Single Sign-On with Google Workspace (SAML)

Learn how to configure a SAML SSO connection using Google Workspace

Create a SAML Connection 

  1. In Kandji, navigate to the Settings page.

  2. Click the Access tab.

  3. Find the Authentication section and click the Add button on the bottom left. (If that section does not currently exist, SSO is not enabled for your instance.)

  4. In the new pane, click Custom SAML.

  5. Click Next.

  6. Click Show Advanced Details.

  7. Copy the Assertion Consumer Services URL into a text document for later use.

  8. Copy the Entity ID into a text document for later use.

  9. Leaving this tab open, continue to the AzureAD instructions below. 

Add the Kandji application to Google Workspace

  1. In a new browser tab, log in to admin.google.com with a Google Workspace admin account.

  2. Click the menu symbol at the top left.

  3. Select Apps.

  4. Select Web and mobile apps.

  5. Click the Add App dropdown.

  6. Select Add custom SAML app.

  7. On the App details page:

    1. Set an App name.

    2. Set an optional App icon.

    3. Click Continue.

  8. On the Google Identity Provider Details page, use Option 2: Copy the SSO URL, entity ID, and certificate.

    1. Copy the SSO URL and save it to a text document for later use.

    2. Download the certificate and save it for use in Kandji.

    3. Click Continue.

  9. On the Service Provider Details page:

    1. In the ACS URL field, paste the Kandji Assertion Consumer Service URL you copied earlier.

    2. In the Entity ID field, paste the Kandji Entity ID you copied earlier.

    3. Make sure that the Signed response option is checked.

    4. Set the Name ID Format to UNSPECIFIED.

    5. For NameID, make sure that Basic Information > Primary email is selected.

  10. On the Attribute Mapping page: 
    1. Click on Add Mapping twice so that you can add the following two mappings:

      1. Find the First name attribute in the dropdown menu and paste the following string:

        schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
      2. Find the Last name attribute in the dropdown menu and paste the following string:

        schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
    2. Click Finish.

  11. Click on View details under User Access to ensure that the service is turned on and that either a user group or organizational unit is selected.

More about Kandji attribute mappings can be found in the Required Claim Attributes section of the SAML-based Single Sign-on knowledge base article.

Configure the SAML Connection in Kandji

  1. Go back to the Custom SAML integration in Kandji.

  2. Give the connection a name.

  3. Paste in the Sign In URL you copied from Google Workspace.

  4. Upload the Google Workspace certificate you downloaded earlier.

  5. Ensure that the User ID Attribute is set to the default value of:

    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
  6. Ensure that Sign Request is set to Yes.

  7. Ensure that Request Algorithm is set to RSA-SHA256.

  8. Ensure that Sign Request Algorithm Digest is set to SHA 256.

  9. Set the Protocol Binding to HTTP-POST.

  10. Save the connection then click Cancel to close the configuration pane.

Enable the SAML Connection

Once you have configured the SAML connection in both Kandji and your identity provider, you can now enable the connection. Please refer to the Enable and Manage a Connection section in our Single Sign-On support article for step-by-step instructions.  

Enforcing Single Sign-on

Once you have configured at least one single sign-on connection, you can disable the standard authentication connection. Doing so will disable the ability for Kandji administrators in your instance to authentication via email/password, Google Sign in, or Office 365 Sign in. Please refer to our Single Sign-on support article for step-by-step instructions.

 

 Add a Test User

  1. Add a test user to the Admin Team in Kandji by clicking New User.

  2. Fill in all of the corresponding user information. This user must exist in Google Workspace and must be assigned to the Google Workspace SSO app in your Google Workspace tenant.

  3. Close the user window once the invite is submitted.

  4. Refresh the Access page in Kandji. You should see the user who was just added.

  5. Go to the user’s email to accept the invite and log in with the new SAML SSO connection.