Configure Google as an IdP in the Cloud Identity Engine
Prepare to configure Google as an IdP in the Cloud Identity Engine.
If you have not already done so, activate the Cloud Identity Engine app.
In the Cloud Identity Engine app, select Authentication > SP Metadata > Download SP Metadata and Save the metadata in a secure location.
Log in to the Google Admin Console and select Apps > SAML Apps.
Select Add App > Add custom SAML app.
Enter an App name, then Continue to the next step.
Click Download Metadata to download the IdP metadata, then Continue to the next step.
Copy the metadata information from the Cloud Identity Engine and enter it in the Google Admin Console as described in the following table, then Continue to the next step:

Copy from Cloud Identity Engine            Enter in Google Admin Console
Entity ID (from the SP Metadata page)      Entity ID
Assertion Consumer Service URL             ACS URL
Add mapping to select the Google Directory attributes, then specify the corresponding App attributes. Repeat for each attribute you want to use, then click Finish when the changes are complete.
View details to specify the users and groups you want to authenticate with Google, enable the app to turn it ON for everyone, then Save your changes.
Select Directory > Users to specify the users you want to authenticate using Google.
Add Google as an authentication type in the Cloud Identity Engine app.
Select Authentication Types and click Add New Authentication Type.
Set Up a SAML 2.0 authentication type.
Enter a Profile Name.
Select Google as your Identity Provider Vendor.
Select the method you want to use to Add Metadata and Submit the profile.
If you want to enter the information manually, copy the identity provider ID and SSO URL, download the certificate, then enter the information in the Cloud Identity Engine.
In the Google Admin Console, select the Cloud Identity Engine app and Download Metadata.
Click Download Metadata, then copy the necessary information from Google and enter it in the Cloud Identity Engine app as indicated in the following table:
Copy or Download from Google Admin Console   Enter in Cloud Identity Engine IdP Profile
Entity ID (copy)                             Identity Provider ID
Certificate (download)                       Click to Upload the certificate from Google
SSO URL (copy)                               Identity Provider SSO URL
Select the HTTP Binding for SSO Request to IdP method you want to use for the SAML binding that allows the firewall and IdP to exchange request and response messages:
HTTP Redirect—Transmit SAML messages through URL parameters.
HTTP Post—Transmit SAML messages using base64-encoded HTML.
If you want to upload a metadata file, download the metadata file from your IdP management system.
The Cloud Identity Engine supports metadata file sizes of up to 16 MB.
In the Google Admin Console, select the Cloud Identity Engine app and Download Metadata.
Click Download Metadata and Save the file to a secure location.
In the Cloud Identity Engine app, click Browse files to select the metadata file, then Open the metadata file.
If you don't want to enter the configuration information now, you can Do it later. This option allows you to submit the profile without including configuration information. However, you must edit the profile to include the configuration information before you can use the authentication type in an authentication profile.
The Cloud Identity Engine does not currently support the Get URL method for Google.
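The following script is an added illustration, not Palo Alto Networks or Google code: it pulls the three values the manual-entry table asks for (Identity Provider ID, SSO URL and signing certificate) out of a SAML IdP metadata file, reports which of the two SSO bindings the IdP offers, and refuses files over the 16 MB limit. The sample metadata is constructed with placeholder values in the shape Google produces.

```python
"""Extract Cloud Identity Engine IdP-profile values from SAML IdP metadata."""
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
BINDINGS = {  # the two bindings the IdP profile lets you choose between
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect": "HTTP Redirect",
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST": "HTTP Post",
}
MAX_METADATA_BYTES = 16 * 1024 * 1024  # upload limit stated in the procedure

# Constructed sample; entity ID, idpid and certificate body are placeholders.
SAMPLE_METADATA = b"""<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://accounts.google.com/o/saml2?idpid=EXAMPLE_IDP_ID">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data><ds:X509Certificate>
          MIIBASE64PLACEHOLDER==
        </ds:X509Certificate></ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://accounts.google.com/o/saml2/idp?idpid=EXAMPLE_IDP_ID"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://accounts.google.com/o/saml2/idp?idpid=EXAMPLE_IDP_ID"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def extract_idp_profile(metadata: bytes) -> dict:
    """Return the Identity Provider ID, SSO URL per binding and signing cert (PEM)."""
    if len(metadata) > MAX_METADATA_BYTES:
        raise ValueError("metadata exceeds the 16 MB upload limit")
    # The file comes from your own admin console; parse XML of unknown origin
    # with defusedxml rather than the stdlib parser.
    root = ET.fromstring(metadata)
    idp = root.find("md:IDPSSODescriptor", NS)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor" or idp is None:
        raise ValueError("not a SAML IdP metadata document")
    sso = {BINDINGS[s.get("Binding")]: s.get("Location")
           for s in idp.findall("md:SingleSignOnService", NS) if s.get("Binding") in BINDINGS}
    cert = None
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use") in (None, "signing"):  # an untagged key may be used for signing
            cert = kd.find(".//ds:X509Certificate", NS)
            break
    if cert is None or not sso:
        raise ValueError("metadata lacks a signing certificate or a usable SSO endpoint")
    body = "".join(cert.text.split())  # strip the whitespace Google wraps the base64 in
    pem = "-----BEGIN CERTIFICATE-----\n" + "\n".join(
        body[i:i + 64] for i in range(0, len(body), 64)) + "\n-----END CERTIFICATE-----\n"
    return {"identity_provider_id": root.get("entityID"), "sso_urls": sso, "certificate_pem": pem}
```

Run it against the metadata file downloaded from the Google Admin Console and compare the printed values with what you typed into the IdP profile; a mismatch in the entity ID or SSO URL is the usual cause of a failed Test SAML setup.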
Specify the Maximum Clock Skew (seconds), which is the allowed difference in seconds between the system times of the IdP and the firewall at the moment when the firewall validates IdP messages (default is 60; range is 1–900). If the difference exceeds this value, authentication fails.
To require users to log in using their credentials to reconnect to GlobalProtect, enable Force Authentication.
Test SAML setup to verify the profile configuration.
This step is necessary to confirm that your firewall and IdP can communicate.
Select the SAML attributes you want the firewall to use for authentication and Submit the IdP profile.
Select the Username Attribute and, optionally, the Usergroup Attribute, Access Domain, User Domain, and Admin Role.