations you select here. Click Add location to configure your locations.
- If you prefer, you can choose not to assign your users to any location automatically; instead you will need to manually assign their location(s) after they have been added to your iAM account by the provisioning process.
- When adding locations to an iAM SSO config, you can also limit the locations assigned to users by one or more email domains.
- With email domains configured, only users provisioned with matching email domains will be assigned to a location. This can be used to assign specific sets of users to multiple locations.
4. Finish creating your custom SAML app
- Go back to your custom SAML app (1.5 above)
- Copy the values provided for "ACS URL" (this is the same for each config) and "ENTITY ID" (this is unique to your config) from your iAM account and then paste them into your SAML app.
- Click continue.
- It is not necessary to add any mappings, and at this time we cannot support group provisioning, so please skip this step. Click Finish.
- Please note: Google may now show you a 404 error. Your app has been created on the central Google server but has not yet propagated to the local Google server you are talking to. Wait around 5 minutes before refreshing the page; your SAML app should then be visible.
5. Create an OAuth client
To create an OAuth 2.0 client ID in the console:
- Go to the Google Cloud Platform Console.
- From the projects list, select a project or create a new one.
- If the APIs & services page isn't already open, open the console left side menu and select APIs & services.
- On the left, click Credentials.
- Click + Create Credentials, then select OAuth client ID.
- If this is your first time creating a client ID, you will be asked to configure your consent screen first. Complete the steps and return to create credentials. You won't be prompted to configure the consent screen after you do it the first time.
- Select "Web application" as the application type and provide a name.
- Add the authorised redirect URI provided in your iAM Compliant account.
- Click Create.
- You will now be shown your OAuth client credentials.
- Copy the "Client ID" and "Client Secret".
6. Turn on your iAM Compliant SAML app
Head back to your custom SAML app (4.4.a above).
Please note: if you wish to restrict the Google Workspace users that can sign in with this SAML app, this must be done with organisational units.
- Click to expand the User access section.
- Set the service status to on for the organisational unit(s) you want users provisioned from.
- Click Save.
7. Activate the Admin SDK API
To enable user provisioning, you must first enable the Admin SDK API.
- Go to the Google Cloud Platform Console.
- If the APIs & services page isn't already open, open the console left side menu and select APIs & services.
- On the left, click Library.
- Search for "Admin SDK API" and select the top result.
- Click the button to enable the API.
- Your users can now start to be pulled through to iAM Compliant.
8. Authorise user provisioning
- In your iAM Compliant account, you can now paste in your Client ID and Client Secret.
- Click Update OAuth Credentials.
- You should now see a purple button which allows you to authorise user provisioning, click it and sign in to your Google account.
- Click Allow to grant access.
- Your Organisational Units will now be pulled through into iAM Compliant. Select the ones that have access to your SAML application and then click Update.
- After updating, the 'Trigger user provisioning' button will be active. Click it to start provisioning users from your selected Organisational Units.
Congratulations, you have successfully configured single sign on with Google for your users.