Google Workspace - Single Sign-On (Native)

Learn how to configure Native Google Workspace SSO connections.

Create a Google Workspace Application 

  1. Log in to the Google Developer API Console. then click Create Project.
    Kandji-Support-KB-google-sso-api1@2x-1
  2. Fill in your project details, then click Create.

    Kandji-Support-KB-google-sso-2@2x
  3. In the sidebar, click Credentials.
  4. In the right side of the window, near the top of the window, click Create Credentials.
  5. From the menu that appears, choose OAuth Client ID. Note that if this is your first time creating a client ID you may be prompted to also configure your consent screen. Learn More

    Kandji-Support-KB-google-sso-3@2x
  6. For "Application type," click the menu and select "Web application".
  7. In the Name field, enter a name such as "Kandji".
  8. In the Authorized JavaScript Origins section, in the URIs field, enter the following:
    https://auth.kandji.io

    For EU instances, enter the following:

    https://auth.eu.kandji.io
  9. In the Authorized redirect URIs section, in the URIs field, enter the following: 
    https://auth.kandji.io/login/callback
    For EU instances, enter the following:
    https://auth.eu.kandji.io/login/callback
  10. Click Create.Kandji-Support-google-sso-clientid@2x
  11.  Copy the text from the Your Client ID field and save this for later use.
  12.  Copy the text from the Your Client Secret field and save this for later use.

    Kandji-Support-KB-google-sso-clientsecret@2x

Create a Google Workspace Connection 

  1. In Kandji, in the sidebar, click Settings.
  2. Click the Access tab.
  3. Find the Authentication section. If that section does not currently exist, SSO is not enabled for your instance.
  4. In the bottom-left corner of the authentication table, click Add.

    Kandji-Support-KB-sso-step1-2@2x-2
  5. In the new blade, click Google Workspace.
    Kandji-Support-KB-google-sso-Kandji-1@2x
  6. Customize or use the default Name for the Google Workspace connection (this will be shown on the login page). 
  7. Enter the Google Workspace Domain that the application is registered within.
  8. Enter the Client ID you previously copied from Google Workspace.
  9. Enter the Client Secret you previously copied from Google Workspace.
  10. Click Save.
    Kandji-Support-KB-google-sso-Kandji-2 2@2x
  11. After saving, a new dialogue box will appear with a link to authorize your connection. A Google Workspace administrator for your domain will need to click the link and complete this process to authorize the application. This box will not go away after authorization is completed. 
    Kandji-Support-KB-google-sso-Kandji-3@2x
  12. In the new window that launches, sign in, and click accept
  13. After clicking Accept, you will be brought to an authorization success page. 
  14. Your connection has now been successfully configured and may be enabled and tested. 
    1. Enable the SAML Connection

      Once you have configured the SAML connection in both Kandji, and your identity provider, you can now enable the connection. Please refer to our Single Sign-On support article for step by step instructions. 

    Enforcing Single Sign-On

    Once you have configured at least one Single Sign-On connection, you can disable the Standard Authentication connection. Disabling Kandji standard authentication will disable the ability for Kandji administrators in your instance to authentication via Email/Password, Google Sign in, or Office 365 Sign in. Please refer to our Single Sign-On support article for step-by-step instructions.