Google Workspace SAML
This document details configuring Google Workspace SAML for authentication with Dropzone. This is more advanced than using the "Log in with Google" button which is an alternate login option.
Enabling SAML with Google Workspace involves the following steps:
Deciding who should have access to Dropzone
Adding Dropzone Role Attributes To Your Users
Creating a SAML application in Google Workspace
Providing your SAML IDP details to your Dropzone support representative
Updating your SAML application with details from your Dropzone support representative
Deciding who should have access to Dropzone
When you create your SAML application you need to assign it to a Google Workspace Organizational Unit (OU) and/or to one or more Google Groups.
If you do not have an OU or Google Group that contains the users you want having Dropzone access, create it at this time.
Add Dropzone Role Attributes To Your Users
Google Workspace supports per-user attributes - see the Google Custom User Attribute Documentation for details.
You'll need an attribute to hold the user's Dropzone role. You can add this to an exiting "attribute category" or use one you already have.
The role value must be named exactly
Make a new attribute that will hold a user's Dropzone role by following the documentation linked earlier. The name you choose is up to you - we suggest dropzone_role.
If you're a user of gam you could create the schema via
Once it's created you need to update the role attribute to each user who will have access to your Dropzone environment. You can find this in the user's "User Information" tab in https://admin.google.com
Roles are defined on the Team Admin page.
The valid roles values are as follows:
admin
Admin
Full write access; create and update integration configuration; create response automation; manage users
member
Member
Minimal write access; create context memory, add investigation feedback; ask questions of the AI
restricted-read-only
Restricted Read Only
Read-only access; view investigations and dashboards; no ad-hoc chat
You must make sure these values are exact or the user will not be able to log into Dropzone.
If you're a user of gam you could update a user's role like this:
Add the role to all users who will have Dropzone access.
Create a SAML Application in Google Workspace
You may wish to start by reading Google's SAML Documentation
Go to https://admin.google.com
Go to Apps > "Web and mobile apps" in the sidebar
Select "Add app" > "Add custom SAML app"
Provide a name, optional description, and optional application icon
Click Continue
On the IDP Metadata page:
Copy the SSO URL (NOT the Entity ID) and provide to Dropzone
Download the certificate file and provide to Dropzone
Click Continue
On the Service Provider Details page:
In the "ACS URL" field put
https://login.dropzone.ai/samlv2/acsIn the "Entity ID" field put the value that Dropzone provided
If you do not have one yet, put
tbd
Set the "Name ID Format" to
EMAILSet the "Name ID" to "Basic Information > Primary Email"
Click Continue
On the Attributes page, click "ADD MAPPING" three times to create new fields
Set the attributes as follows
Basic Information > First Name
first_name
Basic Information > Last Name
last_name
Dropzone > dropzone_role
dropzone_role
Leave Group membership (optional) blank
Click Finish
Assign The SAML App to Users
Following the instructions at Google's SAML Documentation, assign the new SAML app to an OU and/or one or more Google Groups.
Provide Your SAML IDP Details to Dropzone
Send the values you captured earlier to your Dropzone support representative:
SSO URL
Certificate file
Update Your SAML Application
Dropzone will enable SAML and provide you two values to add to the "Service Provider Details" in your SAML app:
ACS URL
Entity ID
Update these values in your SAML app.
Getting Help
If you have any errors or questions, engage your Dropzone AI support representative.
Last updated
Was this helpful?
