Setting Up a SAML2 Connector with Google Workspace

This guide will help you configure Google Workspace to use Hydda ID for Single Sign-On (SSO) using SAML2.

Prerequisites

Log in to the Customer's Google Workspace Admin Console:
- Open your web browser and go to admin.google.com.
- Log in using the customer's Google Workspace admin credentials.
Navigate to the Apps Section:
- From the Admin console Home page, click on the Menu icon (three horizontal lines) in the top-left corner to open the navigation menu.
- Select Apps from the menu.
Go to Web and Mobile Apps:
- In the Apps section, click on Web and mobile apps. If you don't see this option directly, it might be nested under Additional Google services or Other Google Services depending on your setup.

Initiate Adding a Custom App:
- Click on the Add App button located at the top of the page.
- From the dropdown menu, select Add custom SAML app.
Provide App Details:
- Enter a name for your new app (e.g., "Hydda ID SSO").
- Optionally, you can upload an app icon for easier identification.
- Click Continue to proceed to the SAML settings configuration.

Enter ACS URL:
- This is the Assertion Consumer Service URL where Google Workspace will send the SAML responses.
- Enter: https://587924-hydda-idp-development.auth.eu-north-1.amazoncognito.com/saml2/idpresponse.
Entity ID:
- Enter the unique identifier for Hydda ID.
- Enter: urn:amazon:cognito:sp:eu-north-1_afO8g66RA.
NOT YET SUPPORTED! ~~Start URL (Optional):~~
- ~~This is the URL where users are redirected when they initiate login from the Google Workspace dashboard.~~
- ~~Example: https://example.com/login.~~
Signed Response (Optional):
- Check this box if Hydda ID requires signed responses.
Name ID Format:
- Select EMAIL from the dropdown.
Name ID:
- Select Basic Information > Primary Email.
Click Continue after filling out the details.

SSO URL:
- Enter the Single Sign-On URL from Hydda ID's metadata. This is where Google Workspace will redirect authentication requests.
- Example: https://idp.hydda.com/sso.
Entity ID:
- Enter the Entity ID provided by Hydda ID.
- Example: https://idp.hydda.com/entity.
Click Continue to proceed.

Add the necessary attribute mappings based on Hydda ID's requirements. Common attributes include:
- FirstName: Select Basic Information > First Name and map it to first_name.
- LastName: Select Basic Information > Last Name and map it to last_name.
- Email: Select Basic Information > Primary Email and map it to email.
Click Finish to complete the SAML app setup.

Return to Web and Mobile Apps:
- In the Admin console, go back to Apps > Web and mobile apps.
Enable the App:
- Find your newly created SAML app in the list.
- Click on the three dots menu (more actions) next to the app name.
- Select On for everyone to enable the app for all users. Alternatively, you can customize the app to be enabled for specific organizational units.

Download the Metadata File:
- In the SAML app settings, there should be an option to download the metadata file.
- Download this file and provide it to Hydda for further configuration.

Ensure that the ACS URL and Entity ID are correctly configured in both Google Workspace and Hydda ID.
Review the attribute mappings to ensure they match the required fields in Hydda ID.
If you are testing auto-provisioning, ensure that this feature is enabled in both Hydda ID and the customer's Google Workspace settings.

Add Attribute Mappings:
- First name: Map to first_name.
- Last name: Map to last_name.
- Email: Map to email.
Provide Metadata File:
- Download the metadata file from Google Workspace and provide it to Hydda.