This guide provides information on how to:
- Set up Beyond Identity as a passwordless authentication solution for your Google Workspace environment.
- Set up Google Workspace to use Beyond Identity as an Identity Provider.
Before you Begin
This section lists items you should be aware of before configuring Google Workspace as an SSO provider with Beyond Identity.
- Users who are administrators in Google Workspace cannot use IdP delegation and must always use their Google password as their primary factor of authentication.
- Multi-factor options are limited in Google Workspace compared with most SSO providers. Beyond Identity cannot be used as a multi-factor step-up option for continuous authentication. For the multi-factor options Google Workspace does offer, refer to the 2-Step Verification methods on the Google support page.
- Google does not currently support Beyond Identity for SCIM provisioning. The Beyond Identity team is working to get the Beyond Identity solution into the Google Marketplace to enable this functionality.
Prerequisites
Ensure that you have the following:
- A Google Administrator account that can:
  - Add/edit users in the Google Directory.
  - Add/edit Identity Providers under Security > Authentication > Set up single sign-on (SSO) with a third-party IdP.
Beyond Identity Configuration
Information to provide to the Beyond Identity Field Team:
- Your company name
- Beyond Identity Admin Portal application credentials: SSO URL, SSO Entity ID, SSO X.509 signing certificate
- Beyond Identity User Portal application credentials: SSO URL, SSO Entity ID, SSO X.509 signing certificate
- (Optional) A logo for your corporation. Logo requirements: 300 x 150 pixels or less; file size of 10 KB or less; accepted file types: SVG, PNG, JPG, or GIF

Information you will receive from the Beyond Identity Field Team:
- Beyond Identity Admin Console SAML URLs (from the Beyond Identity SE):
  - Identifier/Entity ID: https://admin.byndid.com/auth/saml/<Conn-ID>/sso/metadata.xml
  - Reply / ACS URL: https://admin.byndid.com/auth/saml/<Conn-ID>/sso
  - Start URL: https://admin.byndid.com/auth/?org_id=<bi-tenant-name>
- Beyond Identity Org ID / Tenant Name (from the Beyond Identity SE)
- SCIM API endpoints
To configure Beyond Identity as the IdP in Google, follow the steps below. Once these steps are completed, you can enable Beyond Identity for test users.
- Create groups for Beyond Identity admins and test users.
- Configure the Beyond Identity Admin Console and User Console as Service Provider apps.
Step 1. Set up Google Directory Groups
Beyond Identity service assignment is required for IT admins and end users. The following steps describe how to create the BI_Admins and BI_Users groups and assign users to them. Membership in these groups is what grants access to the Beyond Identity consoles (Step 4 and Step 6) and switches a user's sign-in over to Beyond Identity (Step 8), so restrict who can add members to them.
- Log into the Google Workspace admin console (https://admin.google.com) as an Administrator.
- On the homepage of the Google Workspace Admin console, select Directory > Groups.
- On the "Groups" page, click Create group.
- Create a new Beyond Identity Admins group with the following parameters:
  - Name: BI_Admins
  - Description: Beyond Identity Admins
  - Group Email: bi_admins@<customer-domain-name>
  - Group Owner: Select the appropriate member as the group owner.
  - Click Next.
- On the "Group Settings" page, set the following parameters:
  - Deselect all permissions in the "External", "Entire Organization", and "Group Members" columns.
  - Only "Group Owners" and "Group Managers" should have permissions for access settings and membership settings.
  - Who can join the group: Only invited users
  - Click Create Group.
- Repeat for the Beyond Identity Users group. On the "Groups" page, click Create group and use the following parameters:
  - Name: BI_Users
  - Description: Beyond Identity Users
  - Group Email: bi_users@<customer-domain-name>
  - Group Owner: Select the appropriate member as the group owner.
  - Click Next.
- On the "Group Settings" page, set the following parameters:
  - Deselect all permissions in the "External", "Entire Organization", and "Group Members" columns.
  - Only "Group Owners" and "Group Managers" should have permissions for access settings and membership settings.
  - Who can join the group: Only invited users
  - Click Create Group.
- For both the BI_Admins and BI_Users groups, click the group name, open the Group information tab, and set the label to "Security". (There may be additional labels here.)
Step 2. Google SSO Information for Beyond Identity Apps
- Log into the Google Workspace admin console (https://admin.google.com) as an Administrator.
- On the homepage of the Google Workspace Admin console, select Security > SSO with SAML applications.
- Note the SSO URL and Entity ID, and either download the certificate or download the IdP metadata file (which contains all three values).
Step 3. Set up Admin Console Access in the Beyond Identity Support Console
- Provide the "SSO URL", "Entity ID" and "SAML Signing Certificate" (or the "IdP Metadata" file) obtained in the previous step to the Beyond Identity field team. The Beyond Identity team will populate those values using the Beyond Identity Support Console.
Step 4. Set up the Beyond Identity Admin Console Application in Google
- On the homepage of the Google Workspace Admin console, select Apps > Web and Mobile Apps.
- Select Add App, and then select Add custom SAML app from the drop-down menu.
- Name the application and set its icon as follows:
  - App Name: "Beyond Identity Admin Console"
  - App icon: Upload the Beyond Identity logo provided by the Beyond Identity field team.
  - Click Continue.
- On the Google Identity Provider Details tab, click Continue in the lower-right corner to go to the next step.
- On the "Service Provider Details" tab, populate the following fields:
  - ACS URL: Enter the value provided by the Beyond Identity field team (e.g., https://admin.byndid.com/auth/saml/<Connection-ID>/sso).
  - Entity ID: Enter the value provided by the Beyond Identity field team (e.g., https://admin.byndid.com/auth/saml/<Connection-ID>/sso/metadata.xml).
  - Start URL: https://admin.byndid.com/auth/?org_id=<BI_Tenant_Name> (replace BI_Tenant_Name with the value provided by the Beyond Identity field team)
  - Name ID Format: EMAIL (select from the drop-down menu)
  - Name ID: Basic Information > Primary email (select from the drop-down menu)
  - Click Continue to go to the next step.
- On the "Attribute mapping" tab, click Finish. There is no need to map any attributes.
- On the Beyond Identity Admin Console app's page, under "User access", click the down arrow to configure "Service status":
  - Under "Organizational Units", select Off for everyone.
  - Under "Groups", search for the "BI_Admins" group and set "Service status" to ON.
  - Click Save.
- After these values are provisioned, confirm that a member of the BI_Admins group can log into the Beyond Identity Admin Console (https://admin.byndid.com).
Step 5. Set up the Beyond Identity User Console Authentication
- Once logged into the Beyond Identity Admin Console, click Settings > SSO > User Console SSO Integration and click Edit.
- Configure the following fields for User Console Authentication:
  - Click Add SAML SSO.
  - Click Upload XML, or populate the following fields:
    - Name: Google SSO
    - IdP URL: https://accounts.google.com/o/saml2/idp?idpid=xxxxx (provided by the customer as the SSO URL)
    - IdP Entity ID: https://accounts.google.com/o/saml2?idpid=xxxx (provided by the customer as the Entity ID)
    - Name ID Format: emailAddress (select from the pull-down menu)
    - Subject User Attribute: UserName
  - Upload the certificate (Base64) provided by the customer as the SAML signing certificate.
  - Click Save Changes.
- Make note of the "SP Single Sign-on URL" and "SP Issuer" fields. They are the ACS URL and Entity ID, respectively, of the User Console app configured in Step 6.
Step 6. Set up the Beyond Identity User Console Application in Google
- Log into the Google Workspace Admin Console (https://admin.google.com) as an Administrator.
- On the homepage of the Google Workspace Admin console, select Apps > Web and Mobile Apps.
- Select Add App, and then select Add custom SAML app from the drop-down menu.
- Name the application and set its icon as follows:
  - App Name: "Beyond Identity User Console"
  - App icon: Upload the Beyond Identity logo provided by the Beyond Identity field team.
  - Click Continue in the lower-right corner to go to the next step.
- On the Google "Identity Provider Details" tab, click Continue to go to the next step.
- On the "Service Provider Details" tab, populate the following fields:
  - ACS URL: Enter the value provided by the Beyond Identity field team (e.g., https://user.byndid.com/auth-user/saml/<connection-id>/sso). This is the "SP Single Sign-on URL" noted in Step 5.
  - Entity ID: Enter the value provided by the Beyond Identity field team (e.g., https://user.byndid.com/auth-user/saml/<connection-id>/metadata.xml). This is the "SP Issuer" noted in Step 5.
  - Start URL: https://user.byndid.com/auth-user/?org_id=<BI_Tenant_Name> (replace BI_Tenant_Name with the value provided by the Beyond Identity field team)
  - Name ID Format: EMAIL (select from the drop-down menu)
  - Name ID: Basic Information > Primary email (select from the drop-down menu)
  - Click Continue to go to the next step.
- On the "Attribute mapping" tab, click Finish. There is no need to map any attributes.
- On the Beyond Identity User Console app's page, under "User access", click the down arrow to configure "Service status":
  - Under "Organizational Units", select Off for everyone.
  - Under "Groups", search for the "BI_Users" group and set "Service status" to ON.
  - Click Save.
Step 7. Set up the Beyond Identity Service for User Authentication
- Once logged into the Beyond Identity Admin Console, click the "Integrations" tab, and then click SAML Connections.
- Click Add SAML Connection and set the fields as follows:
  - Name: Beyond Identity IdP
  - SP Single Sign-on URL: https://www.google.com/a/<google-domain-name>/acs (replace <google-domain-name> with the customer's Google Workspace domain, for example zeropw.app)
  - SP Audience URI: https://google.com
  - Name ID Format: emailAddress
  - Subject User Attribute: UserName
  - Request Binding: http-redirect
  - Signed Response: Signed
  - Click Save Changes.
- Note the following fields from the newly created SAML Connection; they are required in the next step:
  - IdP Id (Beyond Identity Connection ID)
  - IdP Single Sign-On URL: https://auth.byndid.com/saml/v0/<BI-Connection-ID>/sso
  - IdP Issuer: https://auth.byndid.com/saml/v0/<BI-Connection-ID>/sso/metadata.xml
  - Download the IdP Signature Certificate.
Step 8. Set up Beyond Identity as a 3rd Party IdP in the Google Admin Console
- In the Google Admin Console, from the top-left menu, select Security > Authentication > SSO with third party IdP > Third-party SSO profile.
  - Enable "SSO with third party Identity Provider".
  - Fill the "Sign-in page URL" field with the "IdP Single Sign-On URL" from the previous step. Leave the sign-out page URL as is (unless there is another preferred sign-out page).
  - Select "REPLACE CERTIFICATE" and upload the IdP Signature Certificate you downloaded from the Beyond Identity Admin Console in the previous step. Google uses this certificate to verify the signed responses configured in Step 7.
- Select Security > Authentication > SSO with third party IdP > Manage SSO Profile Assignments.
  - For the top-level Organizational Unit, set the SSO profile assignment to None (users sign in with Google).
  - Click Save.
- Select Security > Authentication > SSO with third party IdP > Manage SSO Profile Assignments again.
  - Under Groups, select the BI_Users group.
  - For "Manage SSO Profile Assignments", select Organization's third-party SSO profile.
  - Click Save.
  This pair of assignments is what scopes the rollout: only members of BI_Users are redirected to Beyond Identity, and everyone else keeps signing in with Google.
- Select Security > Authentication > SSO with third-party IdP > Domain-specific Service URLs.
  - Select "Require users to enter their username on Google's sign-in page first". The group-based assignment above depends on this: Google has to identify the user before it can decide whether to redirect them to Beyond Identity.
  - Click Save.
- Select Security > Authentication > SSO with third party IdP > Third-party SSO Profiles.
  - Click Beyond Identity.
  - Copy the SP Details Entity ID and the SP Details ACS URL.
  - Return to the SAML connection created in Step 7 in the Beyond Identity Admin Console and update it: the SP Entity ID from Google goes in the SP Audience URI field, and the SP ACS URL from Google goes in the SP Single Sign-on URL field. Save the changes. The values shown on Google's profile page are the ones Google actually sends, so they replace the values entered in Step 7.
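The settings in Step 7 and Step 8 describe one SAML exchange: Google (the Service Provider) sends an AuthnRequest over the HTTP-Redirect binding to the IdP Single Sign-On URL, naming itself with the value entered as SP Audience URI and asking for the assertion to be delivered to the SP Single Sign-on URL. The script below is an added example written for this guide, not Beyond Identity's or Google's code. It builds such a request, encodes it the way the redirect binding requires, decodes it again, and applies the checks the IdP side has to make before answering. The Google domain, connection ID and URLs are placeholders; the request is unsigned, and the signed response from Step 7 is not modelled.

```python
import base64
import uuid
import xml.etree.ElementTree as ET
import zlib
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode, urlparse

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NAMEID_EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Placeholder values mirroring the Step 7/8 configuration (constructed, not a real tenant).
GOOGLE_DOMAIN = "example.com"
SP_AUDIENCE_URI = "https://google.com"                              # SP Audience URI in Beyond Identity
SP_SSO_URL = f"https://www.google.com/a/{GOOGLE_DOMAIN}/acs"        # SP Single Sign-on URL in Beyond Identity
IDP_SSO_URL = "https://auth.byndid.com/saml/v0/CONN-ID-PLACEHOLDER/sso"  # IdP Single Sign-On URL


def build_authn_request(issuer, acs_url, idp_sso_url, request_id=None, issue_instant=None) -> str:
    """Return the AuthnRequest XML an SP sends for an emailAddress NameID."""
    request_id = request_id or "_" + uuid.uuid4().hex
    issue_instant = issue_instant or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    ET.register_namespace("samlp", SAMLP)
    ET.register_namespace("saml", SAML)
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": request_id, "Version": "2.0", "IssueInstant": issue_instant,
        "Destination": idp_sso_url,
        "ProtocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
        "AssertionConsumerServiceURL": acs_url,
    })
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = issuer
    ET.SubElement(req, f"{{{SAMLP}}}NameIDPolicy", {"Format": NAMEID_EMAIL, "AllowCreate": "true"})
    return ET.tostring(req, encoding="unicode")


def redirect_url(idp_sso_url, authn_request_xml, relay_state=None) -> str:
    """HTTP-Redirect binding: raw DEFLATE (no zlib header), base64, then URL-encode."""
    co = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = co.compress(authn_request_xml.encode("utf-8")) + co.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode("ascii")}
    if relay_state is not None:
        params["RelayState"] = relay_state
    sep = "&" if "?" in idp_sso_url else "?"
    return idp_sso_url + sep + urlencode(params)


def parse_redirect_url(url: str) -> dict:
    """What the IdP sees: undo the binding and pull out the fields it must check."""
    q = parse_qs(urlparse(url).query)
    raw = base64.b64decode(q["SAMLRequest"][0])
    root = ET.fromstring(zlib.decompress(raw, -15).decode("utf-8"))
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        raise ValueError("SAMLRequest is not an AuthnRequest")
    issuer = root.find(f"{{{SAML}}}Issuer")
    policy = root.find(f"{{{SAMLP}}}NameIDPolicy")
    return {
        "id": root.get("ID"),
        "issuer": issuer.text if issuer is not None else None,
        "acs_url": root.get("AssertionConsumerServiceURL"),
        "destination": root.get("Destination"),
        "nameid_format": policy.get("Format") if policy is not None else None,
        "relay_state": q.get("RelayState", [None])[0],
    }


def idp_accepts(req: dict, sp_audience_uri: str, sp_sso_url: str, idp_sso_url: str) -> bool:
    """Checks the IdP owes the SP before issuing an assertion: the issuer must be the configured
    SP Audience URI and the requested ACS must be the configured SP Single Sign-on URL.
    Honouring an unexpected ACS would deliver a signed assertion to a URL chosen by the requester."""
    return (
        req["issuer"] == sp_audience_uri
        and req["acs_url"] in (None, sp_sso_url)
        and req["destination"] in (None, idp_sso_url)
    )


if __name__ == "__main__":
    xml_text = build_authn_request(SP_AUDIENCE_URI, SP_SSO_URL, IDP_SSO_URL)
    url = redirect_url(IDP_SSO_URL, xml_text, relay_state=f"https://mail.google.com/a/{GOOGLE_DOMAIN}")
    parsed = parse_redirect_url(url)
    print(url)
    print(parsed)
    print("IdP accepts:", idp_accepts(parsed, SP_AUDIENCE_URI, SP_SSO_URL, IDP_SSO_URL))
```

A wrong SP Single Sign-on URL or SP Audience URI in Step 7 fails the idp_accepts check in exactly the way a request from an unknown SP would, which is why Step 8 has you copy the ACS URL and Entity ID from Google's own profile page instead of typing them.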
Step 9. Configure SCIM for User & Group Provisioning
Google Workspace does not currently support SCIM for non-gallery applications. Beyond Identity is working with Google to enable this feature. Until then, creating users (User Enrollment below) and removing them (User Deprovisioning below) is a manual step on the Beyond Identity side.
Setting up Test Users
User Enrollment
- To enroll a user in the Beyond Identity experience, assign the user to the BI_Users group:
  - Click Directory > Groups.
  - Select the BI_Users group.
  - Click Add Members.
  - Find the users and assign them to this group.
  - Click Add to Group.
- Create the users in the Beyond Identity directory with the following parameters:
  - External ID (e.g., same as UPN)
  - Email
  - Username
  - Display Name
- Enrolled users will receive an email from Beyond Identity welcoming them to the new Identity Provider.
- Each enrolled user will be asked to perform the steps below:
  - Step 1: Download the Beyond Identity Authenticator to their device.
    When the user clicks "View Download Options", the Beyond Identity Authenticator download page opens in a browser with all supported platforms displayed. The user should download and install the Beyond Identity Authenticator on their device if it is not already installed.
    Once the Authenticator is installed on the device, proceed to Step 2, as there is not yet a user credential associated with the Authenticator on that device.
  - Step 2: Register their credential in the Beyond Identity IdP.
    By clicking Step 2 "Register New Credential", the user's credential is enrolled in the Beyond Identity service on the back end. On the front end, the user is taken to the Beyond Identity Authenticator, where they can see the progress of the credential registration. Once completed, the user will see the credential in the Authenticator.
    See the following example image:
User Authentication (Signing in)
- Each enrolled user can visit any application supported by your SSO to sign into their corporate applications.
- The SSO-supported application will ask the user to enter their username.
- Once the username is submitted, a prompt to use or open the Beyond Identity app for authentication is displayed.
- The user accepts the prompt and is signed into the application without using a password. The Beyond Identity app displays a success notification.
User Deprovisioning
- To deprovision a user from the Beyond Identity experience, remove the user from the "BI_Users" group:
  - Click Directory > Groups.
  - Select the BI_Users group.
  - Click Manage Members.
  - Click the "-" sign next to the user's name in the "Members" column.
  - Click Remove Members.
  Removing the user from the group returns them to signing in with Google (Step 8) and removes their access to the User Console (Step 6); it does not disable their Beyond Identity credential. Because SCIM provisioning is not available (Step 9), the Beyond Identity side must be cleaned up separately.
- To remove or suspend users from the Beyond Identity cloud, log into the Admin Console and go to the "Users" tab:
  - Select the user by clicking their name.
  - On the user's page, click Deactivate to suspend the user or Delete User to permanently delete the user from the Beyond Identity cloud.
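With no SCIM connector (Step 9), the two halves of deprovisioning are manual and can drift: a user removed from BI_Users or suspended in Google may keep an active Beyond Identity identity, and a user added to BI_Users may never have been created in Beyond Identity. The script below is an added example written for this guide, not Beyond Identity's or Google's code. It reconciles a constructed BI_Users membership export against a constructed Beyond Identity user list; the records, field names and status values are the example's own and not an export format of either product.

```python
# Constructed sample data, not real accounts. The Google records stand in for a
# BI_Users membership export, the Beyond Identity records for the Admin Console user list.
GOOGLE_BI_USERS_MEMBERS = [
    {"email": "Alice@Example.com", "status": "ACTIVE"},      # mixed case on purpose
    {"email": "bob@example.com",   "status": "SUSPENDED"},   # suspended in Google, still in the group
    {"email": "carol@example.com", "status": "ACTIVE"},      # added to the group, never created in BI
]
BEYOND_IDENTITY_USERS = [
    {"email": "alice@example.com", "status": "ACTIVE"},
    {"email": "bob@example.com",   "status": "ACTIVE"},
    {"email": "dave@example.com",  "status": "ACTIVE"},      # removed from BI_Users, never deactivated
    {"email": "erin@example.com",  "status": "INACTIVE"},
]


def normalize(email: str) -> str:
    """Email addresses are compared case-insensitively; Google and BI may differ in case."""
    return email.strip().lower()


def reconcile(group_members, bi_users) -> dict:
    """Compare who is entitled (active member of BI_Users) with who exists and is active in BI.

    deactivate: active in Beyond Identity but no longer an active BI_Users member
    enroll:     active BI_Users member with no Beyond Identity identity at all
    reactivate: active BI_Users member whose Beyond Identity identity is deactivated
    """
    entitled = {normalize(m["email"]) for m in group_members if m["status"] == "ACTIVE"}
    bi_active = {normalize(u["email"]) for u in bi_users if u["status"] == "ACTIVE"}
    bi_all = {normalize(u["email"]) for u in bi_users}
    return {
        "deactivate": sorted(bi_active - entitled),
        "enroll": sorted(entitled - bi_all),
        "reactivate": sorted(entitled & (bi_all - bi_active)),
    }


if __name__ == "__main__":
    for action, users in reconcile(GOOGLE_BI_USERS_MEMBERS, BEYOND_IDENTITY_USERS).items():
        print(f"{action:10s}: {', '.join(users) or '-'}")
```

Run this on a schedule against real exports of the two lists; the "deactivate" set is the one that matters for security, since those identities still hold an enrolled credential that nobody is relying on any more.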