Configure SSO between Cerby and Google Workspace with SAML

This article describes how to configure Google Workspace as your IdP to enable SSO for Cerby using a custom SAML app.

When you create a Cerby workspace, you can configure Google as your identity provider (IdP) to provide single sign-on (SSO) authentication for the users of your corporate directory. This integration enables seamless authentication, as users securely log in to Cerby with one set of credentials.

This article describes how to configure your Google Workspace as the primary IdP to enable SSO using a custom security assertion markup language (SAML) app for Cerby.


Supported features

The following are the supported features of configuring SSO between Cerby and Google Workspace:

  • Control who has access to Cerby from Google Workspace.

  • Service provider-initiated authentication flow: This authentication flow occurs when users attempt to log in to the app from Cerby.


Requirements

The following are the requirements to configure SSO between Cerby and Google:

  • A Google Workspace tenant

  • A user account in Google Workspace with the Super Administrator role in your tenant

  • A user account in Cerby with the workspaceOwner role

  • An invitation sent from Cerby Support via email to create a workspace. IMPORTANT: If you have not received an invitation, send an email to [email protected] with your request.


Configure SSO between Cerby and Google Workspace with SAML

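To configure SSO between Cerby and Google Workspace with a custom SAML app, you must complete the following main steps:

  1. Set up a new workspace in Cerby

  2. Add a custom SAML app in Google Workspace

  3. Retrieve metadata information from Google Workspace and enter it in Cerby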


NOTE: Depending on the use case, you may be redirected to the Google authentication portal if a session has not been established.

The following sections describe each main step.

1. Set up a new workspace in Cerby

To set up a new workspace in Cerby, complete the following steps:

  1. Click the Create my workspace button from the invitation email you received from Cerby. The Welcome to Cerby page is displayed, as shown in Figure 1.

Figure 1. Welcome to Cerby page

  2. Click the Continue with Google Workspace button. The Create your workspace page is displayed, as shown in Figure 2.

Figure 2. Create your workspace page

  3. Enter the name of your workspace in the Workspace name field.

  4. Click the Create workspace button. The Configure SSO through Google Workspace App page is displayed with instructions to configure the Cerby app in your Google Workspace tenant, as shown in Figure 3.

Figure 3. Configure SSO through Google Workspace App page


The next step is 2. Add a custom SAML app in Google Workspace.

2. Add a custom SAML app in Google Workspace

To add a custom SAML app in Google Workspace, complete the following steps:

  1. Log in to the Google Admin Console of your organization in a new browser tab.

  2. Select the Web and mobile apps option from the Apps drop-down list in the left menu. The Web and mobile apps page is displayed.

  3. Add a custom SAML app by completing the following steps:

    1. Select the Add custom SAML app option from the Add app drop-down menu. The Add custom SAML app page is displayed with a wizard on the App details step, as shown in Figure 4.

Figure 4. Add custom SAML app page in the Google Admin Console

Figure 5. Cerby logo

  4. Click the CONTINUE button. The Google Identity Provider details step of the wizard is displayed.

  5. Click the DOWNLOAD METADATA button to download an XML file that contains all the information Cerby needs to configure the SAML connection. IMPORTANT: Make sure you download the XML file, because you need it later.

  6. Click the CONTINUE button. The Service provider details step of the wizard is displayed.

  7. Copy the following values from the browser tab you left open when completing step 1. Set up a new workspace in Cerby, and paste them into their corresponding fields in the Google Admin Console, as shown in Figure 6:

    • ACS URL

    • Entity ID

Figure 6. Required values in the Service provider details step

  8. Enter https://app.cerby.com in the Start URL (optional) field.

  9. Click the CONTINUE button. The Attribute mapping step of the wizard is displayed.

  10. Map the required attributes from Table 1. Attribute mappings in Google Directory by completing the following steps:

    1. Click the ADD MAPPING button. A new row is displayed with a drop-down menu and an empty field.

    2. Select the corresponding option from the drop-down menu in the Google Directory attributes column.

    3. Enter the corresponding value in the empty field of the App attributes column.

    Figure 7 shows how the page looks with all the mapping attributes.

Figure 7. Attribute mappings in Google Directory

  11. Click the FINISH button. The page closes, and the Cerby SAML app details page is displayed.

  12. Turn on the Cerby SAML app for all users or specific organizations by following the instructions in the section Step 2: Turn on your SAML app of the official Google Workspace documentation.

The next step is 3. Retrieve metadata information from Google Workspace and enter it in Cerby.

3. Retrieve metadata information from Google Workspace and enter it in Cerby

To retrieve metadata information from Google Workspace and enter it in Cerby, complete the following steps from the Configure SSO through Google Workspace App page you left open:

  1. Upload the XML file you downloaded previously in the Metadata XML file section.

  2. Select the I have already assigned users or groups to the application option.

  3. Click the Finish Configuration button. A success message is displayed.

Now you are done. You can proceed to log in to your Cerby workspace.


NOTE: The SAML-based integration leverages Google only for authentication. To assign permissions for Cerby, users must do so directly in Cerby.


Table 1. Attribute mappings in Google Directory

The following table shows the attribute mappings in Google Directory you must configure as part of step 2. Add a custom SAML app in Google Workspace:

Google Directory attributes | App attributes
Name                        | http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Family Name                 | http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
Email Address               | http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress



Troubleshooting: “Error: app_not_configured_for_user” message

When you complete the configuration described in this article and immediately try to access your Cerby workspace, you may encounter the “Error: app_not_configured_for_user” message, as shown in Figure 7.

Figure 7. “Error: app_not_configured_for_user” message in your web browser

This issue happens because changes in the Google Admin console take time to propagate across services and users. For more information, read the official documentation How changes propagate to Google services.

To solve the issue, refresh the page or log out and then log in to your Google account.
