Setting up Google Workspace SSO

Availability: Enterprise Edition for users with Owner permissions

Google Workspace is one of the SAML integrations supported in the Enterprise Edition of Faros. This guide contains the setup steps for integrating Google Workspace with Faros in a SaaS deployment. This can include assigning Faros user roles through Google Workspace organizational units or groups.

📘

Authentication: If your company email is hosted by Google (Gmail), you can always use Google's OAuth to log into Faros. This requires no additional set up and is available for all Faros editions.

Authorization: Enterprise customers can manage Faros users via Google Workspace by following the instructions in this document.

Setup

1. Setup a new custom SAML application in Google Workspace Admin panel (official guide). Name it Faros and use our logo (below).

2. Create a valid certificate and download the metadata xml file

3. In a separate browser window log in to Faros and then click on the profile icon in the lower left corner of the window. Click the SSO option under Tenant Settings (available to users with Faros Owner role only).

4. Select Setup SSO connection and choose the "Google" option.

   

5. fill out form as follows:

   • Choose SAML for connection type
   • Note the ACS URL and Entity ID values. You will enter these in Google Workspace.

6. Click Automatic and upload the metadata xml file you downloaded from Google Workspace, or fill in the information manually:

   • Enter the SSO endpoint from Google Workspace used for authenticating
   • Provide the public certificate found in Google Workspace.

6. Back in Google Workspace, enter the ACS URL and Entity ID. Make sure to leave the Start URL blank. Set Name ID type as Email and use Primary Email for the value.

7. (Optional) Setup Organizational unit path as groups mapping. This would allow you to define a specific Faros role for each part of your organization. You can also add First name as firstName and Last name lastName attributes respectively.

📘

Alternatively, if you plan on using Google Workspace groups for Faros roles be sure to select the necessary Google groups and use groups as a App attribute name.

8. Back in Faros, click Proceed and enter the domain of your emails. These will be the emails that can login to Faros via Google Workspace. Once you hit proceed you will be provided a TXT record. Add this to your DNS.

9. Enter your default SSO roles. More information on roles here. Default SSO roles are given to all users added to your Faros app in Google Workspace, unless other roles are specified in the Roles Groups Mapping section (and you have groups attribute configured in Google Workspace SAML). Usually, you will want to put Viewer as the default role here.