Configuration Guide for SSO with SAML for integration between Google Workspace and Elven Platform

SSO with SAML is a solution that simplifies user access to multiple platforms using a single authentication. In this guide, we will detail how to configure SSO between Google Workspace and the Elven Platform, providing security and efficiency in identity and access management.

SSO Configuration in Google Workspace

To begin, access the Google Workspace dashboard and navigate to Apps > Web and mobile apps. Here, you can add new applications, so click on Add App > Add Custom SAML App. This will allow you to configure a custom integration with the Elven Platform. Enter the suggested name, Elven Platform, and if desired, add a description and the Elven Platform icon or avatar to make it visually easier for users to identify. After filling in this information, click CONTINUE.

In the next step, Google Workspace displays the Identity Provider details: the Sign In URL, the Entity ID, and the certificate that Workspace uses to sign its SAML responses, which the Elven Platform needs to authenticate the connection. Download the certificate and copy the Entity ID and the Sign In URL, as they will be used later.

Integration with the Elven Platform

With the Google Workspace data in hand, access the Elven Platform and go to Settings > Organization. In the Single Sign-On tab, enter the Sign In URL obtained from Workspace in the corresponding field and upload the downloaded certificate.

Additionally, copy the information such as ACS URL and Entity ID from the Elven Platform and paste it into the corresponding fields in Google Workspace. In “Name ID”, keep the value “Basic Information > Primary email”.

Proceed to the final step and configure the mapping as follows:

This exchange of information is essential for both platforms to trust and validate authentication requests, ensuring that SSO works smoothly and securely.
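To show concretely why the copied identifiers matter, here is an added example (not Elven Platform or Google code) that checks a SAML Response against the values exchanged above: the IdP Entity ID must appear as the Issuer, the Elven Platform Entity ID as the Audience, the ACS URL as the Destination, and the NameID must be an email address, as configured with Basic Information > Primary email. The sample response, the entity IDs and the ACS URL are constructed placeholders. Signature verification is deliberately left out; a real service provider must verify the XML signature with a SAML library and the certificate downloaded from Google Workspace before trusting anything this check reports.

```python
"""Sanity-check a SAML Response against the values exchanged during setup.

Added example: this is not Elven Platform or Google code. It checks the
identifiers the guide has you copy between the two consoles, namely the IdP
Entity ID (Issuer), the SP Entity ID (Audience), the ACS URL (Destination)
and a NameID that is an email address. It does not verify the XML signature;
the service provider must do that with a SAML library and the certificate
downloaded from Google Workspace, before trusting anything checked here.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"


def _ts(value):
    """Parse a SAML UTC timestamp such as 2024-01-01T00:00:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def check_saml_response(xml_text, idp_entity_id, sp_entity_id, acs_url, now=None):
    """Return (ok, problems, name_id); `problems` lists every mismatch found."""
    now = now or datetime.now(timezone.utc)
    problems = []
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % NS["samlp"]:
        return False, ["root element is not samlp:Response"], None

    # Destination must be our ACS URL; otherwise the response targets another SP.
    if root.get("Destination") != acs_url:
        problems.append("Destination %r != ACS URL %r" % (root.get("Destination"), acs_url))

    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return False, problems + ["no saml:Assertion present"], None

    # Issuer must equal the IdP Entity ID shown in Google Workspace.
    issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer != idp_entity_id:
        problems.append("Issuer %r != IdP Entity ID %r" % (issuer, idp_entity_id))

    # Audience must contain the SP Entity ID pasted into Google Workspace.
    audiences = [a.text.strip() for a in assertion.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS) if a.text]
    if sp_entity_id not in audiences:
        problems.append("SP Entity ID %r not in Audience %r" % (sp_entity_id, audiences))

    # Validity window: reject replayed or not-yet-valid assertions.
    cond = assertion.find("saml:Conditions", NS)
    if cond is not None:
        not_before, not_on_or_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if not_before and now < _ts(not_before):
            problems.append("assertion not yet valid")
        if not_on_or_after and now >= _ts(not_on_or_after):
            problems.append("assertion expired")

    # NameID should be the primary email (Basic Information > Primary email).
    nid = assertion.find("saml:Subject/saml:NameID", NS)
    name_id = nid.text.strip() if nid is not None and nid.text else None
    if nid is None or nid.get("Format") != EMAIL_FORMAT or not name_id or "@" not in name_id:
        problems.append("NameID missing or not an email-format identifier")

    return not problems, problems, name_id


# Constructed placeholder values; replace with the identifiers from your consoles.
IDP_ENTITY_ID = "https://accounts.google.com/o/saml2?idpid=PLACEHOLDER"
SP_ENTITY_ID = "https://elven.example/saml/metadata"
ACS_URL = "https://elven.example/saml/acs"
SAMPLE_NOW = datetime(2024, 1, 1, 0, 2, tzinfo=timezone.utc)    # inside the window
SAMPLE_LATER = datetime(2024, 1, 1, 0, 10, tzinfo=timezone.utc)  # after NotOnOrAfter

# Constructed, unsigned sample response (signature omitted on purpose).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Destination="{acs}">
  <saml:Assertion>
    <saml:Issuer>{idp}</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2024-01-01T00:05:00Z">
      <saml:AudienceRestriction><saml:Audience>{sp}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>""".format(acs=ACS_URL, idp=IDP_ENTITY_ID, sp=SP_ENTITY_ID)

if __name__ == "__main__":
    print(check_saml_response(SAMPLE_RESPONSE, IDP_ENTITY_ID, SP_ENTITY_ID, ACS_URL, now=SAMPLE_NOW))
```

Running the block with the sample values reports no problems and returns alice@example.com as the NameID; swapping in a different ACS URL or evaluating the response after its NotOnOrAfter time produces a mismatch in the problem list, which is the failure mode a wrong copy-paste between the two consoles produces in practice.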

User Access Customization

In Google Workspace, you can decide who will have access to the application. Access the created app and click on User Access. Here, enable access for all users by selecting On for everyone, or configure a specific group. This ensures that only authorized people can use SSO to access the Elven Platform. After saving the settings, wait a few minutes for the integration to become active.

User Synchronization in the Elven Platform

To synchronize users from Google Workspace with the Elven Platform, you need to configure a service account in Google Cloud. In the Google Cloud Console, go to IAM & Admin > Service Accounts and click on Create Service Account. Name the account “Elven Platform SSO” and complete the creation.

In the created account, go to the KEYS tab and click on ADD KEY > Create New Key, selecting the JSON format. This will generate a file with the keys required to authenticate the synchronization. Remember to store this file securely.

Then open the Details tab, expand Advanced settings, and take note of the Client ID, as it will be needed in the following steps.

Access Delegation in Google Workspace

For the service account to work properly, you need to authorize domain-wide delegation. In the Google Workspace Admin Console, go to Security > Data and access control > API controls and click on MANAGE DOMAIN WIDE DELEGATION.

Add a new client using the previously generated Client ID and enter the required scopes for reading user and group information:

These scopes ensure that the Elven Platform can synchronize users and groups from Google Workspace without compromising sensitive data.

Enabling the Admin SDK API

Still in the Google Cloud Console, enable the Admin SDK API by searching for it in the API library. This is essential because the Elven Platform uses this API to manage and synchronize user and group information.

Finalizing the Configuration

Back in the Elven Platform, go to the SSO settings and enter the obtained information:

  • The workspace admin email.

  • The user group email configured in Workspace for synchronization.

Upload the JSON file with the previously created keys and click on SAVE INTEGRATION. With this, the synchronization will be active, and the users from the defined group in Google Workspace will be automatically added to the organization in the Elven Platform with the default role of “member”. If you need to change the permissions, you can adjust them later.
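The following added example (not Elven Platform code) makes the synchronization described above concrete by planning which Workspace group members get provisioned. The input dictionaries mimic the shapes of the Admin SDK Directory API responses for members.list (email, type, status, role) and users.list (primaryEmail, suspended), but every account in them is constructed. The rules are assumptions chosen to match the guide's description: active users in the group are added with the default role "member", users already in the organization keep whatever role an administrator adjusted later, and suspended accounts, nested groups and non-user members are skipped and reported rather than provisioned.

```python
"""Plan the group-to-organization user sync that the last step enables.

Added example: this is not Elven Platform code. The input shapes mimic the
Admin SDK Directory API responses for members.list (email, type, status,
role) and users.list (primaryEmail, suspended), but all data here is
constructed. The rules are assumptions that make the guide's description
concrete: every active user in the group is provisioned with the default
role "member"; users already in the organization keep whatever role an
administrator set afterwards; suspended accounts, nested groups and other
non-user members are skipped and reported rather than provisioned.
"""
DEFAULT_ROLE = "member"


def plan_sync(group_members, directory_users, existing_org_users):
    """Return {'add': [(email, role)], 'keep': [(email, role)], 'skip': [(email, reason)]}."""
    users_by_email = {u["primaryEmail"].lower(): u for u in directory_users.get("users", [])}
    plan = {"add": [], "keep": [], "skip": []}
    for member in group_members.get("members", []):
        email = member.get("email", "").lower()
        if member.get("type") != "USER":
            # Nested groups, customer-wide entries and external members are not provisioned.
            plan["skip"].append((email, "member type %s" % member.get("type")))
            continue
        if member.get("status") != "ACTIVE":
            plan["skip"].append((email, "group member status %s" % member.get("status")))
            continue
        user = users_by_email.get(email)
        if user is None:
            plan["skip"].append((email, "not in directory"))
            continue
        if user.get("suspended"):
            # A suspended Workspace account must not keep (or gain) platform access.
            plan["skip"].append((email, "suspended in Workspace"))
            continue
        if email in existing_org_users:
            # Roles adjusted after the first sync are preserved, not reset to "member".
            plan["keep"].append((email, existing_org_users[email]))
        else:
            plan["add"].append((email, DEFAULT_ROLE))
    return plan


# Constructed sample data in Admin SDK response shapes (not real accounts).
SAMPLE_MEMBERS = {"members": [
    {"email": "alice@example.com", "type": "USER", "status": "ACTIVE", "role": "MEMBER"},
    {"email": "bob@example.com", "type": "USER", "status": "ACTIVE", "role": "MEMBER"},
    {"email": "sec-team@example.com", "type": "GROUP", "status": "ACTIVE", "role": "MEMBER"},
    {"email": "carol@example.com", "type": "USER", "status": "ACTIVE", "role": "OWNER"},
    {"email": "dave@example.com", "type": "USER", "status": "SUSPENDED", "role": "MEMBER"},
    {"email": "erin@example.com", "type": "USER", "status": "ACTIVE", "role": "MEMBER"},
]}
SAMPLE_USERS = {"users": [
    {"primaryEmail": "alice@example.com", "suspended": False},
    {"primaryEmail": "bob@example.com", "suspended": True},
    {"primaryEmail": "carol@example.com", "suspended": False},
    {"primaryEmail": "dave@example.com", "suspended": False},
]}
SAMPLE_ORG = {"carol@example.com": "admin"}  # role an admin changed after an earlier sync

if __name__ == "__main__":
    for action, entries in plan_sync(SAMPLE_MEMBERS, SAMPLE_USERS, SAMPLE_ORG).items():
        print(action, entries)
```

With the sample data, only alice is added (as "member"), carol keeps the "admin" role set after an earlier sync, and bob, the nested sec-team group, dave and erin are each reported with the reason they were skipped. Keeping the skip reasons in the plan output is what lets an operator audit why a group member did not appear in the Elven Platform after the integration went active.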

Accessing the Elven Platform via SSO

To access the Elven Platform via SSO using Google Workspace, just follow a simple and intuitive path. On the home page of your Google Chrome browser, click the Google apps icon (located in the upper right corner, next to your profile photo). Then, locate and click the Elven Platform icon. This will automatically start the login process with single sign-on (SSO), securely and conveniently connecting you to your Elven Platform account. This approach improves the user experience by eliminating the need for multiple logins, ensuring greater speed and security in your access to the platform.

Glossary of Technical Terms

ACS URL (Assertion Consumer Service URL): An endpoint provided by the Elven Platform to receive authentication responses from the Identity Provider (IdP). It is essential for validating the user's login during the SAML process.

Admin SDK API: A Google API that allows the management of users, groups, and other directory settings in Google Workspace. It is used to synchronize data between Workspace and the Elven Platform.

API Controls: Security settings in Google Workspace that allow you to manage API access to user and group information. Fundamental for domain delegation.

Client ID: A unique identifier of a service account created in Google Cloud. It is used to authorize domain-wide delegation and link the account to SSO.

Domain-Wide Delegation: Permission granted to a service account to access user and group data on behalf of the domain administrator. Essential for user synchronization.

Entity ID: A unique identifier of the SAML application, used to distinguish the service in SSO integrations. Both Google Workspace and the Elven Platform have specific Entity IDs.

Google Cloud Console: The Google Cloud interface for managing resources such as service accounts, APIs, and settings related to Google Workspace.

Google Workspace: Google’s productivity platform, which includes tools like Gmail, Google Drive, and Google Calendar. It also serves as the Identity Provider (IdP) for SAML integrations.

IdP (Identity Provider): The identity provider responsible for authenticating users in an SSO system. In this integration, Google Workspace acts as the IdP.

JSON Key: A file containing the credentials of the service account in Google Cloud, used for authentication in external services like user synchronization in the Elven Platform.

OAuth Scopes: Permissions that define the level of access an application or service can have to Google Workspace data. Examples include reading user and group information.

Primary Email: The main email address of the user in Google Workspace, used as the default identifier in SSO integrations.

Role: A permission level assigned to a user in a platform, such as “member,” which defines access levels and allowed actions.

SAML (Security Assertion Markup Language): An open standard for exchanging authentication and authorization data between an Identity Provider (IdP) and a Service Provider (SP). It is the protocol used in the configured SSO.

Service Account: An account in Google Cloud that allows applications to access resources and APIs on behalf of the administrator or domain.
