Skip to main content

Google Workspace

Frame supports Single Sign-On (SSO) with Google authentication through both OAuth2 and SAML2 integration options. The OAuth2 option is the easiest to setup and can be done in under a minute. The SAML2 option is also relatively quick and easy, but does require a few more steps.

Google Workspace OAuth2 SSO Integration

caution

Google Workspace OAuth2 SSO integration is supported only when users access Frame via a supported web browser. Google Workspace OAuth2 is not supported by Frame App (due to Google Sign-In not supporting Chromium Embedded Framework).

Configuring Google Workspace OAuth2

  1. If you would like to enable Google Workspace OAuth2 integration with Frame, you will first need to following the procedure outlined in Google's guide to Control which third-party & internal apps access Google Workspace data.
  2. On the Google Admin Console home page, go to Security > API controls.
  3. Under App access control, click on MANAGE THIRD-PARTY APP ACCESS.
  4. Click on “Configure new app” drop down menu and select OAuth App Name Or Client ID.
  5. Search for the Client ID 884836301137-76l5epasioe5sb3qvsp31obn45qk6t5i.apps.googleusercontent.com.
  6. Once you locate the Nutanix Frame app in the search results, click Select.
  7. Check the checkbox for the Nutanix Frame app with the Client ID 884836301137-76l5epasioe5sb3qvsp31obn45qk6t5i.apps.googleusercontent.com and then click SELECT.
  8. For App access, specify that this Nutanix Frame app is to be TRUSTED and click CONFIGURE.

Configuring Google OAuth2 in Frame

At the organization or customer level, click on the profile icon in the upper right corner of the screen and select Go to Admin. Navigate to the desired customer or organization, click on the ellipsis to the right of the entity name, and click Users.

Enable Users Setting

From the Authentication tab, enable the Google Authentication toggle listed. Click Save in the upper right corner.

Enable Google Setting

Click on the newly created Google tab listed below the Security tab. From there, click Add.

Google Tab

The Add Google authorization dialog window will appear:

Add Google authorization

From this window, you can specify individual email addresses or entire domains you wish to grant access to and their corresponding roles. For this example, we will give access to the domain mycompany.com. All users tied to this domain will be given “Launchpad User” access on the “Applications 2” Launchpad. Read more about permissions in the Manage User Permissions section of Frame documentation.

Example role settings using a domain

note

When specifying a Google Workspace domain, you must prefix the domain with the @ symbol, as shown above.

Click Add when you have finished specifying your emails/domains and roles.

Signing in with Google Workspace via OAuth2

You can now instruct your users to select the Sign in with Google option when accessing their Frame login page and enter their Google credentials.

Sign in with Google

They will be prompted to allow Nutanix Frame access to their Google Drive the first time they sign in. Then, once they connect to their Frame account, it will automatically connect to their Google Drive (no further clicks or authentication steps are required).

Nutanix Frame access prompt

That's it! Your users can now use Sign in with Google on your account via our OAuth2 integration option. If you prefer to set up your integration using SAML2, continue reading.

Google Workspace SAML2 Integration

note

Google Workspace SAML2 integration can only be set up by someone with a Super Admin role on a Google Workspace account. During this configuration process we will transition from the Google Workspace Admin console to the Nutanix console.

Getting Started

To begin, let's create a URL-friendly SAML2 Integration Name that we'll use in a few places throughout our setup. Continue below for help and examples that you can use in your SAML integration.

Integration Name examples for Google Workspace

Your SAML2 Integration Name is a case-sensitive, URL-friendly, unique, and descriptive value that represents the integration between your Google Workspace and Frame. This value can have only letters, numbers, and the dash symbol; no spaces or punctuation are allowed.

We recommend using something that includes descriptive information, such as your company and identity provider's names. This integration name is tied to your SAML2 endpoints on Frame and using descriptive names can be useful for debugging.

Optionally, fill out the information below to get a recommendation of what you could use.







Using the values copied from above and following the steps below, we'll create and gather these details to configure proper communication between ADFS and Frame.

Google Admin Console

  1. Navigate and log in to to your Google Admin Console. Click on Apps and then Web and mobile apps.

    Web and mobile apps

  2. From the Apps Settings page, click Add App then Add custom SAML app from the drop-down.

    Add custom SAML app

  3. Enter “Nutanix Frame” for the App name and upload our logo icon below (right-click, save).

    App details

    Frame App Logo

    Frame Logo (right-click, save)

    Click Continue when ready.

  4. Click the Download Metadata button. Save this somewhere accessible for a later step in the Nutanix Console; this metadata tells Frame how to communicate with Google on Frame's behalf.

    Download metadata from Google

    Click Continue when ready.

  5. Next, we'll carefully enter values for ACS URL and Entity ID fields.

    • ACS (Assertion Consumer Service) URL: This is where Google will send assertions info (first name, last name, and email address) for authenticated users to Frame. Here, we'll enter the Frame ACS URL defined in the Getting Started section.

    • Entity ID: This field is also arbitrary and must be a URI, URN, or URL; this value is case-sensitive. Entity IDs are attached to event logs for Admin purposes and are required to match in both Google and Nutanix Console's settings to verify and identify each other via SAML2. For simplicity, we recommend using the Integration Name from the Getting Started section for this value. Copy the value you decide upon for use in later steps; Frame refers to the Entity ID in its SAML settings as “Application ID.”

  6. Next, we have the Start URL.

    The Start URL allows users to authenticate and navigate directly to Nutanix from Google's Workspace portal. This is often referred to as a “Identity Provider initiated login”. For most cases, the value for Start URL is simply a Launchpad or Account Dashboard URL to the account the user will have access to. If this field is left blank, your users can still log in to Nutanix with this Google App from the Nutanix Console's sign in page(s).

    tip

    Leaving this blank may be desired if you have many Frame Accounts for your users to access or "land on".

  7. Next, Ensure that the Name ID format field is set to PERSISTENT and the Name ID field is set to Basic Information > Primary email. Click Continue when ready.

    Service provider details

  8. Here, we need to configure mappings between user fields from Google to recognizable terms that the Nutanix is expecting to receive when users sign in. Fill it out exactly as pictured below:

    SAML Attribute mappings

    Click Finish when completed.

  9. You'll now be brought to the main page of your new Custom App. The last thing we need to do is enable user access, as the default setting for new Custom Apps is OFF for everyone. To enable access, click in the User Access section at the top of the page.

    Then, configure your user/group access and click SAVE. In our use-case, we wanted the service to be ON for everyone:

    Service Access for everyone

    That's it for the Google Admin portion of the setup – we're half way there! By this point you should have the following items needed to setup Nutanix Console as the SAML2 Service Provider:

    • Downloaded Metadata XML file
    • SAML2 Integration Name
    • Entity ID (later referenced as Application ID)

Configure SAML2 in Frame

  1. Open up a new tab and navigate to your Frame account. A SAML2 authentication integration can be configured at any level (depending on administrative access) by navigating to the Admin page and clicking on the ellipsis listed next to the desired entity name. Select Users from the menu that appears. In our example, we're integrating with Google Workspace on the Customer scope/level.

    Customers Example for Configuring User Access

  2. Under Authentication, enable the SAML2 toggle and click Save in the upper right corner.

    Enable SAML2 and Save

    More options will appear next to the Authentication tab, click on the SAML2 Providers tab.

  3. Click Add SAML2 Provider.

    Add a SAML2 Provider

  4. Next, we'll populate the fields to configure our SAML2 integration.

    SAML2 Identity Provider dialog example values

    • Application ID: The value here needs to match the value set as the "Entity ID" from Step 5.
    • Auth provider metadata: Click the “XML” option and paste the contents of the Metadata XML file from Step 4.
    • Integration Name: Paste your chosen value of Integration Name from the Getting Started section.
    • Custom Label: Optional. Allows Admins to customize Nutanix's Sign in page chiclets/buttons associated with this SAML2 integration.
    • Authentication token expiration: Choose a token expiration duration that supports your end-user workflows and complies with your security policies.
    • Enable “Signed assertion”

    Lastly, confirm that everything is entered correctly and click Add.

Configuring SAML2 Permissions

Once the SAML2 Provider is successfully configured in the Nutanix Console, administrators will need to add authorization rules from the SAML2 Permissions tab listed to the right of the SAML2 Provider tab.

Protect your Application with a Generic Service Provider

Add roles/permissions for your users by following our Roles and User Permissions with a SAML2 IdP guides.

Once you've configured permissions for your users, that's it! You're ready to test signing into Frame at your Entity URLs (Launchpad, Account Dashboard, etc.)!

Accessing Frame with Google Workspace

Your SAML integration will now appear to your users as a sign in button on your specific Frame Sign in Page.

Sign in with Google Workspace