Google Workspace Security Part 2: SSO, API Access, Managing Connected Apps and the Alert Center

Preamble:
This space will be utilized to synthesize my notes and help improve my learning process while I study for the Google Workspace Professional Administrator certification. I will be doing a similar process for other certifications I work on in the future. Please follow along for Google Workspace notes and feel free to ask any questions or, if I get something wrong, offer suggestions to correct any mistakes.

Setup SSO with Google as an identity provider

Google Workspace supports SSO (Single-Sing On) as the Identity Provider (IdP) using SAML. This allows users to use their managed Google account to sign into enterprise cloud applications. You can configure SSO with Google Workspace either using over 200 third-party pre-integrated cloud applications as your service provider or you can set up your own custom SAML with enterprise cloud services with Google as the IdP.

If you are setting up SSO for SAML applications please note the settings in the following section:

Security> Overview> Set up Sign sign-on (SSO) fo SAML Applications:

You will see an SSO URL and Entity ID. These will be needed by the Service Provider (SP) as well as the Google Certificate that is found on this page. The certificate is used to establish trust between Google and the SP.

To find a Service Provider that has instructions on how to setup Google Workspace as its IdP go to Apps> Web and Mobile Apps> Add App> Search for Apps

From here you can locate a pre-integrated app or set up your own custom app. After you find an an SP simply go through its configuration. You will require the information we found in the previous step, SSO URL, Entity ID and certificates.

Note:
Instead of copying the URLs and downloading the certificate file you can download the'IDP metadata' file. This is an XML file that contains both URLs and the certificate bundled into
one file

Make sure to test SSO after you have completed its configuration on your Service Provider. Log out of your account (or test account) and then re-login. You should be taken to the SSO login page if it was configured correctly.

Some services allow you to do user provisioning which allows the service to sync with your Google Workspace Directory.

Setup SSO with a third party identity provider

SSO for Google Workspace can also be setup with a third-party IdP. This means that your users will be redirected to a different provider to complete their login when trying to access their Google Workspace account. Examples of third party IdPs are:

1. Duo
2. Okta
3. Microsoft ADDS/EntraID

You can access these settings by going to:

Security> Authentication> SSO with Third-party IdPs> Add SAML Profile

You will need the following information from your third-party IdP:

1. Sign-in page URL
2. Sign-out page URL
3. SAML key/verification certificate in x.509 format.

NOTE:
You can add Network Masks to determine which addresses will be affected by SSO. This can be useful when you are testing your SSO integration. If no Netmask is configured, SSO will be applied to the entire network.

When using a third-party IdP the “Require password change” option for your users in the Admin Panel will be disabled

Only Chrome can verify that the certificate you upload is valid. Other browsers will not work.

Administrators signing into admin.google.com are not redirected to the SSO whether they are within or outside the network mask.

Add an LDAP client to Google Workspace

Secure LDAP service provides a simple and secure way to connect your LDAP-based (Active Directory) services to Cloud Identity or Google Workspace accounts which allows you to use these accounts as a cloud-based LDAP server for authentication, authorization and directory lookups.

Here is a great walkthrough of all of the features of Secure LDAP:

https://www.youtube.com/watch?v=-B5xf3qkLRA

When configuring Secure LDAP for an application, you can choose to allow access to the entire Organization or specific OUs to verify user credentials, read user information etc.

Please note that Secure LDAP is available to Enterprise and Cloud Identity Premium subscribers.

Admin SDK API Access

Google Workspace has many APIs that allow third-party applications to interact with Google Workspace services like Gmail, Drive, Calendar etc. These applications can either be other cloud-based applications or on-prem apps to sync contacts from a local database. For Google Workspace Admins there is the Admin SDK API. This will allow developers to interact with the Admin console to access objects like Users, groups, OUs etc.

It is recommended to restrict access to this API if you do not have any applications using it. To disable the API follow the steps below:

1. Go to Security> Access and Data Control> API controls> Manage Google Services
2. Find the Google Workspace Admin service and click Change Access
3. Select Restricted

Manage connected apps

Before an application can gain access to a managed Google Workspace account the application must request access to the data it requires and the user must grant this access. This is completed during the application install and the flow of this access granting is known as the 3-legged authorization (3LO). Once authorization has been approved the application receives a token that it uses to access the users account. These tokens are called OAuth 2.0 tokens.

As a Google Workspace Administrator you are able to restrict access to specific API access. You can also create a trusted list of applications that can access disabled APIs. You can do the following steps in order to block API access to all applications except for a single application that you trust or apps that are made internally by your organization.

1. Go to Security> Access and data controls> API Controls
2. In the Settings section, make sure “Trust Internal Apps” is selected

1. Go to Manage Third-Party App Access
2. Click Configure New App and search for Calendar Sync
3. Find the app you are looking for and click on it. I selected “Sync for iCloud Calendar” for Android.
4. For scopes, select either your entire Organization or the OU. Click Continue

1. Select Trusted and click continue and then finish.

You can now go back to the API Controls page and click Manage Google Services, hover over Calendar and click Change Access. Select Restricted. This will make it so only Trusted Apps can access these APIs.

NOTE After blocking the API any applications that are already installed that are not trusted will cease to work. Be careful when restricting access to APIs that may already be in use.

The Google Workspace Marketplace

The Google Workspace Marketplace offers a wide variety of enterprise apps that can add functionality to you Workspace tenant. As the admin of your Google Workspace tenant you can install apps for your users as well as authorize which apps users have the ability to install. Once a new app is installed it will appear in the App Launcher with all other Google Workspace Applications.

You can install applications for your users in your whole organization by using the following steps:

1. Go to Apps> Google Workspace Marketplace Apps> App list and then click Install App.
2. Locate the App that you wish to install. I use Lucidchart.
3. For a Domain wide installation, click Admin Install. Please note that it can take up to 24 hours for a marketplace app to install domain wide and for your users to have access to it.
4. You will then see the list of permissions/APIs that the third-party marketplace app will require. Scroll to the bottom and select Everyone at your Organization. Click to agree to the ToS and then finish.

NOTE You can also choose to install to specific OUs or groups.

An alternative solution instead of installing apps for your users directly would be to utilize the Allowlist of apps for Marketplace applications. This can be done by

1. Go to Apps> Marketplace Apps> Click on Allowlist App
2. Search for your app and click select
3. Click the option to either allow users to install the app or block users.
4. Select the from the following options for allowing/blocking app installs:
   1. Everyone
   2. Specific Groups
   3. Specific OUs
5. Click finish

NOTE Creating an allowlist does NOT uninstall previously installed apps from a user’s device.

The Alert Center

Google Workspace has a robust Alert Center to help you navigate any potential issues with your domain. To access the Alert Center simply go to Security> Alert Center. You can alter Alert notifications here by going to Manager Alerts and Email Notifications. This will open up the Rules section of the Admin Panel like we explored previously. You can then change how/what you will want to be alerted about.

User activity reports

The user activity report give you a consolidated view of user status and account activity. From here you can view user account status, admin status and 2SV verification enrollment reports.

If you’re interested in viewing Google’s recommended security settings for medium to large business please see the follow Google Help Article:

https://support.google.com/a/answer/7587183

And with that this concludes Part 2 of the Google Workspace Security portion of the Workspace Professional Administrator exam. Thanks for coming on the journey with me. As mentioned above, if you have any questions for me or if I made a mistake, please leave me a comment and I would love to correct it or answer your question.