Google Workspace - Single Sign-On (Native)

By Emalee Firestein

Learn how to configure Native Google Workspace SSO connections

If you're requiring authentication with Automated Device Enrollment for iOS enrollments and using Google Workspace as your identity provider, the Single Sign-On entry must be created using Custom SAML. The built-in Google Workspace integration is not supported.

Create a Google Workspace Application 

  1. Log in to the Google Developer API Console. Then click CREATE PROJECT.
  2. Enter a Project name.
  3. Select your Organization.
  4. Select your Location.
  5. Click Create.
  6. In the sidebar, click Credentials.
  7. On the right side of the window, near the top, click Create Credentials. If this is your first time creating a client ID, you may also be prompted to configure your consent screen.
  8. From the menu that appears, choose OAuth Client ID.
  9. For "Application Type," click the menu and select "Web application".
  10. In the Name field, enter a Name for your OAuth client.
  11. In the Authorized JavaScript Origins section, in the URIs field, enter the following:
    For US tenants:

    For EU tenants:
  12. In the Authorized redirect URIs section, in the URIs field, enter the following:
    For US tenants:
    For EU tenants:
  13. Click Create.
  14. Copy the text from the Client ID field and save it for later use.
  15. Copy the text from the Client Secret field and save it for later use.

Create a Google Workspace Connection 

  1. In Kandji, in the sidebar, click Settings.
  2. Click the Access tab.
  3. Find the Authentication section.
  4. In the bottom-left corner of the authentication table, click Add.
  5. In the new blade, click Google Workspace.
  6. Customize or use the default Name for the Google Workspace connection (this will be shown on the login page). 
  7. Enter the Google Workspace Domain that the application is registered within.
    If you are migrating to a new Google Workspace domain using the same connection, you can change this value to match your new domain. Best practice, however, would be to create a new SSO connection using SAML.
  8. Enter the Client ID you previously copied from Google Workspace.
  9. Enter the Client Secret you previously copied from Google Workspace.
  10. Click Save.

  11. After saving, a new dialogue box will appear with a link to authorize your connection. A Google Workspace administrator for your domain must click the link and complete this process to authorize the application. This box will not go away after authorization is completed.
  12. In the new window that launches, sign in and click Accept.
  13. After clicking Accept, you will be brought to an authorization success page. 
  14. Your connection has now been successfully configured and may be enabled and tested.

Enable the SAML Connection

Once you have configured the SAML connection in Kandji and your identity provider, you can enable it. For step-by-step instructions, please refer to our Single Sign-On support article. 

Enforce Single Sign-On

Once you have configured at least one Single Sign-On connection, you can disable the Standard Authentication connection. Disabling Kandji standard authentication prevents Kandji administrators in your tenant from logging in via Email/Password, Google Sign-in, or Office 365 Sign-in. Please refer to our Single Sign-On support article for step-by-step instructions.