Google Workspace SAML
This document details how to configure Google Workspace SAML for authentication with Dropzone. This is more advanced than using the "Log in with Google" button, which is an alternate login option.
Enabling SAML with Google Workspace involves the following steps:
Deciding who should have access to Dropzone
Adding Dropzone Role Attributes To Your Users
Creating a SAML application in Google Workspace
Providing your SAML IDP details to your Dropzone support representative
Updating your SAML application with details from your Dropzone support representative
When you create your SAML application you need to assign it to a Google Workspace Organizational Unit (OU) and/or to one or more Google Groups.
If you do not have an OU or Google Group that contains the users who should have Dropzone access, create it at this time.
Google Workspace supports per-user attributes - see the for details.
You'll need an attribute to hold the user's Dropzone role. You can add this to an existing "attribute category" or use one you already have.
The role value must be named exactly
Make a new attribute that will hold a user's Dropzone role by following the documentation linked earlier. The name you choose is up to you - we suggest dropzone_role.
The valid role values are as follows:
admin (Admin): Full write access; create and update integration configuration; create response automation; manage users
member (Member): Minimal write access; create context memory, add investigation feedback; ask questions of the AI
restricted-read-only (Restricted Read Only): Read-only access; view investigations and dashboards; no ad-hoc chat
You must make sure these values are exact or the user will not be able to log into Dropzone.
Add the role to all users who will have Dropzone access.
Go to Apps > "Web and mobile apps" in the sidebar
Select "Add app" > "Add custom SAML app"
Provide a name, optional description, and optional application icon
Click Continue
On the IDP Metadata page:
Copy the SSO URL (NOT the Entity ID) and provide to Dropzone
Download the certificate file and provide to Dropzone
Click Continue
On the Service Provider Details page:
In the "ACS URL" field put https://login.dropzone.ai/samlv2/acs
In the "Entity ID" field put the value that Dropzone provided
If you do not have one yet, put tbd
Set the "Name ID Format" to EMAIL
Set the "Name ID" to "Basic Information > Primary Email"
Click Continue
On the Attributes page, click "ADD MAPPING" three times to create new fields
Set the attributes as follows:
Basic Information > First Name maps to first_name
Basic Information > Last Name maps to last_name
Dropzone > dropzone_role maps to dropzone_role
Leave Group membership (optional) blank
Click Finish
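A pre-flight check for the mapping configured above, as an added example that is not Dropzone's or Google's own code: it parses a SAML assertion captured from a test login and reports a missing attribute, a non-email NameID format, or a role that is not one of the three exact values. The sample assertion is constructed, the name check_assertion is hypothetical, and the emailAddress URN is assumed to be what the EMAIL Name ID format emits.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"  # assumed URN for EMAIL
VALID_ROLES = {"admin", "member", "restricted-read-only"}  # exact values from this page
REQUIRED = ("first_name", "last_name", "dropzone_role")    # app attributes mapped above

# Constructed sample assertion (not real IdP output); the role is wrongly capitalised.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="first_name"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="last_name"><saml:AttributeValue>Example</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="dropzone_role"><saml:AttributeValue>Admin</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def check_assertion(xml_text):
    """Return a list of mapping problems; an empty list means the mapping looks right.
    Checks attribute content only; it does not verify the XML signature."""
    root = ET.fromstring(xml_text)  # use only on assertions captured from your own IdP
    problems = []
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        problems.append("NameID missing")
    elif name_id.get("Format") != EMAIL_FORMAT:
        problems.append("NameID Format is not EMAIL")
    attrs = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
    for name in REQUIRED:
        values = attrs.get(name, [])
        if len(values) != 1 or not values[0]:
            problems.append(f"{name}: expected exactly one non-empty value, got {values!r}")
    for role in attrs.get("dropzone_role", []):
        if role not in VALID_ROLES:  # comparison is exact: case and whitespace matter
            hint = role.strip().lower()
            suffix = f" (did you mean {hint!r}?)" if hint in VALID_ROLES else ""
            problems.append(f"dropzone_role {role!r} is not a valid role{suffix}")
    return problems


if __name__ == "__main__":
    for problem in check_assertion(SAMPLE):
        print(problem)
```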
Send the values you captured earlier to your Dropzone support representative:
SSO URL
Certificate file
Dropzone will enable SAML and provide you with two values to add to the "Service Provider Details" in your SAML app:
ACS URL
Entity ID
Update these values in your SAML app.
If you have any errors or questions, engage your Dropzone AI support representative.
Once it's created, you need to update the role attribute for each user who will have access to your Dropzone environment. You can find this in the user's "User Information" tab in
Roles are defined on the .
If you're a user of you could update a user's role like this:
You may wish to start by reading
Go to
Following the instructions at , assign the new SAML app to an OU and/or one or more Google Groups.