Google Workspace

Before We Dive In:

  1. You need a Google Business or Enterprise Workspace account with a verified domain. For now, no personal accounts, please!
  2. You should be a boss (Admin) of both your Google Workspace and your Privakey Passwordless SSO.
  3. Make sure the domains you use for Google and Privakey (e.g., “yourorganization.extension” as defined in each) are the same.

Let's Get Started!

STEP 1. Get Prepared! Get Google and Privakey ready to work together.

A) Turn on Privakey to work with Google Workspace:

  1. Hop into Privakey: Go to Privakey SSO and log in.
  2. Click on "Admin" at the top.
  3. Choose "+Configure New Service Provider" (found at the bottom of the Configured Service Providers section). On the page that follows, pick "Google Workspace" and hit “Configure”.
  4. Type in your domain (like acme.co, but use your own!).
  5. Click "Submit".

B) Get your Google Admin set up as a separate email/login if need be!

So, if you are the admin and want to keep using your email and the rest of Google Workspace WITH Privakey, we recommend moving admin capabilities to a separate login: create a dedicated company-admin account in Google and transfer the Google admin role from your current account to that new account. Yes, eventually you will be the only one left using a password with Google (until Google changes that policy), but at least you can finally eliminate almost all of those weak password doors hackers so readily exploit!

That was the BAD NEWS.

The GOOD NEWS? This is actually a best practice: keep super user/admin capabilities separate from personal email, and set a strong, dedicated password just for the admin function going forward! Feel better already, yes? 😀 “YES!”

C) Managing Google Workspace end-user migration onto Privakey: getting Google Workspace ready by setting up Google Organizational Units (OUs):

Think of OUs like folders in Google where you organize users who have the same capabilities in your Google Workspace. We're going to make one or more special folders for Privakey users so that each of your users can adopt Privakey individually, when they are ready!

Your Google Workspace already has one or more OUs defined. One top-level OU was created when you set up your Google Workspace account (it defaults to the domain you registered with Google Workspace, for example acme.co).

Many organizations will not have set up sub-OUs yet, and if you are one of them, don’t worry. Sub-OUs typically only come into play when you give different groups of Google users access to different Google applications. If you don’t already have OUs set up in Google, this step is super easy! Ours will be your first!

i) For those of you who don’t already have OUs set up, log in to your Google Admin account:

  1. In Google Admin (left-hand side bar), go to Directory > Organizational Units.
  2. Click "Create Organization Unit" at the top of the center window.
  3. Name the new organizational unit "Privakey Enabled" and make sure the parent organizational unit is your domain with Google Workspace. Click Create.

[Screenshot: Org Unit Example]

Later (in STEP 3), once someone has installed the Privakey software, you will turn them ON in Google Workspace simply by changing their current OU to the “Privakey Enabled” OU! You can now skip ahead to STEP 2, Linking.

ii) BUT, if you do have OUs already set up in Google (perhaps you or someone else set up groups of users that get access to different Google and related applications), then it is JUST a little more effort.

In Google Admin, go to Directory > Organizational Units.

  1. For each OU you have established, select that OU and create a new OU as a sub-group to that original OU, naming the new sub-OU “Privakey Enabled”. You should do this for every original OU where you have users for which you want to enable Privakey.

After creating the OUs your Organizational Unit Structure will resemble the diagram below.

AcmeCo
|__ Management             //Example Existing OU
|   |__ Privakey Enabled   //NEW – you add this
|
|__ Sales                  //Example Existing OU
|   |__ Privakey Enabled   //NEW – you add this
|
|__ Etc.                   //Other Existing OUs
    |__ Privakey Enabled

OU Example for Acme Co with existing OUs

Again, later (in STEP 3), once someone has loaded the Privakey software, you will turn them ON in the system simply by changing their OU membership from the original OU they belonged to, to the newly added “Privakey Enabled” sub-OU under that same original OU.

STEP 2. Linking: Making Google and Privakey Best Friends!

A) “Turn on” SSO for the Privakey Enabled OUs, while all other OUs/users keep using passwords:

In Google Admin, go to Security > Authentication > SSO with third party IDP.

Further down the page, in the center content area, is “Manage SSO profile assignments”. Click Get Started or Manage.

Click on each OU and sub-OU listed in the lower left hand navigation. For each OU and sub-OU:

  1. If the OU is named Privakey Enabled then select the box titled Organization's third-party SSO Profile. Select Save.
  2. If the OU is not named Privakey Enabled then select the box titled None (users will sign in with Google passwords as before). Select Save.

Here’s an example of what that page looks like, showing the selection for the top-most OU (the original OU, for example ACME CO, before Privakey capabilities were added), which should be set to “None”. For a Privakey Enabled OU you would select “Organization's third-party SSO profile”.

[Screenshot: Manage SSO Assignment - Example]

B) Setting up links between Privakey and Google:

1. Stay in the Google Admin window, and use the left hand navigation to navigate to Security > Authentication > SSO with third party IDP.

[Screenshot: Google SSO with third-party IDP page]

On that page find the section titled Third-party SSO profile for your organization.

It's tricky: there is also a section called Third-party SSO profiles. Ignore it. You want the one titled Third-party SSO profile for your organization, which is the top-most section of this page. Refer to the image above for a guide.

2. Click on the Box "Third-party SSO profile for your organization"

The page should look like the following image. If it doesn't, go back and make sure you selected Third-party SSO profile for your organization.

[Screenshot: Google SSO Config Page]

3. Go back to the Privakey Admin Home Page, select “Configure New Service Provider”, and then click “Show Privakey SAML configuration Data” in the card header to display your Privakey Passwordless SAML data. The following screen will show:

[Screenshot: Privakey SAML configuration Data Admin Portal Window]

4. Now, copy-paste the info from Privakey Admin Portal Window into Google:
a. Check the box “Set up SSO with third party identity provider”
b. For the Google Sign-in page URL: Use the Privakey SSO Login URL.
c. For the Google Sign-out page URL: Use the Privakey SSO Logout URL.
d. For the Change password URL in Google: Type in https://sso.privakey.com, and then, just one more thing!
e. The Verification Certificate: Download that file from Privakey, and upload as indicated into Google.

Here’s a sample of what you might be looking at in the Google Workspace Admin Window:

[Screenshot: Configure Google]

5. Click Save

C) LET'S CONFIGURE THE DEFAULT LOGIN BEHAVIOR FOR PEOPLE STILL USING PASSWORDS (in Google’s terms these are DOMAIN-SPECIFIC SERVICE URLS)

ONE LAST THING, WHILE YOU ARE ON THE MAIN PAGE FOR “Single sign-on (SSO) with third-party identity providers (IDPs)”.

The last card on the Google Admin Single sign-on (SSO) with third-party identity providers (IDPs) page is titled "Domain-specific Service URLs". We need to set up what happens when a Google Workspace user goes to certain Google URLs such as mail.google.com/a/yourdomain.com.

Click on the card "Domain-specific Service URLs".

[Screenshot: Domain Specific URL]

Select the second option - Require users to enter their username on Google's sign-in page first, and remember to click “Save”. This configuration will allow users who have not enabled Privakey Passwordless SSO to continue to use these types of URLs to access Google.

STEP 3. Turning On Privakey for Your Specific Team Members:

If you already have users using Privakey Passwordless SSO for other services you can skip to Step B. Enable Privakey Authentication in Google below.

The steps for onboarding new Privakey SSO users are:

A. Invite them from the Privakey Passwordless SSO Admin Console

Click on Admin in the top Navigation. The Admin dashboard for your company will display.

[Screenshot: Company Admin]

3. Manage Users

Click on Manage Users in the User card. A list of your current users will show.

4. Add User

In the upper right of the Manage Users card you will see a link +Add User.

Click + Add User. The New User form displays. Enter the user's First Name, Last Name and company email address.

They will receive an email with instructions on how to continue.

5. Instruct the invited colleague to set up Privakey

Advise the user to check their email. The email will come from noreply@privakey.com. The end-user will use this email to complete sign-up and create their first Privakey authenticator.

End-User instructions can be found here: Using the SSO - Getting Started

B. Enable Privakey Authentication in Google

Once your end-user has completed enrollment and has an active Privakey authenticator you can enable Google SSO Authentication for them in the Google Admin console by adding them to the appropriate Privakey Enabled OU.

1. Return to the Google Admin Console

Return to the Google Admin console.

2. Navigate to the User profile

Using the left-hand navigation, navigate to Directory > Users.

Find or search for the user for whom you want to enable Privakey Authentication.

3. Change their OU to Privakey Enabled

On their user page, click on Change Organizational Unit in the left hand navigation.

Assign them to the appropriate Privakey Enabled OU.

Congratulations

That user now has the Privakey App, can authenticate to Google Workspace using the Privakey App and will be able to access other services when they are configured.

Have them go to Google, enter their user-id and complete a login.

Repeat this step for every user who has enabled Privakey.

THAT'S IT!

🎉 YAY! That person can now use Privakey to log into Google Workspace!


IMPORTANT - Tips and Reminders:

Google Admins

If you're a Super Admin in Google, you can't use Privakey. But you can make a separate account for admin stuff and use Privakey for your regular account.

Turning Off Privakey (for Google Workspace)

  • If you ever want to turn off Privakey for an individual, just move them out of the "Privakey Enabled" OU in Google.
  • To disable Privakey for an entire OU, navigate to that OU's profile in Google (per section 2A above) and select “None” for that OU.
  • To disable Privakey Passwordless SSO for your entire company for Google Workspace, navigate to Single sign-on (SSO) with third-party identity providers (IDPs). Click the edit icon next to SSO profile for your organization and toggle the profile OFF. The entire company will revert to Google's username / password authentication for Google Workspace.
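To make the OU conventions from STEP 1C, STEP 2A, STEP 3B and the turn-off tips above concrete, here is an added Python example. It is not Privakey's or Google's code. It models the “Privakey Enabled” sub-OU layout, the per-OU SSO profile assignment rule (only OUs named Privakey Enabled get the organization's third-party SSO profile), and the OU a user should be moved to when Privakey is turned on or off for them. It goes slightly beyond the Acme Co diagram by also handling users who sit directly under the top-level OU. The OU list is a constructed sample, and the only real API detail assumed is the `orgUnitPath` field of the Admin SDK Directory API user resource; the code only builds that request body and makes no API calls.

```python
"""Plan a staged Privakey rollout across Google Workspace OUs (added example)."""

PRIVAKEY_OU = "Privakey Enabled"
SSO_ORG_PROFILE = "Organization's third-party SSO profile"
SSO_NONE = "None"

# Constructed sample: Acme Co already has two OUs. Management has its
# Privakey Enabled sub-OU, Sales does not, and the top-level OU "/" has none.
SAMPLE_OUS = ["/", "/Management", "/Management/Privakey Enabled", "/Sales"]


def ou_name(path: str) -> str:
    """Last component of an OU path ("/Sales/Privakey Enabled" -> "Privakey Enabled")."""
    return path.rstrip("/").rpartition("/")[2]


def ou_parent(path: str) -> str:
    """Parent OU path; the top-level OU "/" is its own parent."""
    head = path.rstrip("/").rpartition("/")[0]
    return head or "/"


def privakey_child(path: str) -> str:
    """Path of the Privakey Enabled sub-OU directly under `path`."""
    return "/" + PRIVAKEY_OU if path == "/" else path.rstrip("/") + "/" + PRIVAKEY_OU


def is_privakey_ou(path: str) -> bool:
    return ou_name(path) == PRIVAKEY_OU


def missing_privakey_sub_ous(ou_paths) -> list:
    """Sub-OUs still to be created so that every OU holding users (including
    the top-level OU) has a Privakey Enabled child, as laid out in STEP 1C."""
    existing = set(ou_paths)
    return sorted(
        privakey_child(p) for p in ou_paths
        if not is_privakey_ou(p) and privakey_child(p) not in existing
    )


def sso_assignment(path: str) -> str:
    """STEP 2A rule: only OUs named Privakey Enabled get the org SSO profile;
    every other OU stays on "None" (Google passwords)."""
    return SSO_ORG_PROFILE if is_privakey_ou(path) else SSO_NONE


def sso_assignment_table(ou_paths) -> dict:
    """Map every OU path to the SSO profile assignment it should carry."""
    return {p: sso_assignment(p) for p in ou_paths}


def target_ou(current: str, enable: bool) -> str:
    """OU a user should be moved to.

    enable=True  (STEP 3B): into the Privakey Enabled sub-OU of their current OU.
    enable=False (turn-off tip): back up to the parent of their Privakey Enabled OU.
    A user already in the requested state keeps their current OU.
    """
    if enable:
        return current if is_privakey_ou(current) else privakey_child(current)
    return ou_parent(current) if is_privakey_ou(current) else current


def directory_patch_body(current: str, enable: bool) -> dict:
    """Request body for an Admin SDK Directory API users.patch call.
    `orgUnitPath` is the real field name; the call itself is not made here."""
    return {"orgUnitPath": target_ou(current, enable)}


if __name__ == "__main__":
    print("OUs still to create:", missing_privakey_sub_ous(SAMPLE_OUS))
    for ou, profile in sso_assignment_table(SAMPLE_OUS).items():
        print(f"{ou:32} -> {profile}")
    print("Enable a Sales user:", directory_patch_body("/Sales", enable=True))
    print("Disable a Management user:",
          directory_patch_body("/Management/Privakey Enabled", enable=False))
```

Running the script lists the two sub-OUs Acme Co still needs (“/Privakey Enabled” and “/Sales/Privakey Enabled”), prints the assignment table, and shows the OU moves for enabling a Sales user and disabling a Management user. Keeping the logic in small functions makes it easy to review a rollout plan before anyone touches the Admin console.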

Document Version: 1.2 | January 17, 2024.