1. Articles
  2. My Account
  3. Identity and Access Management
  4. Single Sign-On

Articles in this section

Enabling Google Workspace SSO Connections with Your OVHcloud Account

Avatar
Stephanie Richards
  • Updated
Follow

Learn how to associate your OVHcloud account with an external Google Workspace service.

You can use Single Sign-On (SSO) to sign in to your OVHcloud account. To enable these connections, your account and Google Workspace accounts have to be using SAML (Security Assertion Markup Language) authentication.

 

Requirements

 

Instructions

In order for a service provider (i.e. your OVHcloud account) to establish an SSO connection with an identity provider (i.e. your Google Workspace service), the key is to establish a mutual trust relationship by registering the SSO connection in both services.

Registering OVHcloud into Google Workspace

Your Google Workspace acts as an identity provider. Requests to authenticate your OVHcloud account will only be accepted if you have first declared it as a trusted third party.

This means that it must be added as Web and mobile apps.

Log in to the Google Workspace administration interface with your administrator account.

Go to Apps then Web and mobile apps.

googlesso01.png

 

Click Add app then Add custom SAML app.

googlesso1b*.png

 

In the App details step, add a name for this interconnection, "OVHcloud" for example. Click Continue.

googlesso02.png

 

In the Google Identity Provider details step, download the metadata file by clicking Download metadata then click Continue.

googlesso3*.png

 

In the Service provider details step, complete the ACS URL and Entity ID fields with the following information:

  • ACS URL: https://us.ovhcloud.com/auth/ and
  • Entity ID: https://us.ovhcloud.com/auth/

Click Continue.

googlesso04*.png

 

In the Attribute mapping step, add the following mapping:

  • First Name: Name
  • Last Name: Surname
  • Primary email: E-mail Address

Click Finish.

googlesso05.png

 

Enable access to this application by clicking OFF for everyone in the "User access" section.

googlesso06.png

 

Click ON for everyone then the SAVE button.

googlesso07*.png

Adding application access to users can take several hours to take effect.

Your Google Workspace service now trusts OVHcloud as a service provider. The next step is to ensure that the OVHcloud account trusts your Google Workspace as an identity provider.

 

Registering Google Workspace into the OVHcloud account and configuring the connection

To add Google workspace as a trusted identity provider, you need to provide the identity provider metadata in the OVHcloud Control Panel.

Once logged in, click your profile at the top right.

googlesso08.png

 

Click on your name to access your profile management page.

Account-noSSO.png

 

Open the User Management tab.

googlesso10.png

 

Click the SSO connection button.

googlesso11.png

 

Fill in the XML metadata of your Google Workspace service. Enter Group in the Group attribute name box. Click Confirm.

googlesso12.png

 

Now you need to retrieve your Google Workspace as identity provider, as well as default groups.

googlesso13.png

 

For more information, click on the link under SSO Service URL.

googlesso14.png

 

The ... button allows you to update or delete the SSO, and view its details.

googlesso15.png

 

Your Google Workspace is now considered a trusted identity provider. However, you still need to add groups to your OVHcloud account.

NOTE: If you try to connect via SSO at this point, you will probably receive a Not in valid groups error message.

That is because your OVHcloud account checks whether the authenticating user belongs to an existing group on the account.

To resolve this, authorize the groups that will be transmitted from Google Workspace to OVHcloud. These groups are the same as those used to categorize your users.

To do this, log on to the Google Workspace administration interface with your administrator account.

Go to Apps then Web and mobile apps.

googlesso01.png

 

Click on the line for the application you added in the previous step.

googlesso17.png

 

Click SAML attribute mapping to edit the mapping of information shared between Google Workspace and OVHcloud.

googlesso18.png

 

In the Group membership (optional) section, add any groups that you want to allow to connect to OVHcloud. In the App attribute field, enter Group.

You must then assign roles to these user groups at OVHcloud. Otherwise, your OVHcloud account does not know what the user is allowed to do and, by default, no rights are assigned.

googlesso19.png

 

From the OVHcloud Control Panel, add a group by clicking the Declare a group button and filling in the fields:

  • Group name: Group name within Google Workspace
  • Role: Level of rights granted to this group

Then click Confirm.

googlesso20.png

googlesso21.png

 

You can then verify that the group is added to your OVHcloud account in the Groups section:

googlesso22.png

When you later log in with a user from the Intern group, your OVHcloud account will recognize that the user has the role "UNPRIVILEGED" specified by his group.

You will then be able to log out of your account and log back in with your Google Workspace as an identity provider.

 

Connecting via SSO

On the OVHcloud login page, enter your login followed by /idp without a password and click the Login button.

SSO Login.png

 

You are then redirected to your Google Workspace login page. Enter the login and password for a user of your Google Workspace, then click the Sign in button.

googlesso24.png

 

You are now logged in with the same customer ID but through your Google Workspace user.

managerSSO.png

 

Go further

For more information and tutorials, please see our other IAM support guides or explore the guides for other OVHcloud products and services.

Related articles