Google Integration

Customer IT / SpaceIQ Onboarding Team

 

SiQ supports integration with the Google identity management system. This document details how to configure the Google integration for SiQ.

Note: It is not possible to import (or pull) new users or profile updates from within SiQ. The information must be pushed from Google. 


Prerequisites

  • You will need a Google account with super administrator privileges to complete this integration, and for the SiQ setup you must have a SiQ Admin or an IT role.

Note: The steps for Google in this document are based on the official documentation from Google, found within this URL

Set up SSO using SAML for SiQ

This section describes how to set up SSO using SAML (Security Assertion Markup Language), so your users can use their Google Cloud credentials to sign in to the SiQ app.

Step 1. Find the Google Identity Provider (IdP) information

From the Google Admin Console, complete the following:

  1. Sign in to admin.google.com as an Administrator.
  2. From the Admin console Home page, navigate to Apps > Web and mobile apps.

  3. Click Add app > Search for apps.

  4. In the Search field, enter SiQ.

  5. In the search results, hover over the SiQ SAML app and click Select.


From the Google Identity Provider details screen:

  1. From the SSO URL field, copy the SSO URL and then paste it into the SAML Identity Provider Issuer field of the Google integration in the SiQ Web App.
  2. Copy and save the Entity ID.
  3. Download the Certificate.

Leave the Admin console open.

Step 2. Activate the Google Integration in SiQ

From the SiQ Web App, complete the following:

  1. Click your Profile Name in the top right corner.
  2. Click Settings. The Settings screen displays.
  3. From the left menu, click Integrations.
  4. From the Third Party Integrations area, click the READ MORE link. The Integrations screen displays.

You can either search for Google in the Search field or navigate to the Google tile. To navigate, complete the following:

  1. From the left menu, click Provisioning & SSO.
  2. For Google, click the Activate button.

The Google dialog displays and contains the Provisioning tab and the SSO tab.

  3. Click the SSO tab.
  4. In the x.509 Certificate field, paste the certificate you downloaded in Step 1.
  5. From the SAML Entity ID URI field, copy and save the SAML Entity ID URL, which contains your unique SiQ ID. You'll need this URL when you finish configuration in the Admin console in the next step.

Step 3. Complete the SSO Configuration in Google

From the Google Admin Console, complete the following:

  1. In the Google Identity Provider details screen, click the Continue button.
  2. On the Service provider details screen, replace the default ACS URL with the SAML Entity ID URL you copied in Step 2.
  3. Click the Continue button. Note: Attribute mapping is not required for SiQ.
  4. On the Attribute mapping screen, click the Finish button.

Step 4. Enable the SiQ app in Google

From the Google Admin Console, complete the following:

  1. From the Admin console Home page, navigate to Apps > Web and mobile apps.
  2. Open the SiQ app.
  3. Click User access.
  4. To turn on or off a service for everyone in your organization, click On for everyone or Off for everyone, and then click the Save button.
  5. (Optional) To turn a service on or off for an organizational unit:
    1. At the left, select the organizational unit.
    2. Select On or Off.
    3. Click Override to keep your setting if the service for the parent organizational unit is changed.
    4. If Overridden is already set for the organizational unit, choose an option:
      • Inherit - Reverts to the same setting as its parent.
      • Save - Saves your new setting (even if the parent setting changes).
  6. (Optional) To turn on the service for a group of users, use access groups to turn on a service for specific users within or across your organizational units.
  7. Ensure that your SiQ user account email IDs match those in your Google domain.

Step 5. Test that the SSO is Working

Note: SpaceIQ only supports IdP initiated SSO. You can’t use SSO if you sign in directly to SpaceIQ.

From the Google Admin Console, complete the following:

  1. From the Admin console Home page, navigate to Apps > Web and mobile apps.
  2. Open the SiQ application.
  3. At the top left, click Test SAML login.
  4. SiQ should open in a separate tab. You will be automatically redirected to your SiQ account.

If it doesn’t, use the information in the resulting SAML error messages to update your IdP and SP settings as needed, then retest SAML login.

Configure the SiQ auto-provisioning

This section describes how to set up automated user provisioning for the SiQ app. Afterward, you can authorize, create, modify, or delete a user's identity in Google Workspace. Any changes are also reflected in the SiQ app.

Step 6. Copy SiQ SCIM Bearer Token

After you have set up the SSO, you can complete the configuration for the automated user provisioning.

From the SiQ Web app, complete the following:

  1. Click the Provisioning tab.
  2. From the SCIM BearerToken field, copy and save the token to a secure location for later use.

Step 7. Set up auto-provisioning for the SiQ application in Google

From the Google Admin Console, complete the following:

  1. From the Admin console Home page, navigate to Apps > Web and mobile apps.
  2. Open the SiQ application.
  3. In the Auto-provisioning section, click Configure auto-provisioning.
  4. Enter the token you copied from SiQ in Step 6.
  5. Click the Continue button.
  6. Verify that all mandatory SiQ attributes (those marked with an *) are mapped to Google Cloud Directory attributes. If not, click the Down arrow and map to the appropriate attribute.
  7. Click the Continue button.
  8. (Optional) Restrict provisioning to specific groups:
    1. In the Search groups field, enter all or part of the group name. A list of available groups displays. Select a group to add it and open a new search field.
    2. If necessary, add more groups and choose a scope.
    3. To remove any group you added, click the X icon next to it.
  9. When complete, click the Continue button.
  10. Choose how long deprovisioning actions will be delayed before taking effect. The amount of time before deprovisioning takes effect can be set to: within 24 hours or after one, 7, or 21 days. Tip: Always set more time before hard deleting a user's account than for suspending a user's account. Select at least one of these options:
    • When an app is turned off for the user, hard delete their account after [number of days].
    • When a user is suspended on Google, hard delete their account after [number of days].
    • When a user is deleted from Google, hard delete their account after [number of days].
  11. Click the Finish button.
  12. In the Auto-provisioning section, click the activation slider. Note: The activation slider is disabled if SiQ isn’t turned on for any users. Click User access and turn the app on to enable the slider.
  13. In the confirmation dialog box, click Turn on.

When provisioning is on, Google starts collecting usage information. You'll see the usage information in the Auto-provisioning section. There will not be any numbers next to the event names until you enable provisioning. The following event names provide the usage information for the last 30 days:

  • Users created
  • Users suspended
  • Users deleted
  • Failures

Attribute Mappings from SiQ to a Google User Profile

The Google user profile can be set up with custom attributes. Some of these attributes are mapped to the Google user profile by default.

Custom Attributes

Google's SiQ application has been enhanced to support user-defined custom attributes, which enables Google to import more than 20 attributes to SiQ. These attributes will be created and mapped manually.

  1. These attributes must be created and mapped in Google; see Step 7 above.
  2. Then, from SiQ, define the custom field names mapped to the SiQ app. From the Provisioning tab, in the Scim schema custom attributes field, enter the mapping code. For example:

     {"CostCenter":"Cost_Center","Department":"department"}

Troubleshooting

User and Department Data

  • Users without a First Name and/or a Last Name in their SiQ profiles cannot be imported as new users.
  • Google users without a department will be created with a default department named “__No_Department__”.
  • In the event that a department also has teams or sub-departments, SiQ will expect Organizations/Divisions to also contain the Team/Sub-Department name.
    For example:

    Organization: Engineering, with Department: QA
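
The import rules above, together with the email-match requirement in Step 4, can be checked before provisioning is turned on. The following is an added example, not SpaceIQ or Google code: the record field names, the sample users and the exact-string email comparison are assumptions made for illustration.

```python
# Added example: pre-flight check of user records before Google pushes them to SiQ.
# Field names and sample records are constructed for illustration.
DEFAULT_DEPARTMENT = "__No_Department__"  # default department name given on this page

SAMPLE_GOOGLE_USERS = [
    {"email": "ana@example.com", "first_name": "Ana", "last_name": "Ruiz", "department": "QA"},
    {"email": "bo@example.com", "first_name": "", "last_name": "Chen", "department": "Sales"},
    {"email": "cy@example.com", "first_name": "Cy", "last_name": "Okafor", "department": None},
    {"email": "Dee@Example.com", "first_name": "Dee", "last_name": "Ng", "department": " "},
]
SAMPLE_SIQ_EMAILS = ["ana@example.com", "dee@example.com", "old.admin@example.com"]


def _blank(value):
    """True for None, empty, or whitespace-only values."""
    return value is None or not str(value).strip()


def preflight(google_users, siq_emails):
    """Return a report of records that will fail or be altered on import."""
    report = {"missing_name": [], "default_department": [],
              "siq_only": [], "case_or_space_mismatch": []}
    for user in google_users:
        if _blank(user.get("first_name")) or _blank(user.get("last_name")):
            report["missing_name"].append(user["email"])        # cannot be imported
        if _blank(user.get("department")):
            report["default_department"].append(user["email"])  # gets DEFAULT_DEPARTMENT
    exact = {u["email"] for u in google_users}
    folded = {u["email"].strip().lower(): u["email"] for u in google_users}
    for email in siq_emails:
        if email in exact:
            continue
        near = folded.get(email.strip().lower())
        if near is not None:
            # Same address apart from case or spacing: fix before relying on a match.
            report["case_or_space_mismatch"].append((email, near))
        else:
            report["siq_only"].append(email)  # SiQ account with no Google counterpart
    return report


if __name__ == "__main__":
    for finding, items in preflight(SAMPLE_GOOGLE_USERS, SAMPLE_SIQ_EMAILS).items():
        print(f"{finding}: {items}")
```

Accounts listed under siq_only are worth reviewing by hand, since they exist in SiQ without a corresponding Google identity.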

Changed Admin Password for SiQ

If the admin password for SiQ has changed, automatic provisioning will stop working. In this case, the original authorization is revoked by SiQ, and you must reauthorize automatic provisioning.

From the Google Admin Console, complete the following:

  1. From the Admin console Home page, navigate to Apps > Web and mobile apps.
  2. Open the SiQ application.
  3. Click the Auto-provisioning section to open the settings screen.
  4. Under App authorization, click Reauthorize.
  5. Enter the token you copied from SiQ from Step 6 and then click Re-authorize. After reauthorization completes, you're returned to the Auto-provisioning settings screen in the Admin console.