Google Workspace - Single Sign-On (Native)

By Emalee Firestein

Learn how to configure Native Google Workspace SSO connections

If requiring authentication with Automated Device Enrollment for iOS enrollments and using Google Workspace as your identity provider, then the Single Sign-On entry must be created using Custom SAML, as the built-in Google Workspace integration is not supported.

Create a Google Workspace Application 

  1. Log in to the Google Developer API Console. Then click CREATE PROJECT.
  2. Fill in your project details, then click Create.
  3. In the sidebar, click Credentials.
  4. In the right side of the window, near the top of the window, click Create Credentials.
  5. From the menu that appears, choose OAuth Client ID. Note that if this is your first time creating a client ID you may be prompted to also configure your consent screen. Learn More

  6. For "Application Type," click the menu and select "Web application".
  7. In the Name field, enter a name such as "Kandji".
  8. In the Authorized JavaScript Origins section, in the URIs field, enter the following:

    For EU instances, enter the following:
  9. In the Authorized redirect URIs section, in the URIs field, enter the following:
    For EU instances, enter the following:
  10. Click Create.
  11.  Copy the text from the Your Client ID field and save this for later use.
  12.  Copy the text from the Your Client Secret field and save this for later use.

Create a Google Workspace Connection 

  1. In Kandji, in the sidebar, click Settings.
  2. Click the Access tab.
  3. Find the Authentication section. SSO is not enabled for your instance if that section does not currently exist.
  4. In the bottom-left corner of the authentication table, click Add.
  5. In the new blade, click Google Workspace.
  6. Customize or use the default Name for the Google Workspace connection (this will be shown on the login page). 
  7. Enter the Google Workspace Domain that the application is registered within.
    1. Note: If migrating to a new Google Workspace domain using the same connection, this value can be changed to match your new domain. Best practice, however, would be creating a new SSO connection using SAML
  8. Enter the Client ID you previously copied from Google Workspace.
  9. Enter the Client Secret you previously copied from Google Workspace.
  10. Click Save.
  11. After saving, a new dialogue box will appear with a link to authorize your connection. A Google Workspace administrator for your domain will need to click the link and complete this process to authorize the application. This box will not go away after authorization is completed.
  12. In the new window that launches, sign in, and click Accept
  13. After clicking Accept, you will be brought to an authorization success page. 
  14. Your connection has now been successfully configured and may be enabled and tested.

Enable the SAML Connection

Once you have configured the SAML connection in both Kandji and your identity provider, you can now enable the connection. Please refer to our Single Sign-On support article for step-by-step instructions. 

Enforcing Single Sign-On

Once you have configured at least one Single Sign-On connection, you can disable the Standard Authentication connection. Disabling Kandji standard authentication will disable the ability for Kandji administrators in your instance to authentication via Email/Password, Google Sign in, or Office 365 Sign in. Please refer to our Single Sign-On support article for step-by-step instructions.