Google Workspace - SAML IDR SSO Configuration - RSA Ready Implementation Guide
Originally Published: 2021-10-30

This article describes how to integrate RSA Cloud Authentication Service with Google Workspace (formerly G Suite) using SAML IDR SSO.

Configure RSA Cloud Authentication Service

Perform these steps to configure RSA Cloud Authentication Service as IDR SSO to Google Workspace.
Procedure

  1. Sign in to RSA Cloud Administration Console and browse to Applications > Application Catalog.
  2. Search for G Suite and click Add to add the connector.
  3. On the Basic Information page, choose Identity Router.
  4. Enter the name for the application in the Name field and click Next Step.
  5. On the Connection Profile page, choose IdP-initiated and enter the Connection URL in the following format: https://mail.google.com/a/%DOMAIN% (replace %DOMAIN% with the domain name of your Workspace connected domain).
  6. In the Identity Provider section, perform the following sub-steps:
    1. Make a note of the Identity Provider URL that is required in the Workspace configuration.
    2. Under Identity Provider Entity ID, click the Override option and enter https://www.opensaml.org/IDP in the text field.
    3. Import a private/public key pair to sign and validate SAML assertions. If a key is unavailable, follow the sub-steps to generate a certificate bundle. Otherwise, continue to the next step.
      1. Click Generate Certificate Bundle in the SAML Response Signature section.
      2. Enter a common name for your Identity Router domain in the Common Name (CN) field.
      3. Click Generate and Download, save the certificate bundle zip file to a secure location, and extract its contents. The zip file contains a private key, a public certificate, and a certificate signing request.
  7. Fill in the Service Provider section details in the following format:
    1. In the Assertion Consumer Service (ACS) URL and Audience (Service Provider Entity ID) fields, enter the URL in this format: https://www.google.com/a/%DOMAIN%/acs (replace %DOMAIN% with the domain name of your Workspace connected domain).
  8. In the User Identity section, select Email Address in the Identifier Type drop-down list, select the name of your user Identity Source, and select the Property value as mail.
  9. On the User Access page, select the access policy that the identity router will use to determine which users can access the Workspace service provider.
  10. Click Next Step.
  11. On the Portal Display page, configure the portal display and other settings.
  12. Click Save and Finish.
  13. Click Publish Changes and wait for the operation to complete.

Configure Google Workspace

Perform these steps to configure Google Workspace.
Procedure
  1. Sign in to the Workspace administrator console at https://admin.google.com.
  2. Go to Security > Authentication > SSO with third-party IdP.
  3. On the SSO with third-party IdP page, do the following:
    1. Select the Set up SSO with third-party identity provider check box.
    2. In the Sign-in page URL field, enter the Identity Provider URL obtained from the RSA Cloud Authentication Service configuration.
    3. In the Sign-out page URL field, enter https://google.com.
    4. Verification certificate: Upload the public certificate extracted from the RSA Cloud Authentication Service configuration.
  4. Click Save.

Note: The domain connected to your Workspace account must be verified before using third-party SAML IdP. If the domain is not verified, follow https://support.google.com/a/answer/60216?hl=en&ref_topic=29190 to get your domain verified before proceeding.

The configuration is complete.
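
To confirm that the values entered in both procedures line up, the following added example (not RSA or Google code) compares a decoded SAML response from a test sign-in against the Entity ID override and the ACS URL/Audience format given above. The domain example.com, the sample response, and the function names are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
IDP_ENTITY_ID = "https://www.opensaml.org/IDP"  # Entity ID override from step 6

# Constructed sample (not real traffic): a decoded response for example.com.
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    Destination="https://www.google.com/a/example.com/acs">
  <saml:Assertion>
    <saml:Issuer>https://www.opensaml.org/IDP</saml:Issuer>
    <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>https://www.google.com/a/example.com/acs</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def acs_url(domain):
    """ACS URL / Audience from step 7, with %DOMAIN% filled in."""
    return f"https://www.google.com/a/{domain}/acs"


def check_response(xml_text, domain):
    """Return the mismatches between a decoded response and the guide's settings.

    Compares values only; it does not verify the XML signature.
    """
    root = ET.fromstring(xml_text)
    text = lambda path: (root.findtext(path, "", NS) or "").strip()
    found = {
        "Destination": root.get("Destination", ""),
        "Issuer": text("saml:Assertion/saml:Issuer"),
        "Audience": text("saml:Assertion/saml:Conditions/"
                         "saml:AudienceRestriction/saml:Audience"),
    }
    wanted = {"Destination": acs_url(domain), "Issuer": IDP_ENTITY_ID,
              "Audience": acs_url(domain)}
    problems = [f"{k}: got {found[k]!r}, expected {wanted[k]!r}"
                for k in wanted if found[k] != wanted[k]]
    # Step 8 sends the user's mail attribute, so NameID should be an email address.
    name_id = text("saml:Assertion/saml:Subject/saml:NameID")
    local, _, host = name_id.partition("@")
    if not local or not host or "@" in host:
        problems.append(f"NameID: {name_id!r} is not an email address")
    return problems
```

An empty list means the Destination, Issuer, Audience and NameID all match what the guide configures; signature validation against the uploaded verification certificate is still performed by Google Workspace at sign-in.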