Setting up Google Workspace SSO

Availability: Enterprise Edition for users with Owner permissions

Google Workspace is one of the SAML integrations supported in the Enterprise Edition of Faros. This doc contains the setup steps for integrating Google Workspace with Faros in a SaaS deployment. This can include assigning Faros user roles through Google Workspace organizational units or groups.

Setup

  1. Set up a new custom SAML application in the Google Workspace Admin panel (official guide). Name it Faros and use our logo (below).
[Image: Custom SAML application]

[Image: Faros Logo]

  2. Create a valid certificate and download the metadata XML file.
  3. Start the setup in Faros to get the corresponding configuration. Open Faros in a new tab, navigate to your profile, and click the SSO option under Workspace (Faros Owner role required).
  4. Select Add New and fill out the form as follows:

    • Choose SAML for connection type
    • Note the ACS URL and Entity ID values. You will enter these in Google Workspace.
  5. Click Automatic and upload the metadata XML file you downloaded from Google Workspace, or fill in the information manually:

    • Enter the SSO endpoint from Google Workspace used for authenticating
    • Provide the public certificate found in Google Workspace.
[Image: Automatic Metadata upload]

  6. Back in Google Workspace, enter the ACS URL and Entity ID. Make sure to leave the Start URL blank. Set the Name ID type to Email and use Primary Email for the value.
  7. (Optional) Set up Organizational unit path as the groups mapping. This allows you to define a specific Faros role for each part of your organization. You can also add First name as firstName and Last name as lastName attributes.

Note: Alternatively, if you plan on using Google Workspace groups for Faros roles, be sure to select the necessary Google groups and use groups as the App attribute name.

  8. Back in Faros, click Proceed and enter the domain of your emails. These will be the emails that can log in to Faros via Google Workspace. Once you hit Proceed, you will be provided a TXT record. Add this to your DNS.
  9. Enter your default SSO roles. More information on roles here. Default SSO roles are given to all users added to your Faros app in Google Workspace, unless other roles are specified in the Roles Groups Mapping section (and you have the groups attribute configured in Google Workspace SAML). Usually, you will want to put User as the default role here; if you want your base user to have Analyst capabilities, put both User and Analyst.

โ—๏ธ

Setting up roles

Important: All roles must include the User role to get baseline functionality. For example, an analyst should get both the User and Analyst roles.

