← All controls

15 SSO/SAML to hardened IdP

Hands Workspace sign-in to an external identity provider over SAML or OIDC, so authentication policy — and its logging — lives in one place across all your SaaS. The break-glass admin (20 Break-glass admin + offline backup codes) stays on Google authentication as the fallback, and super admins always authenticate directly with Google — a fixed property of the newer SSO profiles (legacy SSO profiles can still let super admins sign in via SSO).

Caveats

Setup steps

  1. open ↗ Security › Authentication › SSO with third-party IdP

    SSO profile = <IdP name>; IdP entity ID, Sign-in page URL, Sign-out page URL, Change password URL, Certificate uploaded (up to two)

    Setting up SSO ↗

  2. Security › Authentication › SSO with third-party IdP › Manage SSO profile assignments
    OU <staff>
    <IdP profile>
    OU <break-glass>
    None (Google authentication)

    Setting up SSO ↗

  3. Security › Authentication › SSO with third-party IdP

    Super admins = Google sign-in (fixed behaviour of the newer SSO profiles; not guaranteed on the legacy profile); Google-side 2SV enforced for the admin OU

    Super administrator SSO ↗

  4. open ↗ Security › Authentication › 2-Step Verification
    2SV enforcement
    On for all non-federated OUs

    Deploy 2-Step Verification ↗ How 2-Step Verification works with third-party IdPs ↗

Ongoing maintenance

How to verify

  1. Sign in as a federated test user — the login must redirect to the IdP. Then sign in as the break-glass account — it must NOT redirect and must accept Google credentials.

v0.1.3Preventedition All (+IdP) policy #8 · #3 ↗