IdP Integration: Google Workspace

Configuration Guide for Google Apps

This guide provides information on how to set up Google Apps as an IdP for ZIA.

Prerequisites

Ensure that you have the following:

  • A Google Apps account with admin privileges

  • A ZIA account with an administrator role that allows you to add an IdP configuration


Configuring Google Apps as the IdP for the Zscaler Service

To configure Google Apps as the IdP for ZPA user and admin SSO:

  1. Log in to the Google Workspace (G Suite) account with administrator privileges to add SAML apps, then click the Admin app to go to the Admin Console.

  2. In the Admin console, click and expand "Apps" on the left-hand side of the page.

  3. Under "Apps", click "Web and mobile apps".

  4. On the "Web and mobile apps" page, click "Add App" and select "Add custom SAML app".

  5. On the "Add custom SAML app" page, enter the name of the app under "App name". If required, upload an application icon of your choice under "App icon" (note that the maximum file size is 4 MB), then click "Continue" at the bottom right-hand corner of the page.

  6. On the "Google Identity Provider details" page, scroll down to "Option 2: Copy the SSO URL, entity ID and certificate" and copy the link shown in "SSO URL" by clicking the copy icon. On the same page, download the certificate by clicking the download icon under the "Certificate" section. Click "Continue" at the bottom right-hand corner of the page to continue with the configuration.

  7. On the "Service provider details" page, fill in the following:

  • "ACS URL": https://login.[cloudname].net/sfc_sso

  • "Entity ID": [cloudname].net

  • Scroll down and set "Name ID format" to "EMAIL".

  • Under "Name ID", select "Basic Information > Primary email", as Zscaler uses the email address for the SAML integration.

  8. Once completed, click "Continue" to continue with the configuration.

  9. On the "Attribute mapping" page, map each "Google directory attribute" to an "App attribute". The app attribute names must match the attribute names configured in the Zscaler admin portal. Configure the mapping as below (Google directory attribute on the left, app attribute on the right):

  • "First name" --> "displayName"

  • "Department" --> "department"

  • "Cost center" --> "memberOf" (not mandatory: Google Workspace does not pass a group attribute to the service provider, so this mapping is only a placeholder)

  10. Once completed, click "FINISH" to complete the configuration.

  11. On the "Web and mobile apps" page in Google Workspace, click the SAML app that was just created.

  12. Once you are in the Zscaler app, click "User access".

  13. Under "Service status", select "ON for everyone" and click "Save" to save the configuration.


Configuring the Zscaler Internet Access Admin Portal to Add Google Workspace as the IdP

  1. Log in to the ZIA admin portal.

  2. Go to "Administration", then click "Authentication Settings".

  3. On the "Authentication Settings" page, set "Authentication Type" to "SAML".

  4. Click "Open Identity Providers" to configure the identity provider.

  5. On the "Identity Providers" tab, click "Add IdP".

  6. In the "Add IdP" pop-out, enter the following details under "General Info":

  • Name: Fill in an IdP name of your choice

  • Status: Toggle it to "Enabled"

  • SAML Portal URL: Paste the "SSO URL" copied from Google Workspace

  • Login Name Attribute: Fill in "NameID"

  • IdP SAML Certificate: Upload the certificate you downloaded from Google Workspace

  • Vendor: Select "Google Apps"

  7. Scroll down and, under "Service Provider (SP) Options", fill in the following:

  • Sign SAML Request: Leave it as Disabled

  8. Under "Provisioning Options", fill in the following:

  • Enable SAML Auto-Provisioning: Set to Enabled

  • User Display Name Attribute: Fill in "displayName"

  • Group Name Attribute: Fill in "memberOf" (since Google Workspace does not pass group names, this is a dummy attribute)

  • Department Name Attribute: Fill in "department"

  • Enable SCIM Provisioning: Leave it as Disabled

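When a login fails after this setup, the usual cause is a mismatch between what Google sends and what ZIA is configured to read. The script below is an added troubleshooting example (not Zscaler's or Google's code) that checks a SAML Response against the settings from the two sections above: Name ID format EMAIL, an Audience equal to the Entity ID, and the "displayName" and "department" app attributes from the attribute mapping step ("memberOf" is skipped because it is a dummy attribute). The sample response and the cloud name "zscloud-placeholder.net" are constructed placeholders; a real response would be the decoded SAMLResponse posted to the ACS URL.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
# App attribute names the ZIA side is told to read in the guide's Provisioning Options step.
REQUIRED_ATTRS = ("displayName", "department")   # memberOf is a dummy here, so not required


def check_saml_response(xml_text: str, expected_entity_id: str) -> list:
    """Return a list of mismatches against the guide's settings; [] means the assertion matches."""
    problems = []
    assertion = ET.fromstring(xml_text).find("saml:Assertion", NS)
    if assertion is None:
        return ["no saml:Assertion element in the response"]
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None:
        problems.append("NameID missing")
    elif name_id.get("Format") != EMAIL_FORMAT:
        problems.append("NameID format is not emailAddress")
    audience = assertion.find("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)
    if audience is None or (audience.text or "").strip() != expected_entity_id:
        problems.append("Audience does not match the Entity ID configured in Google")
    attrs = {a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", NS)]
             for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)}
    for name in REQUIRED_ATTRS:
        if not any(attrs.get(name, [])):
            problems.append(f"attribute {name} missing or empty")
    return problems


# Constructed sample response, shaped like what Google Workspace posts to the ACS URL.
# "zscloud-placeholder.net" stands in for the real [cloudname].net Entity ID.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion>
    <saml:Subject><saml:NameID
      Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
    </saml:Subject>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>zscloud-placeholder.net</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="displayName"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="department"><saml:AttributeValue>Security</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    print(check_saml_response(SAMPLE_RESPONSE, "zscloud-placeholder.net") or "assertion matches the guide")
```

The check covers the mapping only; signature validation is left to ZIA, which verifies it against the certificate uploaded in step 6.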

  9. Once completed, click "Save" at the bottom left of the pop-out to complete the configuration.

  10. Click the "Save" button at the bottom left corner of the tab to save the IdP configuration you performed.

  11. Click "Administration", then click "Activate" to activate the policy changes.