Add Google Workspace as an identity provider for Conditional Access

In this topic, you will find instructions on how to add Google Workspace as an identity provider for Portnox™ Conditional Access for Applications.

Prerequisites:

  • You must first integrate your Portnox Cloud instance with your Google Workspace repository as an authentication provider. For more information, see the following topic: Integrate with Google Workspace.

Create a new identity provider configuration in Portnox Cloud

In this section, you will create a new identity provider configuration in Portnox Cloud.

  1. In a new tab of your browser, open your Portnox Cloud account by accessing the following URL: https://clear.portnox.com/

    From now on, we will call this tab the Portnox tab.

  2. In the Cloud portal top menu, click on the Settings option.

  3. In the Cloud portal left-hand side menu, click on the INTEGRATION SERVICES tile.

  4. In the right-hand side pane, find and click on the IDENTITY PROVIDER heading.

    More options appear under the IDENTITY PROVIDER heading and description.

  5. Click on the Add a new identity provider link and from the drop-down menu, select the Add a SAML identity provider option.

  6. In the Identity provider details section, enter an Identity provider name and optionally a Description.

    In this example, we used the name Google Workspace for the new identity provider but you can use any name you like.

  7. Keep this browser tab open. You will need it later.

Create a new Google Workspace application

In this section, you will access the Google Workspace administrative interface, and use it to create a new application that will handle integration with Portnox Cloud.

  1. In another tab of your browser, open your Google Workspace Admin Console by accessing the following URL: https://admin.google.com/

    From now on, we will call this tab the Google tab.

  2. In the left-hand side menu, click on the following options: Apps > Web and mobile apps

  3. In the top menu of the Web and mobile apps screen, click on the Add app button and select the Add custom SAML app option from the drop-down menu.

  4. On the first page of the Add custom SAML app wizard, enter a name for the integration app and then click on the Continue button.

  5. On the second page of the Add custom SAML app wizard, you will see configuration values for the app.

  6. Keep this browser tab open. You will need it later.

Copy configuration values from the Google tab to the Portnox tab

In this section, you will copy the values displayed by the Google Workspace application setup section and paste them in the relevant fields in Portnox Cloud.

  1. In the Google tab, click on the  ⧉  icon next to the SSO URL field to copy the value.

  2. In the Portnox tab, in the Identity provider properties section, click on the empty field under the Login / Sign on URL heading and paste the value copied from Google.

  3. In the Google tab, click on the  ⧉  icon next to the Entity ID field to copy the value.

  4. In the Portnox tab, in the Identity provider properties section, click on the empty field under the Microsoft Entra Identifier / Issuer heading and paste the value copied from Google.

  5. In the Google tab, click on the  ⧉  icon next to the Certificate field to copy the value.

  6. In the Portnox tab, in the Integration settings section, click on the Insert certificate option, and paste the copied value in the text field below.

  7. In the Google tab, click on the Continue button. Keep this tab open.

Copy configuration values from the Portnox tab to the Google tab

In this section, you will copy the values displayed by Portnox Cloud and paste them in the relevant fields in the Google Workspace application setup section.

  1. In the Portnox tab, in the Integration settings section, click on the  ⧉  icon next to the Identifier (Entity ID) / Issuer URI field to copy the value.

  2. In the Google tab, paste the copied value into the Entity ID field.

  3. In the Portnox tab, in the Integration settings section, click on the  ⧉  icon next to the Assertion Consumer Service URL / Single Sign-on URL field to copy the value.

  4. In the Google tab, paste the copied value into the ACS URL field.

Finalize the configuration

In this section, you will finalize the configuration in Portnox Cloud and in Google Workspace.

  1. Finalize the configuration in the Portnox tab.
    1. Scroll all the way down to the end of the page, and then click on the Save button.

  2. Finalize the configuration in the Google tab.
    1. In the Name ID section, in the Name ID format, select the EMAIL value, and in the Name ID field, select the Basic Information > Primary email option.

    2. Click on the Continue button.

    3. In the Attributes section, click on the ADD MAPPING button, then in the Select field field, select the Primary email value, and in the App attributes field, type email.

    4. Optional: In the Attributes section, click on the ADD MAPPING button again, then in the Select field field, select the Primary email value, and in the App attributes field, type eduPersonPrincipalName.
      Note: This attribute is only required by some applications such as Datadog.

    5. Click on the Finish button.

Result: You have added Google Workspace as an identity provider for Portnox Conditional Access for Applications.

After configuring the identity provider, check your access privileges in Google Workspace to make sure that your users can access this application. You can also click on the TEST SAML LOGIN button to test your configuration.
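
To confirm that a test login carries the values configured above, the following added example (not part of the Portnox or Google documentation) checks a decoded SAML response against the Entity ID and ACS URL exchanged between the two tabs, the EMAIL Name ID format, and the email attribute mapping. The function name, the sample response, and all URLs and addresses in it are constructed placeholders, and the check does not verify the XML signature.

```python
import xml.etree.ElementTree as ET

NS = {"p": "urn:oasis:names:tc:SAML:2.0:protocol",
      "a": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed sample response; every URL and address is a placeholder.
SAMPLE = """<p:Response xmlns:p="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:a="urn:oasis:names:tc:SAML:2.0:assertion"
  Destination="https://sp.example.invalid/acs">
 <a:Assertion>
  <a:Issuer>https://idp.example.invalid/entity</a:Issuer>
  <a:Subject>
   <a:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.invalid</a:NameID>
  </a:Subject>
  <a:Conditions><a:AudienceRestriction>
   <a:Audience>https://sp.example.invalid/entity</a:Audience>
  </a:AudienceRestriction></a:Conditions>
  <a:AttributeStatement>
   <a:Attribute Name="email"><a:AttributeValue>alice@example.invalid</a:AttributeValue></a:Attribute>
  </a:AttributeStatement>
 </a:Assertion>
</p:Response>"""

def check_response(xml_text, idp_entity_id, sp_entity_id, acs_url):
    """Return a list of configuration mismatches (empty means consistent).
    Mapping check only: the XML signature is not verified here."""
    root = ET.fromstring(xml_text)
    problems = []
    if root.get("Destination") != acs_url:
        problems.append("Destination does not match the ACS URL")
    issuer = root.findtext("a:Assertion/a:Issuer", default="", namespaces=NS)
    if issuer.strip() != idp_entity_id:
        problems.append("Issuer does not match the Google Entity ID")
    audience = root.findtext(".//a:Audience", default="", namespaces=NS)
    if audience.strip() != sp_entity_id:
        problems.append("Audience does not match the Portnox Entity ID")
    name_id = root.find(".//a:Subject/a:NameID", NS)
    if name_id is None or name_id.get("Format") != EMAIL_FORMAT:
        problems.append("NameID format is not EMAIL")
    attrs = {el.get("Name"): el.findtext("a:AttributeValue", default="", namespaces=NS)
             for el in root.iterfind(".//a:Attribute", NS)}
    if "email" not in attrs:
        problems.append("email attribute mapping is missing")
    elif name_id is not None and attrs["email"].strip() != (name_id.text or "").strip():
        problems.append("email attribute differs from the NameID")
    return problems
```

Pass the Entity ID copied from Google as `idp_entity_id`, and the Portnox Identifier (Entity ID) / Issuer URI and Assertion Consumer Service URL as `sp_entity_id` and `acs_url`.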