Google Workspace Integration
Google Workspace (formerly G Suite) is Google's cloud-based productivity and collaboration platform. This guide shows how to integrate Google Workspace with the Tailor Platform Auth service for enterprise SSO using SAML.
Prerequisites
- Google Workspace admin account
- A Tailor Platform workspace with Auth service enabled
- Basic understanding of SAML protocols
Setting up Google Workspace for SAML
Step 1: Access Admin Console
- Sign in to the Google Admin Console
- Navigate to Apps > Web and mobile apps
- Click Add app > Add custom SAML app
Step 2: Configure SAML Application
App details:
- App name: Your application name
- Description: Brief description
- App icon: Upload your application logo (optional)
Google Identity Provider details:
- Download the metadata XML file from Google (you'll need this for the Auth service configuration)
Service Provider details:
- ACS URL: https://{your-app-domain}/oauth2/callback
- Entity ID: https://api.tailor.tech/saml/{workspace_id}/{auth_namespace}/metadata.xml
- Name ID format: EMAIL
- Name ID: Basic Information > Primary email
Step 3: Configure Attribute Mapping
Map Google Workspace attributes to your application:
| Google Directory attributes | App attributes |
|---|---|
| Primary email | |
| First name | firstName |
| Last name | lastName |
Configuring Auth Service
Configure your Tailor Platform Auth service for Google Workspace using the downloaded metadata:
```hcl
resource "tailor_auth" "main_auth" {
  workspace_id = var.workspace_id
  namespace    = "main-auth"
}

# SAML Configuration
resource "tailor_auth_idp_config" "google_saml" {
  workspace_id = var.workspace_id
  namespace    = tailor_auth.main_auth.namespace
  name         = "google-saml"

  saml_config = {
    raw_metadata = var.google_saml_metadata
    sp_cert_base64 = {
      vault_name  = tailor_secretmanager_vault.default.name
      secret_name = tailor_secretmanager_secret.saml_cert.name
    }
    sp_key_base64 = {
      vault_name  = tailor_secretmanager_vault.default.name
      secret_name = tailor_secretmanager_secret.saml_key.name
    }
  }
}
```
Domain Verification
For Google Workspace SAML integration, you may need to verify domain ownership:
- In Google Admin Console, go to Security > Set up single sign-on (SSO)
- Add your application domain to the verified domains list
- Follow Google's domain verification process
Troubleshooting
Common Issues
Domain Not Verified
- Complete Google's domain verification process
- Ensure DNS records are properly configured
SAML Assertion Errors
- Verify Entity ID matches exactly
- Ensure user has access to the application
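In SAML, the Entity ID configured at the IdP comes back as the assertion's `Audience` and the ACS URL as the `Recipient`, so a captured `SAMLResponse` shows exactly what was typed into Google. The following added example (not Tailor Platform code) decodes such a response and reports mismatches against the URL shapes given in this guide. The function names, the `ws-123` workspace ID, the `app.example.test` domain and the sample response are constructed.

```python
import base64
import xml.etree.ElementTree as ET

SAML = "{urn:oasis:names:tc:SAML:2.0:assertion}"

def expected_sp(workspace_id, auth_namespace, app_domain):
    # URL shapes taken from the Service Provider details in this guide.
    return {
        "Audience": f"https://api.tailor.tech/saml/{workspace_id}/{auth_namespace}/metadata.xml",
        "Recipient": f"https://{app_domain}/oauth2/callback",
    }

def diagnose(saml_response_b64, expected):
    """Compare a captured SAMLResponse with the SP values. Diagnostic only:
    it does not verify the signature and must not be used to accept logins."""
    raw = base64.b64decode(saml_response_b64)
    if b"<!DOCTYPE" in raw or b"<!ENTITY" in raw:
        raise ValueError("refusing XML that carries a DTD")
    root = ET.fromstring(raw)
    seen = {
        "Audience": [(a.text or "") for a in root.iter(SAML + "Audience")],
        "Recipient": [d.get("Recipient", "") for d in root.iter(SAML + "SubjectConfirmationData")],
    }
    norm = lambda s: s.strip().rstrip("/").lower()
    problems = []
    for field, want in expected.items():
        if want in seen[field]:
            continue  # exact, byte-for-byte match
        if not seen[field]:
            problems.append(f"{field}: missing from response")
        for got in seen[field]:
            kind = ("near miss (case, whitespace or trailing slash)"
                    if norm(got) == norm(want) else "different value")
            problems.append(f"{field}: {kind}: got {got!r}, want {want!r}")
    return problems

def sample_response(audience, recipient):
    # Constructed, unsigned response used only to exercise diagnose().
    xml = (
        '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"><saml:Assertion>'
        f'<saml:Subject><saml:SubjectConfirmation><saml:SubjectConfirmationData Recipient="{recipient}"/>'
        '</saml:SubjectConfirmation></saml:Subject><saml:Conditions><saml:AudienceRestriction>'
        f'<saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction></saml:Conditions>'
        '</saml:Assertion></samlp:Response>'
    )
    return base64.b64encode(xml.encode()).decode()
```

Calling `diagnose(sample_response(want["Audience"] + "/", want["Recipient"]), want)` with `want = expected_sp("ws-123", "main-auth", "app.example.test")` reports the trailing slash as a near miss on `Audience`.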
Next Steps
- Log in to your app - Guide for user creation and login
- Configure user roles and permissions
- Set up machine users for API access
- Learn about Auth as a subgraph