Google Workspace
To configure Google Workspace as an SSO identity provider, click the button Configure New SSO in the Single-Sign On section of the organization admin settings. Then proceed with the steps below.
Step 1. Settings
In the first step, select Google Workspace as the identity provider. Then select the e-mail domains for which you want to set up SSO with Google Workspace. Finally, choose how new users should be handled. Then select Next.
Step 2. Configure Cluvio
Open the Google Admin Console and navigate to Apps » Web and mobile apps.
Select Add app » Add custom SAML app.
In the dialog that opens, enter Cluvio as the App name. Optionally add a description and upload a Cluvio logo. Then click Continue.
Under Option 1: Download IdP Metadata click DOWNLOAD METADATA to save the SAML metadata on your PC or laptop.
Return to the Cluvio SSO setup wizard and upload the metadata file to Cluvio.
Step 3. Configure Google
Return to the Google SSO setup and click Continue. Copy the ACS URL and Entity ID from Cluvio into the equivalently named fields in the Google setup wizard. Select EMAIL as the Name ID format. Then click CONTINUE.
Add mappings for the attributes firstname and lastname as shown below. Then click FINISH.
Return to the Cluvio SSO setup wizard and click Next to proceed with step 4.
Step 4. User Access
You must now enable user access on your new custom SAML app in Google Workspace. Follow the instructions shown to open the User access section of your custom SAML app in the Google Admin Console.
When you have configured access as desired, click Save.
Return to the Cluvio SSO setup wizard and click Next to proceed with step 5.
Step 5. Verification
Your Cluvio SSO configuration is now complete, but in order for the configuration to be activated and SSO logins to be enabled, it must be verified. Click Verify Configuration. Cluvio will open a popup window that performs SSO authentication with your identity provider and your Cluvio email address. If you are currently authenticated with the identity provider, the popup closes automatically and you see a success message.
At this point, all future Cluvio logins for users with e-mail addresses in the configured domains will redirect to Google for authentication and Google will redirect back to Cluvio when authentication is successful. Click Close to close the SSO setup wizard.
Reconfiguration
To reconfigure Google Workspace SSO, select Reconfigure in the SSO config drop-down menu in the organization admin section. The following dialog is shown.
In the Cluvio tab of the reconfiguration dialog you can inspect and update the Google Workspace metadata that Cluvio is using. Select Show Metadata to reveal the Google SAML metadata used by Cluvio.
Select Upload Metadata to upload new SAML metadata downloaded from Google Workspace. If Cluvio detects any changes, it will be indicated in the dialog. There are two use cases for uploading new metadata: updating certificates or linking Cluvio with a completely new Google Workspace custom SAML app. While the former needs to be done when the existing certificates expire, the latter is only necessary if you intentionally want to delete and recreate your Google Workspace custom SAML app for Cluvio.
In the Google Workspace tab of the reconfiguration dialog you can see the Cluvio metadata that must be used in the configuration of your Google Workspace custom SAML app.
Updating Certificates
To replace an expiring certificate, open the custom SAML app configuration for Cluvio in the Google Workspace Admin Console. The service provider details section shows the currently used certificate.
If you need to replace the certificate, click on Manage certificates and add a new certificate. Then click DOWNLOAD METADATA to download the new SAML metadata for Cluvio that includes the new certificate.
Reconfigure the Cluvio SSO configuration and upload the new metadata file. Check that the certificate expiration is updated, then click Save & Verify to save the changes. Verification of the updated metadata opens a popup window that authenticates with Google Workspace using your Cluvio email address. If verification fails, the previous metadata is automatically restored.
Once Cluvio is updated with the latest metadata that includes the new certificate, you can switch your Google Workspace custom SAML app to use the new certificate and delete the old certificate. This completes certificate rotation.
Cluvio periodically checks your Google Workspace SSO certificates for upcoming expiration. Starting 30 days before expiration Cluvio will send email notifications once a day to your Cluvio organization admins as a reminder to renew the certificates.
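An added example, not part of Cluvio's documentation or tooling: a local check to run before uploading a new metadata file, comparing it with the metadata currently in use (as revealed by Show Metadata) and listing which fields differ. It assumes both files follow the standard SAML 2.0 metadata schema; the function names, the idpid values and the placeholder certificate bytes are constructed for illustration, and the expectation that a certificate rotation changes only the certificate set is an assumption.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
DS = "{http://www.w3.org/2000/09/xmldsig#}"

def summarize(metadata_xml):
    """Extract entity ID, SSO endpoints and certificate fingerprints from IdP metadata."""
    root = ET.fromstring(metadata_xml)
    if root.tag != MD + "EntityDescriptor":
        raise ValueError("not a SAML EntityDescriptor")
    sso_urls = {e.get("Location") for e in root.iter(MD + "SingleSignOnService")}
    fingerprints = set()
    for e in root.iter(DS + "X509Certificate"):
        # Certificates are base64 DER, possibly wrapped across lines.
        der = base64.b64decode("".join((e.text or "").split()))
        fingerprints.add(hashlib.sha256(der).hexdigest())
    if not fingerprints:
        raise ValueError("metadata contains no X509Certificate")
    return {"entityID": root.get("entityID"), "sso_urls": sso_urls,
            "certificates": fingerprints}

def changed_fields(current_xml, new_xml):
    """Return the sorted names of the fields that differ between two metadata files."""
    cur, new = summarize(current_xml), summarize(new_xml)
    return sorted(k for k in cur if cur[k] != new[k])

def sample_metadata(idpid, cert_bytes):
    """Constructed stand-in for a downloaded metadata file (not a real certificate)."""
    cert = base64.b64encode(cert_bytes).decode()
    return (
        f'<md:EntityDescriptor xmlns:md="{MD[1:-1]}" '
        f'entityID="https://accounts.google.com/o/saml2?idpid={idpid}">'
        '<md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
        f'<md:KeyDescriptor use="signing"><ds:KeyInfo xmlns:ds="{DS[1:-1]}"><ds:X509Data>'
        f'<ds:X509Certificate>{cert}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>'
        '<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" '
        f'Location="https://accounts.google.com/o/saml2/idp?idpid={idpid}"/>'
        '</md:IDPSSODescriptor></md:EntityDescriptor>'
    )

# Constructed inputs: same IdP with a new certificate, and a different IdP entirely.
CURRENT = sample_metadata("C0constructed1", b"constructed certificate A")
ROTATED = sample_metadata("C0constructed1", b"constructed certificate B")
OTHER_IDP = sample_metadata("C0constructed2", b"constructed certificate B")

if __name__ == "__main__":
    print("rotation: ", changed_fields(CURRENT, ROTATED))
    print("other IdP:", changed_fields(CURRENT, OTHER_IDP))
```

If the result for an intended certificate rotation lists anything besides `certificates`, compare the file against the Google Admin Console before clicking Save & Verify.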