---
myst:
  html_meta:
    "description lang=en": "Google Workspace Gsuite SAML setup guide for Workspaces authentication."
    "keywords": "Kasm, Google, GSuite, SAML, Google-Workspace"
    "property=og:locale": "en_US"
---
```{title} Google Workspace SAML Setup
```
## Google Workspace SAML Setup
### Create a new SAML configuration in Kasm
1. Log into the Kasm UI as an administrator.
2. Select **Authentication** -> **SAML** -> **Add Configuration**.
3. The **SAML 2.0 Configuration** page will auto-generate the **Entity ID**, **Single Sign On Service**, **Single Logout Server**, and **Relay State** values.
4. Check **Enable**, enter the **Hostname** of the Kasm Workspaces URL (e.g. `kasm.example.com`) and enter a **Display Name** (e.g. Login with Google).
5. Update the following Settings:
```{eval-rst}
+--------------------------+--------------+
| **Setting**              | **Value**    |
+--------------------------+--------------+
| Group Member Attribute   | groups       |
+--------------------------+--------------+
| NameID Attribute         | emailAddress |
+--------------------------+--------------+
| Want Attribute Statement | Unchecked    |
+--------------------------+--------------+
| Want Assertions Signed   | Unchecked    |
+--------------------------+--------------+
| Want Messages Signed     | Checked      |
+--------------------------+--------------+
| Want Name ID             | Checked      |
+--------------------------+--------------+
| Signature Algorithm      | rsa-sha256   |
+--------------------------+--------------+
| Digest Algorithm         | sha256       |
+--------------------------+--------------+
```
6. Leave this page open and continue to the next steps.
### Add a new application in Google Workspace
1. Open the **Google Admin** Console, expand **Apps**, then select **Web and mobile apps**.
```{figure} /images/saml/gsuite/portal.png
:align: center
:width: 30%
**Portal Navigation**
```
2. Select **Add app**, then click **Add custom SAML app**.
```{figure} /images/saml/gsuite/saml_apps.png
:align: center
:width: 90%
**SAML Apps**
```
3. Enter an App name (e.g. Kasm Workspaces), then select **Continue**.
```{figure} /images/saml/gsuite/app_name.png
:align: center
:width: 70%
**Add Applications**
```
4. Copy the Google IdP entries to the **Identity Provider** section of the Kasm SAML configuration started in the previous section. Then click **Continue**.
```{eval-rst}
+------------------------+------------------------------------+
| **Kasm Property Name** | **Google Workspace Property Name** |
+------------------------+------------------------------------+
| Entity ID              | Entity ID                          |
+------------------------+------------------------------------+
| Single Sign On Service | SSO URL                            |
+------------------------+------------------------------------+
| X509 Certificate       | Certificate                        |
+------------------------+------------------------------------+
```
```{figure} /images/saml/gsuite/g_idp.png
:align: center
:width: 70%
**Google IdP Information**
```
5. Copy the Kasm SAML configurations from the **Service Provider** section into the **Service Provider Details** section.
```{eval-rst}
+------------------------------------------------+------------------------------------+
| **Kasm Property Name**                         | **Google Workspace Property Name** |
+------------------------------------------------+------------------------------------+
| Entity ID                                      | Entity ID                          |
+------------------------------------------------+------------------------------------+
| Single Sign On Service                         | ACS URL                            |
+------------------------------------------------+------------------------------------+
| https:///#/staticlogin e.g.                    | Start URL                          |
| :code:`https://kasm.example.com/#/staticlogin` |                                    |
+------------------------------------------------+------------------------------------+
```
```{figure} /images/saml/gsuite/service_provider_details.png
:align: center
:width: 70%
**Service Provider Details**
```
6. Ensure the following settings are configured in the Google Workspace **Service Provider Details**. Select **Continue**.
```{eval-rst}
+-----------------+-----------------------------------+
| **Setting**     | **Value**                         |
+-----------------+-----------------------------------+
| Signed Response | Checked                           |
+-----------------+-----------------------------------+
| Name ID         | Basic Information / Primary Email |
+-----------------+-----------------------------------+
| Name ID Format  | EMAIL                             |
+-----------------+-----------------------------------+
```
7. If desired, select Google groups to pass to Kasm in the SAML assertion. Ensure the **App attribute**
is set to `groups` to match the **Group Member Attribute** previously configured in the Kasm SAML settings.
In this example, a previously created security group `KasmAdmins` is selected. When complete, select **Finish**.
```{figure} /images/saml/gsuite/group_membership.png
:align: center
:width: 70%
**Group Membership mapping**
```
8. Review the final Kasm SAML Configuration form. Click **Submit** to save.
```{figure} /images/saml/gsuite/final_kasm_config.png
:align: center
:width: 70%
```
### Enabling Access for Users
Once the Kasm SAML app is configured, access must be granted to Google users.
1. From the **Google Admin** Console, expand **Apps**, then select **Web and mobile apps**, then select **Kasm Workspaces**.
2. Click **User Access**.
```{figure} /images/saml/gsuite/edit_service.png
:align: center
:width: 70%
**Edit Service**
```
3. Select **ON for everyone** or for the desired Organizational Units or Groups, then click **Save**.
```{figure} /images/saml/gsuite/access.png
:align: center
:width: 70%
**Giving App Access**
```
## Group Mappings
In the previous steps, the Google Workspace SAML app was configured to pass the `KasmAdmins`
security group in the SAML assertion. The following example demonstrates how to associate the Google
group with a Kasm Group.
1. Log into the Kasm UI as an administrator.
2. Select **Groups** then select **View** next to the **Administrators Group**.
3. In the **SSO Group Mappings** section, select **Add SSO Mapping**.
4. Select **SAML-Login with Google** in the **SSO Provider** section.
5. Enter `KasmAdmins` in the **Group Attribute** section.
```{figure} /images/saml/gsuite/saml_group.png
:align: center
:width: 70%
```
### Testing Access
1. Log out of the Kasm UI if already logged in.
2. Navigate to the Kasm UI login page.
```{figure} /images/saml/gsuite/kasm_login.png
:align: center
:width: 70%
**Kasm Login**
```
3. Click **Login with Google** to initiate the SAML SSO process.
```{figure} /images/saml/gsuite/google_login.png
:align: center
:width: 70%
**Google Login**
```
4. After logging in, you should be redirected to the Kasm UI Dashboard. If the user was a member of
the `KasmAdmins` Google group, they should now be a member of the `Administrators` group within Kasm.
5. From another browser, log in to Google. Click the Google Apps icon in the top right corner. Scroll down and click **Kasm**. You should be logged into the Kasm UI Dashboard.
```{figure} /images/saml/gsuite/google_app.png
:align: center
:width: 50%
```
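
If the test login or the group mapping does not behave as expected, the base64 `SAMLResponse` form field from the browser's POST to the ACS URL can be checked against the settings chosen in this guide. The script below is an added example, not part of Kasm or Google tooling: `inspect_saml_response` is a hypothetical helper and the sample XML is constructed. It only inspects structure (where the signature sits, the NameID format, the `groups` attribute) and does not verify any signature.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"p": "urn:oasis:names:tc:SAML:2.0:protocol",
      "a": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

def inspect_saml_response(b64_response, group_attr="groups"):
    """Structural check of a response captured from your own test login.
    It does not verify any signature cryptographically."""
    root = ET.fromstring(base64.b64decode(b64_response))
    report = {"message_signed": root.find("ds:Signature", NS) is not None,
              "assertion_signed": False, "name_id": None, "groups": [], "problems": []}
    if not report["message_signed"]:
        report["problems"].append("Response not signed: enable Signed Response in Google")
    assertion = root.find("a:Assertion", NS)
    if assertion is None:
        report["problems"].append("no plaintext Assertion element found")
        return report
    report["assertion_signed"] = assertion.find("ds:Signature", NS) is not None
    name_id = assertion.find("a:Subject/a:NameID", NS)
    if name_id is None:
        report["problems"].append("NameID missing (Want Name ID is checked)")
    else:
        report["name_id"] = (name_id.text or "").strip()
        if name_id.get("Format") != EMAIL_FORMAT:
            report["problems"].append("NameID Format is not emailAddress")
    path = f"a:AttributeStatement/a:Attribute[@Name='{group_attr}']/a:AttributeValue"
    report["groups"] = [(v.text or "").strip() for v in assertion.findall(path, NS)]
    if not report["groups"]:
        report["problems"].append(f"no '{group_attr}' attribute: group mappings will not apply")
    return report

# Constructed sample (not real Google output); Signature body omitted for brevity.
SAMPLE_XML = """<p:Response xmlns:p="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:a="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <ds:Signature/>
  <a:Assertion>
    <a:Subject><a:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">admin@example.com</a:NameID></a:Subject>
    <a:AttributeStatement><a:Attribute Name="groups">
      <a:AttributeValue>KasmAdmins</a:AttributeValue>
    </a:Attribute></a:AttributeStatement>
  </a:Assertion>
</p:Response>"""
SAMPLE_B64 = base64.b64encode(SAMPLE_XML.encode())

if __name__ == "__main__":
    print(inspect_saml_response(SAMPLE_B64))
```

With the settings from this guide, `message_signed` should be true and `groups` should contain the value entered in the Kasm **Group Attribute** field.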