Configuring WPA2-Enterprise With Google Workspace SAML Authentication

Effectively identifying and segmenting network users is vital to network security and a boost to the overall user experience. Combining certificate authentication with SAML in Google Workspace will seamlessly segment users as they enroll for network access.

During the configuration process, admins can assign attributes to your network users that denote user groups within your organization. Based on the user’s role, seniority, job function, or countless other factors, you can distribute countless use policies and network settings. The customization can be as simple or complex as required.

As a result, network users enroll once for network access and are authorized for the life of their certificate. IT is provided comprehensive visibility context concerning who is connected to the network and what they are browsing. For accurate reporting and a network organized around your policies, turn to certificate solutions for Google Workspace SAML.

Integration Process Overview

  1. Add the SAML Identity Provider to SecureW2
  2. Configure the SAML IDP in Google Admin Console
    • The SAML Identity Provider provides context concerning who is connected to the network and ensures that only approved network users are authenticated.
  3. Configure Attribute Mapping
    • Set specific attributes to segment the network into groups based on their identity within the organization.
  4. Configure Network Policies to be Distributed
    • Based on these network policies, administrators can dictate the websites, applications, files, and more that different network user segments are able to access.


Creating an Identity Provider in SecureW2

  1. In the Identity Management Section, click on the Identity Provider
  2. Click Add Identity Provider and fill the Name and Description sections
  3. In the Type section, enter SAML and click Save


Creating a SAML Application in Google Workspace

  1. Login to Google Admin Console
  2. Click Apps and select SAML Apps
  3. A yellow circle will appear in the bottom right corner (when you hover over it, you will read Enable SSO for a SAML Application), click on it
  4. Click Set Up My Own Custom App
  5. Download the IDP metadata
    1. We will add the metadata from Google Workspace

Downloading metadata from Google Apps

  1. Navigate to the Identity Provider SecureW2 page, and click on the Configuration tab
  2. Under Identity Provider (IDP) Info, click Choose File
  3. Choose the downloaded metadata file, and then click Upload and then Update
  4. Navigate to the Google SAML App Setup
  5. Enter the basic information for your app in step 3 (Application Name, Description) and then click Next
  6. Step 4 requires an ACS URL and EntityId from the SecureW2 Management Portal
  7. Navigate back to the SW2 Management Portal and copy the ACS URL and EntityId from the Identity Provider section, and paste it into the Service Provider Details of the Google SAML App Setup
  8. Check the box for Signed Response in the Google Admin page, click Next and Finish

Connecting the Identity Provider with Google Apps

Configure Custom Attribute Mapping Settings

By using Attribute Mapping, you are able to organize network users into different groups and adjust particular settings based on the type of user. For example, you could set different settings for students and teachers in a school, such as how many devices they can use to access the network and how long the certificate on their device will remain valid.

  1. In the Google Admin Page, scroll down to Attribute Mapping
  2. Click on Add New Mapping to configure the attributes you will encode into the certificate
    • In your directory, you’ll likely have a name and an email
  3. In the Enter the Application Attribute section, enter name
  4. In the Select Category section, choose Basic Information
  5. In the Select User Field section, choose First Name and click Save
  6. Click Add New Mapping again
  7. In the Enter the Application Attribute section, enter email
  8. In the Select Category section, choose Basic Information
  9. In the Select User Field section, choose Primary Email and click Save

Adding new fields to the attribute mapping.

While you can have any attribute inserted into the certificate, we officially recommend using the attributes emaildisplayName, and upn. These attributes will give you all you need to tie users and devices to their network connection and use group-based policies to configure network settings. Here is how to get these attributes setup:

  1. Navigate to the SecureW2 Management Portal, and go to the Attribute Mapping tab and click Add
  2. In the Local Attribute field, type email
  3. In the Remote Attribute field, select USER_DEFINED and type email into the dialog box that appears and click Next and then click Add
  4. In the Local Attribute field, type displayName
  5. In the Remote Attribute field, select USER_DEFINED and type name into the dialog box that appears and click Next and then click Add
  6. In the Local Attribute field, type upn
  7. In the Remote Attribute field, select USER_DEFINED and type email into the dialog box that appears and click Next and then click Update

The attributes are now connected and you can view them in the certificate.

Viewing attributes in the certificates


Configure WPA2-Enterprise Network Policy Settings

Policies can be used effectively to apply unique network settings to different user groups. In this setup guide, we will be configuring the policies to use Google Workspace as our identity provider and link to a Network Profile.

  1. Go to Getting Started, enter your SSID name in the SSID field and ensure that EAP Method is set to EAP-TLS and click Create
    • This configuration will take approximately 60-90 seconds
  2. Under Policy Management, click Authentication
  3. Click Edit next to your network
    • Under Conditions, be sure your network is selected
    • In Settings, be sure to select the identity provider you created earlier in this process
  4. Click Update and under Policy Management, click User Roles
  5. Click Edit on the Default Role Policy that was created
  6. Under Conditions, select the Identity Provider that was created in the Identity Provider Dropdown, then click Update

The connection of the SecureW2 network and a Google Workspace SAML application create solutions for network administrators by achieving the goal of easily connecting users to the network and offering a higher level of control. Users have to complete the onboarding process once for uninterrupted connection, whereas in the past it would be a manual effort that would divert countless resources. Administrators can also differentiate between groups and ensure that everyone in the organization has access to the connections they need.

If you’re interested in learning more about the advantages your IT department can experience, contact us and we’d be happy to set up a free trial. Or click here to get a pricing estimate for this cost-effective solution.

Google and Google Workspace are either registered trademarks or trademarks of Google, Inc. in the United States and/or other countries. Other trademarks, logos and service marks used in this site are the property of SecureW2 or other third parties.