Google Workspace, SAML Authentication and Passwordstate

Last week’s blog was all about SAML2 Authentication with Microsoft Azure. Keeping to a like theme, this week we’ll concentrate on setting up SAML Authentication for Google Workspace (formerly G Suite) and Passwordstate.

Google Workspace provides email and collaboration tools similar in basic function to Microsoft 365 (formerly Office 365). In order to use SAML2 authentication, in Passwordstate with Workspace, you’ll need to specify the settings obtained within the ‘Service/App’ configured within Workspace. The following is a summary of settings that are required;

  • Specify the Certificate Type – either SHA1 or SHA256
  • Details of your X.509 Certificate
  • The IDP Target URL
  • The IDP Issuer URL
  • Audience Restriction

As with the Azure Blog, the terminology isn’t always consistent between SAML2 Providers so you should use the table below to map the Passwordstate SAML2 Authentication Settings to the information provided by Workspace,

Passwordstate Field Workspace Supplied Fields
Audience Restriction Service Provider Entity ID
‘Your Passwordstate URL’/logins/saml/default.aspx ACS URL
‘Your Passwordstate URL’ Service Provider Entity ID
UserID or Email or UserPrincipleName Email
X.509 Certificate (SHA256) Certificate
IDP Target URL SSO URL
IDP Issuer URL Entity ID

Note in the above table ‘Your Passwordstate URL’ is the URL of your Passwordstate Instance. In the examples used in this blog ‘Your Passwordstate URL’ is this time https://passwordstate8.halox.net

Create a Service/App for SAML

In these examples we’re going to configure Passwordstate for SAML Authentication and Single Sign-On with Workspace. First you’ll need to login to your Google Admin Console and click on the Apps icon as per the screen shot below,

then select SAML Apps,


and click on Add a service/App to your domain,


this will take you to Step 1 Enable SSO for SAML Application. Click on SETUP MY OWN CUSTOM APP,


Step 2 Google IdP Information will appear and prepopulate your SSO URL and Entity ID fields for you. Click on NEXT.


this will take you to Step 3 Basic information for your Custom App. Provide an Application Name, in our example Passwordstate, and click NEXT,


on Step 4 Service Provider Details, enter your ACS URL and Service Provider
Entity ID (refer to the table at the beginning of this Blog entry) and ensure Name ID, Primary Email and Name ID Format are selected as per the image below and the click NEXT,


on Step 5 Attribute Mapping click FINISH.


Next, you’ll need to turn this on for everyone by clicking on View details,


and selecting On for everyone, then clicking SAVE,


Download your Passwordstate SAML Metadata

You’ve now created the SAML settings for the Service/App Passwordstate. By clicking on DOWNLOAD METADATA you’ll have access to all the required details¬† that are required to configure Passwordstate’s SAML2 section,


this will open a dialog enabling you to either, 1: Download IdP metadata, or 2: Copy the SSO URL, Entity ID, and Certificate,


Configure the Passwordstate SAML2 Authentication Settings

To configure your Passwordstate SAML2 Authentication you’ll need to login to Passwordstate and navigate to Administration->System Settings->authentication options. From here you’ll need to set your Web Authentication Options to SAML2 Authentication, and under Primary Site’s SAML2 Authentication Settings enter the details as per the screen snapshot above,


Note we’ve selected to use Email Address, or EMAIL in the Workspace settings as the unique identifier. You’ll need to copy the Certificate from downloaded file or Download metadata screen, ensuring you copy the entire contents into the X.509 Certificate field (including the Begin Certificate and End Certificate lines). The IDP Target URL:, IDP Issuer URL: and Audience Restriction: are all as per the Workspace information (again use the table at the beginning to map the SAML settings). When finished click on the Save & Close button at the bottom of the screen.

Authentication via Workspace SAML

Now you should be able to log out of Passwordstate, and on browsing to your Passwordstate URL be directed to the Google Choose an account and Enter your password challenge screens. Once you’ve logged into Google Workspace Passwordstate should open up as normal.

We hope this helps with Google Workspace and authenticating to Passwordstate using SAML. Please send any comments or feedback to  support@clickstudios.com.au

Speak Your Mind

*