Google Workspace

This tutorial show you how to integrate Google Workspace as the identity management provider for your FormKiQ installation.

We will be:

• Configuring a Web and mobile apps in Google Workspace

• Adding an Identify Provider into Amazon Cognito

What you’ll need

• Access to a FormKiQ Advanced or Enterprise installation, including administrative access

• Administrative access to a Google Workspace

Pre-requisite

You will need these specific configuration values:

• CognitoUserPoolId

• Console URL

• Cognito domain

The CognitoUserPoolId and Console URL can be found in the Outputs tab of your FormKiQ CloudFormation installation

The Cognito domain can be found by clicking on the Cognito User Pool found on the Cognito Console.

Google Workspace

The next step is to create an Web and mobile apps in Google Workspace. This application will be connected to Amazon Cognito and will provide authentication for the users.

Add Web and mobile apps

To configure the Web and mobile apps:

• Login into the Google Workspace and select the Web and Mobile Apps service

• Select "Add App" from the menu and click Add custom SAML app

Single Sign-On configuration

Now configure the SAML application by entering an Application name, description and logo.

Once the single sign-on is created, you will need to fill in the ACS URL and the Entity ID.

The ACS URL is: <Your Cognito Domain>/saml2/idpresponse, for example:

https://formkiq-enterprise-dev-1111111111111.auth.us-east-2.amazoncognito.com/saml2/idpresponse

The format of the Identifier (Entity ID) is:

urn:amazon:cognito:sp:<CognitoUserPoolId>

eg: urn:amazon:cognito:sp:us-east-2_MEhz4EzAZ

Setup the Primary email with the App attribute of

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress

Under the group membership select all the Group google you want to be part of the access token and set the App attribute to be:

http://schemas.microsoft.com/ws/2008/06/identity/claims/groups

The app is created but User access is OFF for everyone. Click the User access to enable. Once the User access is enabled, make sure to Download Metadata, this file will be needed when setting up the Identity Provider in Cognito.

Amazon Cognito

Now, we will need to configure Amazon Cognito to connect to Google Workspace.

Add Identity Provider

We need to add Google Workspace as an Identify Provider in Amazon Cognito.

Open the AWS Console and Launch the CloudShell service.

Once the CloudShell command prompt opens, use the AWS CLI to add a custom attribute. This attribute will contain the group claims attribute.

aws cognito-idp add-custom-attributes \
--user-pool-id <CognitoUserPoolId> \
--custom-attributes Name=groups,AttributeDataType="String"

• Visit the Amazon Cognito console
• Select the User Pool, and then the Social and external providers link
• Click the Add identity provider
• Select the SAML Identity provider

Give the provider a name, such as googleidp.

Upload the Metadata document you downloaded from Google Workspace.

Configure the SAML attributes.

For the email attribute, set the SAML attribute to

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress

For the custom:groups attribute, set the SAML attribute to

http://schemas.microsoft.com/ws/2008/06/identity/claims/groups

Cognito Managed login

You now need to configure Amazon Managed login. Amazon Cognito Managed login provides a URL connection between Amazon Cognito and Microsoft Entra ID.

To configure Cognito Managed login, see Amazon Managed Login tutorial.

Summary

And there you have it! We have shown how easy it is to use Google Workspace as your authentication provider.

This is just the tip of the iceberg when it comes to working with the FormKiQ APIs.

If you have any questions, reach out to us on our https://github.com/formkiq/formkiq-core or https://formkiq.com.