Single Sign-On with Google Workspace (SAML)

By Emalee Firestein

Learn how to configure a SAML SSO connection using Google Workspace

Create a SAML Connection 

  1. In Kandji, navigate to the Settings page.

  2. Click the Access tab.

  3. Find the Authentication section and click the Add button on the bottom left.

  4. In the new pane, click Custom SAML.

  5. Click Next.


  6. Click Show Advanced Details.

  7. Copy the Assertion Consumer Services URL into a text document for later use.

  8. Copy the Entity ID into a text document for later use.


  9. Leaving this tab open, continue to the Google Workspace Admin console following the instructions below. 

Add the Kandji application to Google Workspace

  1. In a new browser tab, log in to admin.google.com with a Google Workspace admin account.

  2. Click the menu symbol at the top left.

  3. Select Apps.

  4. Select Web and mobile apps.

  5. Click the Add App dropdown.

  6. Select Add custom SAML app.


  7. On the App details page:

    1. Set an App name.

    2. Optionally, add a Description.

    3. Upload an optional App icon.

    4. Click Continue.

  8. On the Google Identity Provider Details page, use Option 2: Copy the SSO URL, entity ID, and certificate.

    1. Copy the SSO URL and save it to a text document for later use.

    2. Download the Certificate and save it.

    3. Click Continue.

  9. On the Service Provider Details page:

    1. In the ACS URL field, paste the Kandji Assertion Consumer Service URL you copied earlier.

    2. Paste the Kandji Entity ID you copied earlier in the Entity ID field.

    3. Make sure that the Signed response option is checked.

    4. Set the Name ID Format to UNSPECIFIED.

    5. For NameID, make sure that Basic Information > Primary email is selected.

    6. Click Continue. MGGiqNm2kv4U270jmFLu9Ml-FvSLiXbRUw

  10. On the Attribute Mapping page:
    1. Click on Add Mapping twice so that you can add the following two mappings:

      1. Find the First name attribute in the dropdown menu and paste the following string:

        http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname

      2. Find the Last name attribute in the dropdown menu and paste the following string:

        http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname

    2. Click Finish.


  11. On the resulting app page, check under User Access to ensure that the service is turned on and that either a user group or organizational unit is selected. 
    1. If it displays OFF for everyone, click the disclosure triangle in the User Access panel to assign a user group or organizational unit to the app.
    2. Optionally, select a group or organizational unit for which to enable the service (by default, all organizational units are shown).
    3. Set the service status to ON for everyone.
    4. Click Save.

The Required Claim Attributes section of the SAML-based Single Sign-on knowledge base article provides more about Kandji attribute mappings.

Configure the SAML Connection in Kandji

  1. Go back to the Custom SAML modal in Kandji.

  2. Give the connection a Name.

  3. Paste in the Sign-in URL you copied from Google Workspace.

  4. Upload the certificate you downloaded from Google Workspace.

  5. Ensure that the User ID Attribute is set to the default value of http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier

  6. Ensure that Sign Request is set to Yes.

  7. Ensure that Request Algorithm is set to RSA-SHA256.

  8. Ensure that Sign Request Algorithm Digest is set to SHA 256.

  9. Set the Protocol Binding to HTTP-POST.

  10. Click Save and then click Cancel to exit the configuration.
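As an added example (not part of Kandji's article or of the Kandji or Google products themselves), the following Python script decodes a SAMLResponse as it arrives over the HTTP-POST binding and checks that it carries the two claim attributes mapped in Google Workspace above, a NameID in the unspecified format holding the primary email, and a signature whose algorithm URIs correspond to RSA-SHA256 and a SHA-256 digest. The sample response is constructed inline with placeholder issuer, ACS URL and signature values; the algorithm and NameID-format URIs are the standard SAML 2.0 and XML-DSig identifiers. The script inspects the document only and does not validate the signature, and note that the Kandji Sign Request settings govern the AuthnRequest Kandji sends, not the response checked here.

```python
import base64
import xml.etree.ElementTree as ET

# Namespaces used by a SAML 2.0 Response and the XML Signature inside it.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Claim attribute names mapped in the Google Workspace app (from the article).
REQUIRED_ATTRIBUTES = {
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname",
}
# Standard URIs for "Name ID Format: UNSPECIFIED", RSA-SHA256 and SHA-256.
EXPECTED_NAMEID_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
EXPECTED_SIG_METHOD = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
EXPECTED_DIGEST_METHOD = "http://www.w3.org/2001/04/xmlenc#sha256"

# Constructed sample response (issuer, ACS URL and signature values are placeholders).
SAMPLE_RESPONSE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_resp1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z"
    Destination="https://ACS-URL-PLACEHOLDER">
  <saml:Issuer>https://idp.example.com/PLACEHOLDER</saml:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
      <ds:Reference URI="#_resp1">
        <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
        <ds:DigestValue>PLACEHOLDER</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>
  </ds:Signature>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>https://idp.example.com/PLACEHOLDER</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">admin@example.com</saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname">
        <saml:AttributeValue>Ada</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname">
        <saml:AttributeValue>Lovelace</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def encode_response(xml_text: str) -> str:
    """Base64-encode XML the way the HTTP-POST binding carries the SAMLResponse form field."""
    return base64.b64encode(xml_text.encode("utf-8")).decode("ascii")


def check_saml_response(saml_response_b64: str) -> dict:
    """Decode a base64 SAMLResponse and report whether it carries the attribute names,
    NameID format and signature algorithms the configuration expects.
    This is a configuration check only; it does not verify the signature."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    attr_names = {a.get("Name") for a in root.iterfind(".//saml:Attribute", NS)}
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    # First Signature found; with "Signed response" enabled it sits on the Response element.
    sig_method = root.find(".//ds:Signature/ds:SignedInfo/ds:SignatureMethod", NS)
    digest_method = root.find(".//ds:Signature/ds:SignedInfo/ds:Reference/ds:DigestMethod", NS)
    return {
        "missing_attributes": sorted(REQUIRED_ATTRIBUTES - attr_names),
        "name_id": name_id.text if name_id is not None else None,
        "name_id_format_ok": name_id is not None and name_id.get("Format") == EXPECTED_NAMEID_FORMAT,
        "response_signed": sig_method is not None,
        "signature_method_ok": sig_method is not None and sig_method.get("Algorithm") == EXPECTED_SIG_METHOD,
        "digest_method_ok": digest_method is not None and digest_method.get("Algorithm") == EXPECTED_DIGEST_METHOD,
    }


def all_checks_pass(report: dict) -> bool:
    """True only when every expectation in the report holds."""
    return (
        not report["missing_attributes"]
        and report["name_id"] is not None
        and report["name_id_format_ok"]
        and report["response_signed"]
        and report["signature_method_ok"]
        and report["digest_method_ok"]
    )


if __name__ == "__main__":
    # To check a live login, replace the sample with the SAMLResponse form value
    # captured from the browser's network inspector during the POST to the ACS URL.
    result = check_saml_response(encode_response(SAMPLE_RESPONSE_XML))
    for key, value in result.items():
        print(f"{key}: {value}")
    print("all checks pass:", all_checks_pass(result))
```

If `missing_attributes` lists a claim URI, the corresponding mapping was not added on the Attribute Mapping page; if `name_id_format_ok` is false, the Name ID Format or the Primary email selection on the Service Provider Details page is wrong.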

Enable the SAML Connection

Once you have configured the SAML connection in Kandji and your identity provider, you can enable it. For step-by-step instructions, please refer to the Enable and Manage a Connection section of our Single Sign-on support article.

Enforce Single Sign-on

Once you have configured at least one Single Sign-on connection, you can disable the standard authentication connection. Disabling Kandji standard authentication will disable the ability for Kandji administrators in your tenant to authenticate via email/password, Google Sign-in, or Office 365 Sign-in. Please refer to our Single Sign-on support article for step-by-step instructions.

Add a User to Kandji

  1. Add a user to the Admin Team in Kandji by clicking New User.

  2. Fill in all of the corresponding user information. This user must exist in Google Workspace and must be assigned to the Kandji SSO app in your Google Workspace tenant.

  3. Click Submit.

  4. Once the invite is submitted, close the Invite User window.

  5. Refresh the Access page in Kandji. You should see the user you just added.

  6. Check the user’s email to accept the invitation and log into Kandji with the new SAML SSO connection.