Google Cloud
Last reviewed: 4 months ago
This guide covers how to configure Google Cloud ↗ as a SAML application in Cloudflare Zero Trust.
Prerequistes
- An identity provider configured in Cloudflare Zero Trust
- Admin access to a Google Workspace account
- Cloud Identity Free or Premium ↗ set up in your organization’s Google Cloud account
1. Add a SaaS application to Cloudflare Zero Trust
- In Zero Trust ↗, go to Access > Applications.
- Select Add an application > SaaS > Select.
- For Application, select Google Cloud.
- For the authentication protocol, select SAML.
- Select Add application.
- Fill in the following fields:
- Entity ID:
google.com
- Assertion Consumer Service URL:
https://www.google.com/a/<your_domain.com>/acs
- Name ID format: Email
- Entity ID:
- Copy the SSO endpoint, Access Entity ID or Issuer, and Public key.
- Select Save configuration.
- Configure Access policies for the application.
- Select Done.
2. Create a x.509 certificate
- Paste the Public key from application configuration in Cloudflare Zero Trust into a text editor.
- Wrap the certificate in
-----BEGIN CERTIFICATE-----
and-----END CERTIFICATE-----
. - Set the file extension as
.crt
and save.
3. Create an SSO provider in Google Cloud
- In your Google Admin console ↗, go to Security > Authentication > SSO with third party IdP.
- Select Third-party SSO profile for your organization > Add SSO Profile.
- Turn on Set up SSO with third-party identity provider.
- Fill in the following information:
- Sign-in page URL: SSO endpoint from application configuration in Cloudflare Zero Trust.
- Sign-out page URL:
https://<team-name>.cloudflareaccess.com/cdn-cgi/access/logout
, where<team-name>
is your Zero Trust team name. - Verification certificate: Upload the
.crt
certificate file from step 2. Create a x.509 certificate.
- (Optional) Turn on Use a domain specific issuer. If you select this option, Google will send an issuer specific to your Google Cloud domain (
google.com/a/<your_domain.com>
instead of the standardgoogle.com
).
4. Test the integration
Open an incognito browser window and go to your Google Cloud URL (https://console.cloud.google.com/a/<your_domain.com>
). Sign in using credentials that do not belong to a super admin account.
Troubleshooting
Error: "G Suite - This account cannot be accessed because the login credentials could not be verified."
If you see this error, it is likely that the public key and private key do not match. Confirm that your certificate file includes the correct public key.