This document explains how to integrate the inWebo multi-factor authentication service with "Google Workspace (Google Apps) for Business" SAML 2.0 authentication (https://workspace.google.com/).
The inWebo strong authentication service supports many built-in interfaces such as RADIUS, SAML 2.0, Web Services API, Google Workspace and many more.
Users can download and manage inWebo tokens by themselves. To get the whole system up and running, your company's Google Workspace domain administrator only has to:
Create an inWebo account (2 min)
Download, install and activate one of the inWebo tokens (2 min)
Configure Google Workspace (Google Apps) connector in the inWebo account (2 min)
Configure inWebo on your Google Workspace account and enable Federated authentication (3 min)
Perform a test authentication (5 min)
Basically, the whole system can be up and running in 15 minutes.
In order to use inWebo with Google Workspace (https://workspace.google.com/), you need to have a valid Google Workspace (Google Apps) domain and have administrator rights for it. If you don’t have one already, you can get one here. In particular.
You also need to have administrator access to an inWebo Enterprise account. You can create your own inWebo account at the inWebo Signup page.
Set up your inWebo account
Connect to your inWebo administration console.
On the “Secure site” tab/page, add the Google Workspace (Google Apps) connector in the connectors section.
Create a connector of type Google Apps
Within the “Google Apps connector” popup:
Define your domain name
Copy the redirection URL
Download the verification certificate
Save by clicking on the “Add” button
The newly created connector is now visible in the connectors list (if not, repeat the previous step). You should now define one or several “Secure Sites” for this connector, i.e. URL shortcuts for your users to Mail, Calendar, Drive and any other services you have enabled in your Google Workspace domain. The previously configured Google Workspace comes with Mail, Calendar and Drive already configured.
You can only add a Secure Site of type Google Apps if the Google Apps connector has already been created.
The inWebo account set-up is now complete. Keep the inWebo administration console open, as you will need to come back to it later for testing.
Configure your Google Workspace (Google Apps) domain
Connect to your Google Workspace (Google Apps) domain control panel. You can access the control panel by typing “www.google.com/a/<your_domain.com>”
1. Log into the admin console of your Google Workspace apps account.
2. Choose "Security" within the menu.
3. In the security section, select "Set up single sign-on (SSO)"
Set SSO only for some users
To set SSO only for some users, you can move users into an organizational unit (OU) or group. Then, manage SSO settings for the OU or group.
4. Tick the "Setup SSO with third party identity provider" box.
5. Copy the information from the inWebo connector settings for your service.
6. In Google Workspace, fill in the following fields with the inWebo details and upload the certificate file.
7. Save changes.
Your Google Workspace domain configuration (i.e. “federation” with inWebo) is now complete.
Create a user and test inWebo authentication
Go back to your inWebo administration console, this time to the “Service users” tab/page, and select “Add a new user”.
For a given Google Workspace (Google Apps) user “test.user@mydomain.com”, you should define the login to be “test.user”, without the “@mydomain.com”. This is an important point: authentication will fail if the login is not defined this way.
For test purposes, tick the “Send an activation email” box. You might change the activation code distribution process for real users afterwards.
The test user should click on the activation code link in the received email.
The target page will give the test user a choice between various inWebo soft-tokens. For the sake of simplicity here, let’s assume the test user chooses to activate inWebo in his/her browser.
This is simply done by defining one’s own second factor (“inWebo password”).
The user is then redirected to his or her my inWebo page, from which he or she can connect to Google Mail. Note: mail.google.com/a/mydomain.com and www.gmail.com can still be used to access Google Mail; the Identity Provider is now inWebo.
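The login rule from the user-creation step above, as an added example (not inWebo's or Google's own code): a Python pre-flight check that derives the inWebo login from each Google Workspace address and flags entries that need attention before provisioning. The domain, the sample addresses, the function name and the lower-casing of logins are assumptions.

```python
# Added example: pre-flight check for the inWebo login rule
# (login = Google Workspace address without the "@domain" part).
# DOMAIN and SAMPLE_USERS are constructed values, not from a real tenant.

DOMAIN = "mydomain.com"
SAMPLE_USERS = [
    "test.user@mydomain.com",
    "Alice.Martin@MyDomain.com",
    "alice.martin@mydomain.com",   # same mailbox as the line above for Google
    "contractor@partner.example",  # not in the federated domain
    "no-at-sign",
]


def plan_inwebo_logins(addresses, domain):
    """Return (logins, problems).

    logins   maps each accepted address to the login to enter in inWebo.
    problems lists (address, reason) pairs to resolve before provisioning.
    """
    logins, problems, seen = {}, [], {}
    for raw in addresses:
        address = raw.strip()
        local, sep, host = address.rpartition("@")
        # The login must not keep any "@" and both parts must be present.
        if not sep or not local or not host or "@" in local:
            problems.append((address, "not a user@domain address"))
            continue
        if host.lower() != domain.lower():
            problems.append((address, "outside the federated domain"))
            continue
        # Assumption: logins are compared case-insensitively, as Google does
        # for mailbox names, so the login is stored in lower case.
        login = local.lower()
        if login in seen:
            problems.append((address, f"same login as {seen[login]}"))
            continue
        seen[login] = address
        logins[address] = login
    return logins, problems


if __name__ == "__main__":
    ok, bad = plan_inwebo_logins(SAMPLE_USERS, DOMAIN)
    for address, login in ok.items():
        print(f"{address:30} -> inWebo login: {login}")
    for address, reason in bad:
        print(f"{address:30} !! {reason}")
```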
Accessing Google Workspace (Google Apps)
After having federated Google Workspace with the inWebo Identity Provider, a user can access the service through www.google.com or www.google.com/a/mydomain.com. The user will be redirected to inWebo for the next authentication.
An admin can still access the admin console from www.google.com with traditional Google authentication (login/password, with or without Google 2-step authentication).