
MartinP.86402 (Customer) asked a question.
I found that Okta's existing Google Workspace template might be slightly out of date, as some minor issues with it prevent me and other admins from using it to configure SAML SSO for GWS.
The incompatibility seems to be a question of allowing admins to change the SP entity ID and ACS URL or to change those to Google's expected formatting in the Google Workspace app template provided in the Okta integration marketplace.
I did some testing and found the only incompatibility is that the Okta template insists on using https://google.com/a/acme.com and https://google.com/a/acme.com/acs as the SP Entity ID and ACS URL format, but Google is expecting https://accounts.google.com/samlrp/metadata?rpid=[ID] for the Entity ID and https://accounts.google.com/samlrp/acs?rpid=[ID] for the ACS URL.
They provide the exact IDs you need when you create the SAML SSO Profile, see attached image:
I found that when I create a custom SAML app using the Entity ID and ACS URL provided by Google during the profile config, the authentication and redirections work as expected. When I compare the SAML assertions, the only thing that changes (save for the things that MUST change) is the entity ID and the ACS URL I am directed to during the login flow.
So now I have SAML and SCIM for Google Workspace in two different apps on Okta; however, this is not ideal.
My suggestions are:
Change the format of the SP Entity ID and ACS URL in the app template to match what Google is expecting. Instead of asking for the domain "acme.com", the admin would need to be asked for the SAML SSO Profile ID found during the configuration on GWS, indicated by the first two red boxes in the image above at the ends of the URLs.
OR
You can simply allow admins to specify the Entity ID and ACS URL within the Google Workspace app template on Okta.
Please fix this, Okta. I don't want to set up SCIM for the custom app, as I've built a lot out of the existing Google Workspace app template and would need to redo a lot of work. Not to mention that SCIM is not as simple to set up or keep authenticated, specifically for GWS, in the custom app.

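The comparison described in the post above (the Okta template app and a custom SAML app differ only in the SP Entity ID and ACS URL that Google's SAML SSO profile expects), written out as an added example that is not code from the original post, from Okta or from Google. It builds both URL formats from a profile ID or domain and then checks a base64-decoded SAML Response for the three places those values appear: the Destination on the Response, the Recipient in SubjectConfirmationData, and the Audience restriction. The rpid value, the issuer and the sample Response are constructed placeholders, not a real capture.

```python
from __future__ import annotations

import xml.etree.ElementTree as ET
from dataclasses import dataclass

# SAML 2.0 namespaces used in Okta-issued responses.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}


@dataclass(frozen=True)
class SpEndpoints:
    """The two SP values that differ between the template app and the custom app."""
    entity_id: str
    acs_url: str


def google_sso_profile_endpoints(rpid: str) -> SpEndpoints:
    """Entity ID / ACS URL format Google shows when you create a SAML SSO profile."""
    return SpEndpoints(
        entity_id=f"https://accounts.google.com/samlrp/metadata?rpid={rpid}",
        acs_url=f"https://accounts.google.com/samlrp/acs?rpid={rpid}",
    )


def legacy_domain_endpoints(domain: str) -> SpEndpoints:
    """Format the Okta Google Workspace app template produces, per the post."""
    return SpEndpoints(
        entity_id=f"https://google.com/a/{domain}",
        acs_url=f"https://google.com/a/{domain}/acs",
    )


def extract_sp_fields(saml_response_xml: str) -> dict[str, str | None]:
    """Pull the SP-facing fields out of a decoded SAML Response.

    xml.etree is not hardened against hostile XML; for responses you did not
    capture yourself, parse with defusedxml instead. This helper also does not
    verify the XML signature; it only inspects where the assertion is aimed.
    """
    root = ET.fromstring(saml_response_xml)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no saml:Assertion in response (encrypted or malformed?)")
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    audience = assertion.find("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)
    return {
        "destination": root.get("Destination"),
        "recipient": scd.get("Recipient") if scd is not None else None,
        "audience": (audience.text or "").strip() if audience is not None else None,
    }


def check_response(saml_response_xml: str, expected: SpEndpoints) -> list[str]:
    """Return the mismatches between the response and `expected`; [] means it lines up."""
    fields = extract_sp_fields(saml_response_xml)
    checks = [
        ("Destination", fields["destination"], expected.acs_url),
        ("Recipient", fields["recipient"], expected.acs_url),
        ("Audience", fields["audience"], expected.entity_id),
    ]
    return [f"{name}: got {got!r}, expected {want!r}" for name, got, want in checks if got != want]


# Constructed sample (not a real capture): rpid, issuer, IDs and timestamps are placeholders.
SAMPLE_RPID = "0123456789abcdef"
SAMPLE_RESPONSE = f"""<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_resp1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z"
    Destination="https://accounts.google.com/samlrp/acs?rpid={SAMPLE_RPID}">
  <saml2:Issuer>http://www.okta.com/EXAMPLE_ISSUER</saml2:Issuer>
  <saml2p:Status><saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></saml2p:Status>
  <saml2:Assertion ID="_assert1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml2:Issuer>http://www.okta.com/EXAMPLE_ISSUER</saml2:Issuer>
    <saml2:Subject>
      <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">user@acme.com</saml2:NameID>
      <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml2:SubjectConfirmationData NotOnOrAfter="2024-01-01T00:05:00Z"
            Recipient="https://accounts.google.com/samlrp/acs?rpid={SAMPLE_RPID}"/>
      </saml2:SubjectConfirmation>
    </saml2:Subject>
    <saml2:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2024-01-01T00:05:00Z">
      <saml2:AudienceRestriction>
        <saml2:Audience>https://accounts.google.com/samlrp/metadata?rpid={SAMPLE_RPID}</saml2:Audience>
      </saml2:AudienceRestriction>
    </saml2:Conditions>
  </saml2:Assertion>
</saml2p:Response>"""


if __name__ == "__main__":
    # The same response matches the Google profile format and fails the legacy template format.
    print("google format:", check_response(SAMPLE_RESPONSE, google_sso_profile_endpoints(SAMPLE_RPID)))
    print("legacy format:", check_response(SAMPLE_RESPONSE, legacy_domain_endpoints("acme.com")))
```

To run it against a real login, decode the SAMLResponse form value (base64, then optionally inflate) from a SAML tracer capture and pass the XML to check_response with the rpid from your Google SAML SSO profile; the three mismatches it reports for the legacy format are exactly the fields the post identifies as the only differences between the two apps.
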
Hi @MartinP.86402 (Customer),
Thank you for posting on our Community page!
We appreciate your input. Please raise this issue as a feature request on our ideas.okta.com webpage so our Engineers can check it out and take it into account.
Hope this helps!
Thank you for reaching out to our Community and have a great day!