SSO Google

Locktera SSO Integration with Google Workspace

This guide provides a step-by-step process for integrating Locktera with Google Workspace to enable Single Sign-On (SSO) and user provisioning using SCIM (System for Cross-domain Identity Management). With this integration, organizations can leverage Google Workspace for seamless user authentication and synchronization of user accounts in Locktera.

Table of Contents

  1. Prerequisites

  2. Integration Overview

  3. Step-by-Step Integration Process

    1. Step 1: Configure SAML SSO for Locktera in Google Workspace

    2. Step 2: Enable SSO in Locktera

    3. Step 3: Enable SCIM Provisioning in Locktera

    4. Step 4: Configure SCIM User Provisioning with Google Directory Sync

  4. Testing the Integration

  5. Troubleshooting

  6. FAQs

Prerequisites

Before you begin, make sure that you have the following:

  • A Google Workspace admin account with access to configure SAML applications and manage user attributes.

  • A Locktera admin account with access to configure SSO and user provisioning.

  • A Locktera subscription in which SCIM provisioning is available.

  • Users to be synchronized between Google Workspace and Locktera.

Integration Overview

By integrating Locktera with Google Workspace, you can enable:

  1. Single Sign-On (SSO): Users will be able to log in to Locktera using their Google Workspace credentials.

  2. SCIM User Provisioning: Google Workspace will automatically manage user accounts in Locktera by creating, updating, and deactivating users via SCIM.

Step-by-Step Integration Process

Step 1: Configure SAML SSO for Locktera in Google Workspace
  1. Log in to the Google Admin Console (admin.google.com).

  2. Navigate to Apps > Web and mobile apps.

  3. Click on the + Add App button and select Add custom SAML app.

  4. In the App Details section:

    • App name: Enter "Locktera".

    • App description: (Optional) Enter a description for the app.

    • Upload a logo for Locktera (optional).

  5. Click Continue to proceed to the Google IdP Information section.

  6. Download the IdP metadata file or copy the SSO URL, Entity ID, and Certificate. You will need this information later to configure Locktera.

  7. Click Continue and proceed to the Service Provider Details section.

  8. Configure the following settings:

    • ACS URL (Assertion Consumer Service URL): This is the URL where Locktera expects SAML responses (e.g., https://locktera.com/saml/acs).

    • Entity ID (SP Entity ID): The unique identifier for Locktera's SAML service (e.g., https://locktera.com/saml/metadata).

    • Name ID Format: Set this to EMAIL.

    • Name ID: Set this to Primary email.

  9. Click Continue and proceed to the Attribute Mapping section:

    • Add the following user attribute mappings as needed:

      • First Name → firstName

      • Last Name → lastName

      • Email → email

  10. Click Finish to complete the SAML configuration in Google Workspace.

Step 2: Enable SSO in Locktera
  1. Log in to the Locktera Admin Portal.

  2. Navigate to Settings > Integrations and select Single Sign-On (SSO).

  3. Select SAML as the SSO method and provide the following details:

    • SSO URL: Paste the SSO URL from Google Workspace.

    • Entity ID: Enter the Entity ID from Google Workspace.

    • X.509 Certificate: Paste the certificate from Google Workspace.

  4. Save the configuration.

  5. Ensure SSO is enabled for your organization.
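
The IdP values copied in Step 1 and pasted in Step 2 can be checked against the downloaded metadata file before users are affected. The following is an added example, not Locktera or Google code: the sample metadata, its idpid and its certificate bytes are constructed placeholders, and the function names are hypothetical.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample shaped like a Google IdP metadata download.
# The idpid and the certificate body are placeholders, not real values.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://accounts.google.com/o/saml2?idpid=C0example">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:X509Data>
      <ds:X509Certificate>AAECAwQFBgcI
        CQoLDA0ODw==</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://accounts.google.com/o/saml2/idp?idpid=C0example"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def cert_fingerprint(cert_text):
    """SHA-256 of the certificate bytes, ignoring PEM armor and line wrapping."""
    body = "".join(l.strip() for l in cert_text.splitlines() if "-----" not in l)
    return hashlib.sha256(base64.b64decode(body, validate=True)).hexdigest()

def read_idp_metadata(xml_text):
    # The file comes from your own admin console; use defusedxml for untrusted XML.
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    sso = {e.get("Binding").rsplit(":", 1)[-1]: e.get("Location")
           for e in idp.findall("md:SingleSignOnService", NS)}
    certs = [cert_fingerprint(c.text) for c in idp.findall(
        "md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)]
    return {"entity_id": root.get("entityID"), "sso_urls": sso, "cert_sha256": certs}

def compare_with_sp_config(meta, sso_url, entity_id, cert_text):
    """Return the names of the Step 2 fields that differ from the IdP metadata."""
    problems = []
    if sso_url.strip() not in meta["sso_urls"].values():
        problems.append("SSO URL")
    if entity_id.strip() != meta["entity_id"]:
        problems.append("Entity ID")
    if cert_fingerprint(cert_text) not in meta["cert_sha256"]:
        problems.append("X.509 Certificate")
    return problems
```

Comparing certificates by fingerprint rather than as strings avoids false mismatches when one copy is PEM-wrapped and the other is the bare base64 from the metadata file.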

Step 3: Enable SCIM Provisioning in Locktera
  1. In the Locktera Admin Portal, navigate to Settings > Integrations.

  2. Enable SCIM Provisioning and retrieve the following details:

    • SCIM Base URL: The URL where Locktera accepts SCIM provisioning requests (e.g., https://locktera.com/scim/v2).

    • SCIM Bearer Token: This token will be used for authentication between Google Workspace and Locktera.

  3. Save these details for configuring SCIM in Google Directory Sync.

Step 4: Configure SCIM User Provisioning with Google Directory Sync

Since Google Workspace does not have native SCIM provisioning capabilities, you will need to use a third-party tool (such as Google Cloud Directory Sync or Okta if applicable) to synchronize users between Google Workspace and Locktera.

  1. Set up Google Cloud Directory Sync (GCDS) or another third-party tool to sync your user directory with Locktera.

  2. In the provisioning tool, configure the SCIM connection using the SCIM Base URL and SCIM Bearer Token obtained from Locktera.

  3. Define the user attributes that will be synchronized from Google Workspace to Locktera (e.g., email, firstName, lastName).

  4. Enable automatic provisioning and de-provisioning of users in Locktera based on changes in Google Workspace.

  5. Test the connection to ensure that users are synced successfully.
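
The requests a provisioning tool sends for a create and a deactivation, built here without sending them, as an added example that is not Locktera's or any tool's own code. It assumes Locktera's endpoint accepts the standard SCIM 2.0 core User schema (RFC 7643) and PatchOp messages (RFC 7644), which this guide does not confirm; the function names and sample values are hypothetical.

```python
import json
from urllib.parse import quote, urlsplit

USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"

def _request(method, base_url, path, token, body):
    # The bearer token is a standing credential: never attach it to a non-TLS URL.
    if urlsplit(base_url).scheme != "https":
        raise ValueError("SCIM Base URL must use https")
    return {"method": method,
            "url": base_url.rstrip("/") + path,
            "headers": {"Authorization": "Bearer " + token,
                        "Content-Type": "application/scim+json"},
            "body": json.dumps(body, sort_keys=True)}

def create_user(base_url, token, email, first_name, last_name):
    """Map the guide's email/firstName/lastName onto SCIM core attributes (assumed schema)."""
    body = {"schemas": [USER_SCHEMA], "userName": email, "active": True,
            "name": {"givenName": first_name, "familyName": last_name},
            "emails": [{"value": email, "primary": True}]}
    return _request("POST", base_url, "/Users", token, body)

def deactivate_user(base_url, token, scim_id):
    """De-provisioning as a PATCH that sets active=false on the user's SCIM id."""
    body = {"schemas": [PATCH_SCHEMA],
            "Operations": [{"op": "replace", "path": "active", "value": False}]}
    return _request("PATCH", base_url, "/Users/" + quote(scim_id, safe=""), token, body)

def redact(req):
    """Copy of a request that is safe to write to provisioning logs."""
    return {**req, "headers": {**req["headers"], "Authorization": "Bearer <redacted>"}}
```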

Testing the Integration

Testing SSO
  1. Assign the Locktera SSO application to a user in Google Workspace.

  2. Log in to Google Workspace as the assigned user and navigate to the Google Apps Dashboard.

  3. Click on the Locktera application icon.

  4. Verify that the user is logged into Locktera without entering additional credentials.

Testing SCIM Provisioning
  1. In Google Workspace, add a new user or group and assign them to the Locktera app.

  2. Verify that the user is automatically provisioned in the Locktera Admin Portal.

  3. Update a user’s details in Google Workspace (e.g., name, email) and confirm that the changes are reflected in Locktera.

  4. Remove a user from the Locktera app in Google Workspace and verify that the user is deactivated or removed in Locktera.

Troubleshooting

  • SSO Authentication Errors: Double-check the SSO URL, Entity ID, and Certificate configurations in both Locktera and Google Workspace.

  • SCIM Provisioning Failures: Ensure the SCIM Base URL and Bearer Token are correct, and review logs in both Locktera and the provisioning tool for errors.

  • User Sync Delays: SCIM provisioning can take several minutes. If syncing is delayed, check the provisioning tool logs for status updates.

FAQs

Q: Does Google Workspace support SCIM provisioning directly?
A: No, Google Workspace does not natively support SCIM provisioning. You will need to use a third-party tool like Google Cloud Directory Sync (GCDS) or an identity provider like Okta to enable SCIM synchronization with Locktera.

Q: Can I sync custom attributes between Google Workspace and Locktera?
A: Yes, custom attributes can be mapped during the provisioning process using a third-party SCIM integration tool.

Q: How often does user provisioning sync occur?
A: Sync intervals depend on the third-party SCIM integration tool you're using. You can typically schedule regular syncs or trigger manual synchronization.

Conclusion

By integrating Locktera with Google Workspace, you can simplify user authentication and management. Users can securely access Locktera using their Google Workspace credentials through SAML-based SSO, and user accounts can be automatically provisioned, updated, and deactivated using SCIM with the help of third-party tools.