SAML - Google G Suite

KACE Cloud MDM subscribers can use Google G Suite when setting up single sign-on (SSO). Configuring SSO to use Google G Suite lets users sign in to KACE Cloud using their managed Google account credentials.

Tip: To set up an identity provider protocol using SAML and Google G Suite, open both KACE Cloud MDM and your Google Admin console.


Step 1: Set up Google as a SAML identity provider.

In Google Admin Console:

  1. Sign in to your Google Admin console using your administrator account.
    • This account does not end in @gmail.com.
    • You must sign in with a Google account that is a super administrator.
  2. From the Admin console home page, go to Apps > SAML apps.
  3. Click Add + at the bottom right of the page.
  4. Click Set up my own custom app.
    • The Google IDP Information window opens with the SSO URL and Entity ID fields already populated.
  5. Download the IDP Metadata file.
    • You will use this as setup information in KACE Cloud MDM.
  6. Click Next.

Step 2: Set up KACE Cloud to use Google for single sign-on.

  1. Open a new incognito browser window and sign in to your KACE Cloud tenant admin portal at https://{your tenant}.kacecloud.com.
    • The KACE Cloud account you are using must have the System Admin role.
  2. Select the Settings tab in top navigation.
  3. Choose Single Sign-On in left navigation.
  4. Click SAML v2.0.
  5. Copy the Redirect URL; you will paste it into the identity provider configuration in Step 3.
  6. Import the IDP metadata file from Google:
    • Select the Import from File tab.
    • Click the Choose File button then locate the IDP metadata file that was downloaded from Google.
    • Click Import.

Confirm user attribute mappings:

Once the import from the previous step is done, in the User Attribute Mappings section, add the following mappings:

Attribute | Name
First Name | http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
Last Name | http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
Primary Email | http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn

Enable Single Sign-on:

  1. Open a new incognito window or private browser to ensure login data is clear.
  2. Go to the KACE Cloud portal but do not log in.
  3. Follow the Single Sign-On workflow using the customizable button.
  4. Warning: Confirm that single sign-on succeeds before checking the 'Immediately redirect to identity provider' box; once it is checked, every sign-in is sent straight to the identity provider.

Step 3: Configure and Enable Google Custom SAML app.

In the Google Admin Console:

  1. Add an application name and description.
    • (Optional) Upload a PNG or GIF file to serve as an icon for your custom app. The icon image should be 256 pixels square.
  2. Click Next.

  3. In the Service Provider Details window, enter the ACS URL, Entity ID, and Start URL (if needed) for your KACE Cloud tenant as follows:
    1. ACS URL - Paste the Redirect URL that was copied from the KACE Cloud MDM console in Step 2.
    2. Entity ID - Paste the same Redirect URL copied in Step 2, but delete [/broker/heliumsso/endpoint] from the end.
    3. Name ID Format - Set to Persistent.
  4. Click Next.

On the Attribute Mapping page:

Set the Select category and Select user field values as follows for the listed attributes:

Application attribute | Select category | Select user field
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname | Basic Information | First Name
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname | Basic Information | Last Name
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn | Basic Information | Primary Email
  • Click Finish.

On the app dashboard:

  1. Select the app you just created.
  2. Click the Edit Service button.

To turn on or off a service for everyone in your organization:

  • Click On for everyone or Off for everyone.
  • Click Save.

To turn on or off a service only for users in an organizational unit:

  • At the left, select the organizational unit.
  • Select On or Off.

If the organization's status is already overridden, choose an option:

  • Inherit: Reverts to the same setting as its parent.
  • Save: Saves your new setting (even if the parent setting changes).

Use access groups to turn on a service for specific users within or across your organizational units.

  • Click Finish.

Step 4: Verify that SSO is working.

  1. Close all browser windows.
  2. Open your KACE Cloud tenant admin portal (https://{your tenant}.kacecloud.com), then click the Single Sign-On button.
    • You should be automatically redirected to the Google sign-in page.
  3. Enter your credentials.
  4. After your credentials are authenticated, you will be automatically redirected back to the Users landing page in KACE Cloud MDM.
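If the test sign-in fails, a quick way to find the mismatch is to compare the SAML response Google sent (visible in the browser's developer tools during the Step 4 login) with the values this guide told you to configure. The script below is an added example, not part of the KACE Cloud or Google documentation: it derives the Entity ID from the Redirect URL as in Step 3, then checks the ACS URL, Audience, Persistent NameID format, and the three attribute names from the mapping tables. It assumes Google sets the response's Destination attribute to the ACS URL, uses a constructed sample response with a made-up tenant name, and checks configuration only (it does not verify the XML signature).

```python
"""Compare a SAML response with the settings this guide configures (added example)."""
import xml.etree.ElementTree as ET
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
CLAIMS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"
REQUIRED_ATTRS = {CLAIMS + "givenname", CLAIMS + "surname", CLAIMS + "upn"}
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
ACS_SUFFIX = "/broker/heliumsso/endpoint"

def entity_id_from_redirect_url(redirect_url):
    """Step 3: the Entity ID is the Redirect URL with the broker endpoint path removed."""
    if not redirect_url.endswith(ACS_SUFFIX):
        raise ValueError("Redirect URL does not end with " + ACS_SUFFIX)
    return redirect_url[: -len(ACS_SUFFIX)]

def check_response(xml_text, redirect_url):
    """Return the mismatches found; an empty list means the response matches the guide."""
    root = ET.fromstring(xml_text)
    problems = []
    # Destination is assumed to carry the ACS URL pasted into the Google app.
    if root.get("Destination") != redirect_url:
        problems.append("Destination != ACS URL")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return problems + ["no Assertion element"]
    nameid = assertion.find("saml:Subject/saml:NameID", NS)
    if nameid is None or nameid.get("Format") != PERSISTENT:
        problems.append("NameID format is not persistent")
    audience = assertion.findtext("saml:Conditions/saml:AudienceRestriction/saml:Audience", namespaces=NS)
    if audience != entity_id_from_redirect_url(redirect_url):
        problems.append("Audience != Entity ID")
    present = {a.get("Name") for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)}
    problems += ["missing attribute " + n for n in sorted(REQUIRED_ATTRS - present)]
    return problems

# Constructed sample (not a real capture); the upn attribute is deliberately absent.
REDIRECT_URL = "https://example-tenant.kacecloud.com/broker/heliumsso/endpoint"
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  Destination="https://example-tenant.kacecloud.com/broker/heliumsso/endpoint">
 <saml:Assertion><saml:Subject>
  <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">u1</saml:NameID>
 </saml:Subject><saml:Conditions><saml:AudienceRestriction>
  <saml:Audience>https://example-tenant.kacecloud.com</saml:Audience>
 </saml:AudienceRestriction></saml:Conditions><saml:AttributeStatement>
  <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"/>
  <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"/>
 </saml:AttributeStatement></saml:Assertion></samlp:Response>"""

if __name__ == "__main__":
    print(check_response(SAMPLE_RESPONSE, REDIRECT_URL) or "matches the guide")
```

Running it on the sample reports only the missing upn attribute, which is exactly the Primary Email mapping the Step 2 and Step 3 tables require.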