Google Workspace Integration
Google Workspace (formerly G Suite) is Google's cloud-based productivity and collaboration platform. This guide shows how to integrate Google Workspace with the Tailor Platform Auth service for enterprise SSO using SAML.
Prerequisites
- Google Workspace admin account
- A Tailor Platform workspace with Auth service enabled
- Basic understanding of SAML protocols
Setting up Google Workspace for SAML
Step 1: Access Admin Console
- Sign in to the Google Admin Console
- Navigate to Apps > Web and mobile apps
- Click Add app > Add custom SAML app
Step 2: Configure SAML Application
App details:
- App name: Your application name
- Description: Brief description
- App icon: Upload your application logo (optional)
Google Identity Provider details:
- Download the metadata XML file from Google (you'll need this for the Auth service configuration)
Service Provider details:
- ACS URL:
https://{your-app-domain}/oauth2/callback - Entity ID:
https://api.tailor.tech/saml/{workspace_id}/{auth_namespace}/metadata.xml - Name ID format: EMAIL
- Name ID: Basic Information > Primary email
Step 3: Configure Attribute Mapping
Map Google Workspace attributes to your application:
| Google Directory attributes | App attributes |
|---|---|
| Primary email | |
| First name | firstName |
| Last name | lastName |
Configuring Auth Service
To configure the Auth service, you’ll need to download the Google Workspace IdP metadata XML and provide it as a string value.
1. Set the Metadata Variable
You can define the variable in one of two ways, depending on your setup:
Option A. Terraform variable file (terraform.tfvars)
Store the XML directly in your variables file
<span><span style="color: var(--shiki-color-text)">google_saml_metadata </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> </span><span style="color: var(--shiki-token-keyword)"><<EOF</span></span>
<span><span style="color: var(--shiki-token-string)"><?xml version="1.0" encoding="UTF-8"?></span></span>
<span><span style="color: var(--shiki-token-string)"><EntityDescriptor entityID="https://accounts.google.com/o/saml2?idpid=C123abc" xmlns="urn:oasis:names:tc:SAML:2.0:metadata"></span></span>
<span><span style="color: var(--shiki-token-string)"> ...</span></span>
<span><span style="color: var(--shiki-token-string)"></EntityDescriptor></span></span>
<span><span style="color: var(--shiki-token-keyword)">EOF</span></span>
<span></span>Option B. Environment variable
<span><span style="color: var(--shiki-token-keyword)">export</span><span style="color: var(--shiki-color-text)"> TF_VAR_google_saml_metadata</span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-token-string-expression)">"<?xml version='1.0' ... </EntityDescriptor>"</span></span>
<span></span>2. Reference the variables in the Auth configuration
<span><span style="color: var(--shiki-token-function)">resource</span><span style="color: var(--shiki-color-text)"> "tailor_auth" "main_auth" {</span></span>
<span><span style="color: var(--shiki-color-text)"> workspace_id </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> var.workspace_id</span></span>
<span><span style="color: var(--shiki-color-text)"> namespace </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> </span><span style="color: var(--shiki-token-string-expression)">"main-auth"</span></span>
<span><span style="color: var(--shiki-color-text)">}</span></span>
<span></span>
<span><span style="color: var(--shiki-token-comment)"># SAML Configuration</span></span>
<span><span style="color: var(--shiki-token-function)">resource</span><span style="color: var(--shiki-color-text)"> "tailor_auth_idp_config" "google_saml" {</span></span>
<span><span style="color: var(--shiki-color-text)"> workspace_id </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> var.workspace_id</span></span>
<span><span style="color: var(--shiki-color-text)"> namespace </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> tailor_auth.main_auth.namespace</span></span>
<span><span style="color: var(--shiki-color-text)"> name </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> </span><span style="color: var(--shiki-token-string-expression)">"google-saml"</span></span>
<span><span style="color: var(--shiki-color-text)"> </span></span>
<span><span style="color: var(--shiki-color-text)"> saml_config </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> {</span></span>
<span><span style="color: var(--shiki-color-text)"> raw_metadata </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> var.google_saml_metadata</span></span>
<span><span style="color: var(--shiki-color-text)"> sp_cert_base64 </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> {</span></span>
<span><span style="color: var(--shiki-color-text)"> vault_name </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> tailor_secretmanager_vault.default.name</span></span>
<span><span style="color: var(--shiki-color-text)"> secret_name </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> tailor_secretmanager_secret.saml_cert.name</span></span>
<span><span style="color: var(--shiki-color-text)"> }</span></span>
<span><span style="color: var(--shiki-color-text)"> sp_key_base64 </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> {</span></span>
<span><span style="color: var(--shiki-color-text)"> vault_name </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> tailor_secretmanager_vault.default.name</span></span>
<span><span style="color: var(--shiki-color-text)"> secret_name </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> tailor_secretmanager_secret.saml_key.name</span></span>
<span><span style="color: var(--shiki-color-text)"> }</span></span>
<span><span style="color: var(--shiki-color-text)"> }</span></span>
<span><span style="color: var(--shiki-color-text)">}</span></span>
<span></span>Domain Verification
For Google Workspace SAML integration, you may need to verify domain ownership:
- In Google Admin Console, go to Security > Set up single sign-on (SSO)
- Add your application domain to the verified domains list
- Follow Google's domain verification process
Troubleshooting
Common Issues
Domain Not Verified
- Complete Google's domain verification process
- Ensure DNS records are properly configured
SAML Assertion Errors
- Verify Entity ID matches exactly
- Ensure user has access to the application
Next Steps
- Log in to your app - Guide for user creation and login
- Configure user roles and permissions
- Set up machine users for API access
- Learn about Auth as a subgraph