Google Cloud

The Google Workspace integration enables biometric passwordless authentication via SAML 2.0 using the 1Kosmos mobile app for all Workspace and Google Cloud applications.

Integration type: SSO

Overview

The configuration is performed in the Google Workspace Admin Console under Security → Authentication → SSO with third-party IdP (for Workspace accounts) or through Cloud Identity for GCP resource access.

Google Workspace functions as the SAML service provider in this integration. The admin creates a SAML SSO profile, enters the 1Kosmos IdP Entity ID, SSO URL, and signing certificate, and receives a unique ACS URL and Entity ID for the profile.

These SP values are then entered into AdminX. Once configured, the SSO profile can be assigned to specific organizational units or groups, allowing phased rollout of 1Kosmos biometric login across the organization.

Both SP-initiated and IdP-initiated SSO flows are supported. The integration covers Google Workspace (Gmail, Drive, Meet, Calendar, and other Workspace apps) and by extension GCP console access for users whose Google accounts are managed through Workspace or Cloud Identity.


Prerequisites

  • Active 1Kosmos tenant: Administrator access to the AdminX portal. Contact 1kosmos.com/contact if not yet provisioned.

  • Google Workspace or Cloud Identity account: Super administrator access to the Google Admin Console. SSO configuration requires the Security Settings administrator privilege.

  • User accounts in Google Workspace: Users must have Google Workspace or Cloud Identity accounts. Their email addresses must match the values sent in the 1Kosmos SAML assertion.

  • 1Kosmos mobile app installed: Users must have the app on iOS or Android with biometrics enrolled before testing.


Configuration values

Values to collect from 1Kosmos AdminX (IdP) for Google (field, then where to find it):

  • IdP Entity ID (IDP entity ID): AdminX → Settings → IdP Configuration → Core Configuration

  • Sign-in page URL (SSO URL): AdminX → Settings → IdP Configuration → Single SignOn Service URL

  • Signing Certificate (PEM): AdminX → Settings → IdP Configuration → View Certificate → Public Key (upload as certificate file)

Values generated by Google Admin Console (SP) for AdminX (field, then where to find it):

  • ACS URL (Entity Consumer Service URL): Google Admin Console → Security → Authentication → SSO with third-party IdP → [profile] → SP Details section → ACS URL

  • SP Entity ID: Same SP Details section → Entity ID

Integration steps

Step 1: Create a SAML SSO profile in the Google Admin Console

  • Sign in to the Google Admin Console at admin.google.com as a super administrator.

  • Navigate to Security → Authentication → SSO with third-party IdP.

  • Click Add SAML profile and enter a profile name (e.g., "1Kosmos Biometric SSO").

  • In the IdP details section, enter the 1Kosmos IdP Entity ID in the IDP entity ID field, enter the 1Kosmos SSO URL in the Sign-in page URL field, and upload the 1Kosmos signing certificate.

  • Click Save. Google generates the ACS URL and Entity ID for this profile in the SP Details section. Copy both values for use in AdminX.

Step 2: Add Google Workspace as a SAML application in AdminX

  • Log in to the AdminX portal and navigate to Applications → Add Application.

  • Scroll to Custom App, select SAML 2.0 Generic, and click Add integration.

  • Enter "Google Workspace" as the Application Name, set Instance to Production, and enter your Google Workspace domain URL as the Application Access URL. Click Next.

  • Set NameID Format to urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress and NameID Value to email. Add claims for email (Username), firstname (firstName), and lastname (lastName). Click Next.

  • Enter the Google SP Entity ID and ACS URL from the SP Details section. Enable Assertion signing and click Save.

Step 3: Assign the SSO profile to users or organizational units

  • Return to the Google Admin Console → Security → Authentication → SSO with third-party IdP.

  • Click Manage SSO profile assignments.

  • Select the organizational unit or group to which you want to assign the 1Kosmos SSO profile and select the profile from the dropdown.

  • Click Save. Changes may take up to 24 hours to propagate but typically occur within a few minutes.

Step 4: Test the integration

  • Open an incognito browser window and navigate to your Google Workspace sign-in page.

  • Enter a user email address that belongs to an organizational unit assigned to the 1Kosmos SSO profile.

  • Confirm you are redirected to 1Kosmos. Authenticate biometrically using the 1Kosmos mobile app.

  • Confirm you are signed in to Google Workspace and have access to Gmail, Drive, and other Workspace applications.

  • If you use the Test SAML login option in Google Admin Console, note that this test utility may not work correctly because it does not go through the full SP-initiated flow. Test by logging in directly from the Google sign-in page instead.
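
As an added troubleshooting aid (not part of the 1Kosmos or Google documentation), the following Python script checks a SAMLResponse captured during the test login against the values configured in Steps 1 and 2: issuer, NameID format and value, ACS URL, SP Entity ID, and the presence of an assertion signature. The function names, the placeholder URLs and the sample response are constructed for illustration.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

def check_response(b64_response, idp_entity_id, sp_entity_id, acs_url, email):
    """List mismatches between a captured SAMLResponse and the configured values.

    Structural check only: it does not verify the signature cryptographically.
    Use it on responses from your own test login; ElementTree is not hardened
    against hostile XML.
    """
    root = ET.fromstring(base64.b64decode(b64_response))
    a = root.find("saml:Assertion", NS)
    if a is None:
        return ["no plaintext Assertion in response"]
    problems = []
    if a.findtext("saml:Issuer", "", NS).strip() != idp_entity_id:
        problems.append("Issuer != IdP Entity ID")
    name_id = a.find("saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != EMAIL_FORMAT:
        problems.append("NameID Format is not emailAddress")
    elif (name_id.text or "").strip().lower() != email.lower():  # assumption: case-insensitive
        problems.append("NameID does not match the Google primary email")
    conf = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if conf is None or conf.get("Recipient") != acs_url:
        problems.append("Recipient != ACS URL")
    audiences = [e.text.strip() for e in a.iterfind(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS) if e.text]
    if sp_entity_id not in audiences:
        problems.append("Audience does not include SP Entity ID")
    if a.find("ds:Signature", NS) is None:
        problems.append("Assertion is not signed")
    return problems

def sample(name_id="alice@example.com", signed=True):
    """Constructed, trimmed response with placeholder URLs; not a real capture."""
    sig = '<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>' if signed else ""
    xml = ('<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
           'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"><saml:Assertion>'
           '<saml:Issuer>https://idp.example/entity</saml:Issuer>' + sig +
           f'<saml:Subject><saml:NameID Format="{EMAIL_FORMAT}">{name_id}</saml:NameID>'
           '<saml:SubjectConfirmation><saml:SubjectConfirmationData '
           'Recipient="https://sp.example/acs"/></saml:SubjectConfirmation></saml:Subject>'
           '<saml:Conditions><saml:AudienceRestriction><saml:Audience>https://sp.example/entity'
           '</saml:Audience></saml:AudienceRestriction></saml:Conditions>'
           '</saml:Assertion></samlp:Response>')
    return base64.b64encode(xml.encode()).decode()

EXPECTED = ("https://idp.example/entity", "https://sp.example/entity",
            "https://sp.example/acs", "alice@example.com")
```

An empty list from `check_response(sample(), *EXPECTED)` means the response agrees with the configured profile; each string in a non-empty list names the setting to revisit in AdminX or the Google SSO profile.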


Attribute mappings

Source (1Kosmos) → Target (Google): Description

  • user.email → Primary Email / NameID: Must match the user's Google Workspace primary email address

  • user.firstName → firstName: User first name; matches the Google directory attribute

  • user.lastName → lastName: User last name; matches the Google directory attribute

Integration notes

Google Workspace's SSO profile system allows SSO to be enabled for specific organizational units while leaving other units unaffected. This makes phased rollouts straightforward: start with a test OU, validate the 1Kosmos SSO flow, then expand the profile assignment to the full organization.

Google's Super Administrators have a separate SSO bypass by default, which means super admins continue to use their Google password for admin console access even when SSO is enforced for regular users. This is a Google security control and is not configurable through the SAML SSO profile.

For GCP console access, users whose accounts are managed through Google Workspace will automatically use the 1Kosmos SSO flow when accessing the GCP console from a browser, since GCP authentication is handled through the same Google account.

Transform how you verify and authenticate

Secure onboarding, eliminate passwords, and stop fraud on one platform. Schedule a demo and see it in action.
