Configure federated authentication with Google Workspace

Google Workspace is a set of online productivity and collaboration tools that includes the corporate versions of Gmail, Calendar, Meet, and more. You can use Google Workspace as an identity provider (IdP) for DoubleCloud, so that users can use their Google Workspace credentials to log in to DoubleCloud.

Before you start

Make sure you have the following:

  1. An active Google Workspace subscription.

  2. Access to a Google Workspace account with super administrator privileges.

Step 1. Create a SAML application in the Google Admin console

  1. Go to the Google Admin console and sign in.

  2. In the left menu, click Apps → Web and mobile apps.

  3. Click Add App → Add custom SAML app.

  4. In App name, enter an app name, such as DoubleCloud, and (optionally) a description.

  5. Click Continue.

  6. On the Google IdP information page that opened, take note of the SSO URL and Entity ID values under Option 2.... You will need them in later steps.

  7. Download the SAML certificate.

  8. Keep this page open.

Step 2. Configure a federation in DoubleCloud

  1. Go to the DoubleCloud console.

  2. In the top bar, click your organization name → Manage organization.

  3. Select Members from the panel on the left and switch to the Federations tab.

  4. Click Create and enter the following details in the form:

    • Name: Your federation name, such as Google Workspace.

    • Cookie lifetime: Desired cookie lifetime.

    • IdP Issuer: Enter the value from the Entity ID field on the Google Workspace page. It has the https://accounts.google.com/o/saml2?idpid=<app-id> format.

    • Login URL: Enter the value from the SSO URL field on the Google Workspace page. It has the https://accounts.google.com/o/saml2/idp?idpid=<app-id> format.

    • Under Advanced, enable Automatically create users if you want to add users to your organization automatically when they sign in. If you keep it disabled, you’ll need to manually add your federated users.

  5. Click Create federation. The Federation overview page will open.

  6. Click Add Certificates and upload the SAML certificate you downloaded from the Google IdP information page.

    Keep the Federation overview page open.

Step 3. Finish configuration in Google Workspace

  1. On the Federation overview page in the DoubleCloud console, copy the value from Link to federation login page.

  2. Switch back to the Google identity provider details page in the Google Admin console and click Continue.

  3. On the Service provider details page, enter the federation login page URL you just copied in the ACS URL and Entity ID fields. This URL has the https://auth.double.cloud/federations/<id> format.

  4. Enable Signed response.

  5. Click Continue.

Step 4. Map user attributes

  1. On the Attribute mapping page, click Add mapping under Attributes and add the following mappings one by one:

    Google Directory attribute    App attribute
    Primary email                 http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
    First name                    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
    Last name                     http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname

  2. Click Finish.
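
The values copied between the two consoles in Steps 1 to 4 differ only slightly (the Entity ID and SSO URL differ by a single path segment), so a pre-flight check before testing can catch swapped or mistyped fields. The following is an added example, not part of the DoubleCloud documentation; the function names are hypothetical and the idpid and federation id in SAMPLE are constructed placeholders.

```python
from urllib.parse import parse_qs, urlsplit

CLAIMS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"
# Step 4 mappings: Google Directory attribute -> App attribute.
EXPECTED_MAPPINGS = {
    "Primary email": CLAIMS + "emailaddress",
    "First name": CLAIMS + "givenname",
    "Last name": CLAIMS + "surname",
}
# Constructed sample values (placeholder idpid and federation id).
SAMPLE = {
    "issuer": "https://accounts.google.com/o/saml2?idpid=C0example1",
    "login_url": "https://accounts.google.com/o/saml2/idp?idpid=C0example1",
    "acs_url": "https://auth.double.cloud/federations/f0example",
    "sp_entity_id": "https://auth.double.cloud/federations/f0example",
    "mappings": dict(EXPECTED_MAPPINGS),
}

def _google_idpid(url, path, label, problems):
    """Check a Google IdP URL against the documented format; return its idpid."""
    u = urlsplit(url.strip())
    if (u.scheme, u.hostname, u.path) != ("https", "accounts.google.com", path):
        problems.append(f"{label}: expected https://accounts.google.com{path}?idpid=<app-id>")
    ids = parse_qs(u.query).get("idpid", [])
    if len(ids) != 1:
        problems.append(f"{label}: missing or repeated idpid parameter")
        return None
    return ids[0]

def check_federation(issuer, login_url, acs_url, sp_entity_id, mappings):
    """Return a list of problems; an empty list means the values are consistent."""
    problems = []
    issuer_id = _google_idpid(issuer, "/o/saml2", "IdP Issuer", problems)
    login_id = _google_idpid(login_url, "/o/saml2/idp", "Login URL", problems)
    if issuer_id and login_id and issuer_id != login_id:
        problems.append("IdP Issuer and Login URL refer to different idpid values")
    acs = urlsplit(acs_url.strip())
    fed_id = acs.path.removeprefix("/federations/")  # Python 3.9+
    if (acs.scheme, acs.hostname) != ("https", "auth.double.cloud") or not fed_id or "/" in fed_id:
        problems.append("ACS URL: expected https://auth.double.cloud/federations/<id>")
    if sp_entity_id.strip() != acs_url.strip():
        problems.append("Entity ID must be the same federation login URL as the ACS URL")
    for attr, claim in EXPECTED_MAPPINGS.items():
        if mappings.get(attr) != claim:
            problems.append(f"Attribute mapping for {attr!r} should be {claim}")
    return problems
```

Call `check_federation(**SAMPLE)` with your own values substituted; each returned string names the field to recheck in the console.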

Step 5. (Optional) Add users

If you didn’t enable creating users automatically, you need to add them manually in the DoubleCloud console.

To add a federation user manually:

  1. Go to the DoubleCloud console.

  2. In the top bar, click your organization name → Manage organization.

  3. Select Members from the panel on the left.

  4. Under Invite to the organization, select SSO.

  5. In the dropdown, select your federation.

  6. Enter the emails of the users you want to invite and click Invite.

Step 6. Test the federation

  1. Log in to the DoubleCloud console using the federation URL.

  2. Authenticate on the Google Workspace login page you’re redirected to.
