Google Workspace - Single Sign-On (Native)

Learn how to configure Native Google Workspace SSO connections.

Create a Google Workspace Application 

  1. Log in to the Google Developer API Console.

  2. Select Create Project.
    Kandji-Support-KB-google-sso-api1@2x-1
  3. Fill in your project details, click Create 

    Kandji-Support-KB-google-sso-2@2x
  4. Click Create Credentials.
  5. Click OAuth Client ID. Note that if this is your first time creating a client ID you may be prompted to also configure your consent screen. Learn More

    Kandji-Support-KB-google-sso-3@2x
  6. For application Type, select Web Application.
  7. Give the client a Name such as "Kandji".
  8. Input the following URI under Authorized JavaScript Origins.
    https://auth.kandji.io
  9. Input the following URI under Authorized redirect URIs.
    https://auth.kandji.io/login/callback
  10. Click Create.Kandji-Support-google-sso-clientid@2x
  11.  Copy the Client ID from the new modal and save this for later use.
  12.  Copy the Client Secret from the new modal and save this for later use.

    Kandji-Support-KB-google-sso-clientsecret@2x

Create a Google Workspace Connection 

  1. Navigate to the Settings.
  2. Click the Access tab.
  3. Find the Authentication section. If that section does not currently exist, SSO is not enabled for your instance.
  4. Click the Add button on the bottom-left of the authentication table.

    Kandji-Support-KB-sso-step1-2@2x-2
  5. In the new blade, click on the Google Workspace connection option.
    Kandji-Support-KB-google-sso-Kandji-1@2x
  6. Customize or use the default Name for the Google Workspace connection (this will be shown on the login page). 
  7. Enter the Google Workspace Domain that the application is registered within.
  8. Enter the Client ID you previously copied from Google Workspace.
  9. Enter the Client Secret you previously copied from Google Workspace.
  10. Click Save.
    Kandji-Support-KB-google-sso-Kandji-2 2@2x
  11. After saving, a new dialogue box will appear with a link to authorize your connection. A Google Workspace administrator for your domain will need to click the link and complete this process to authorize the application. This box will not go away after authorization is completed. 
    Kandji-Support-KB-google-sso-Kandji-3@2x
  12. In the new window that launches, sign in, and click accept
  13. After clicking Accept, you will be brought to an authorization success page. 
  14. Your connection has now been successfully configured and may be enabled and tested. 
    1. Enable the SAML Connection

      Once you have configured the SAML connection in both Kandji, and your identity provider, you can now enable the connection. Please refer to our Single Sign-On support article for step by step instructions. 

    Enforcing Single Sign-On

    Once you have configured at least one Single Sign-On connection, you can disable the Standard Authentication connection. Disabling Kandji standard authentication will disable the ability for Kandji administrators in your instance to authentication via Email/Password, Google Sign in, or Office 365 Sign in. Please refer to our Single Sign-On support article for step-by-step instructions.