# Signing in with Google Workspace

{% hint style="success" %}
This document details configuring Google Workspace SAML for authentication with Dropzone. This is more advanced than using the "Log in with Google" button, which is an alternate login option.
{% endhint %}

Enabling SAML with Google Workspace involves the following steps:

* Deciding who should have access to Dropzone
* Adding Dropzone Role Attributes To Your Users
* Creating a SAML application in Google Workspace
* Providing your SAML IDP details to your Dropzone support representative
* Updating your SAML application with details from your Dropzone support representative

### Deciding who should have access to Dropzone

When you create your SAML application you need to assign it to a Google Workspace Organizational Unit (OU) and/or to one or more Google Groups.

If you do not have an OU or Google Group that contains the users who should have Dropzone access, create one now.

### Add Dropzone Role Attributes To Your Users

Google Workspace supports per-user attributes - see the [Google Custom User Attribute Documentation](https://support.google.com/a/answer/6208725?hl=en#zippy=%2Cadd-a-new-custom-attribute) for details.

You'll need an attribute to hold the user's Dropzone role. You can add this to an existing "attribute category" or use one you already have.

The role value must be named exactly

Make a new attribute that will hold a user's Dropzone role by following the documentation linked earlier. The name you choose is up to you - we suggest `dropzone_role`.

{% hint style="info" %}
If you're a user of [gam](https://github.com/GAM-team/GAM), you could create the schema via:

```
$ gam create schema dropzone field dropzone_role type string endfield
```

{% endhint %}

Once it's created, you need to set the role attribute on each user who will have access to your Dropzone environment. You can find this in the user's "User Information" tab in <https://admin.google.com>.

Roles are defined on the [Team Admin page](/dropzone-101/getting-started.md).

The valid role values are as follows:

| role value             | Role Name            | Permissions                                                                                              |
| ---------------------- | -------------------- | -------------------------------------------------------------------------------------------------------- |
| `admin`                | Admin                | Full write access; create and update integration configuration; create response automation; manage users |
| `member`               | Member               | Minimal write access; create context memory, add investigation feedback; ask questions of the AI         |
| `restricted-read-only` | Restricted Read Only | Read-only access; view investigations and dashboards; no ad-hoc chat                                     |

{% hint style="warning" %}
You must make sure these values are exact or the user will not be able to log into Dropzone.
{% endhint %}

<figure><img src="/files/QlvYjgZelRnsnRizA8Da" alt=""><figcaption><p>Example of setting a user to the `member` Dropzone role</p></figcaption></figure>

{% hint style="info" %}
If you're a user of [gam](https://github.com/GAM-team/GAM), you could update a user's role like this:

```
$ gam update user wendell.bagg dropzone.dropzone_role member
```

{% endhint %}

Add the role to all users who will have Dropzone access.
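Because a role value that is not exact blocks login, it is worth auditing the directory before enabling SAML. The following is an added example, not Dropzone's or Google's own code: it checks user records shaped like Admin SDK Directory API output (`customSchemas`, full projection) against the table above. The sample records are constructed, and the schema and field names `dropzone` and `dropzone_role` are the ones suggested on this page.

```python
# Added example: audit Dropzone role values before enabling SAML.
VALID_ROLES = {"admin", "member", "restricted-read-only"}  # from the table above

# Constructed sample records in the shape the Directory API returns for users.
# Schema "dropzone" / field "dropzone_role" are the names suggested on this page.
SAMPLE_USERS = [
    {"primaryEmail": "wendell.bagg@example.com",
     "customSchemas": {"dropzone": {"dropzone_role": "member"}}},
    {"primaryEmail": "ana@example.com",
     "customSchemas": {"dropzone": {"dropzone_role": "Admin"}}},
    {"primaryEmail": "li@example.com",
     "customSchemas": {"dropzone": {"dropzone_role": "restricted read only "}}},
    {"primaryEmail": "sam@example.com"},  # attribute never set
    {"primaryEmail": "kit@example.com",
     "customSchemas": {"dropzone": {"dropzone_role": "owner"}}},
]

def check_role(value):
    """Return (ok, reason). Only an exact match is accepted."""
    if value is None or value == "":
        return False, "role attribute not set"
    if value in VALID_ROLES:
        return True, "ok"
    # Suggest the likely intended value for case, space or underscore slips.
    words = value.strip().lower().replace("_", " ").replace("-", " ").split()
    guess = "-".join(words)
    if guess in VALID_ROLES:
        return False, f"not exact: {value!r}, did you mean {guess!r}?"
    return False, f"unknown role {value!r}"

def audit(users, schema="dropzone", field="dropzone_role"):
    """Return {email: reason} for every user whose role would be rejected."""
    problems = {}
    for user in users:
        value = user.get("customSchemas", {}).get(schema, {}).get(field)
        ok, reason = check_role(value)
        if not ok:
            problems[user["primaryEmail"]] = reason
    return problems

if __name__ == "__main__":
    for email, reason in audit(SAMPLE_USERS).items():
        print(f"{email}: {reason}")
```
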

### Create a SAML Application in Google Workspace

You may wish to start by reading [Google's SAML Documentation](https://support.google.com/a/answer/6087519).

* Go to <https://admin.google.com>
* Go to Apps > "Web and mobile apps" in the sidebar
* Select "Add app" > "Add custom SAML app"
* Provide a name, optional description, and optional application icon
* Click Continue

<figure><img src="/files/j44pHpiffpf3K6ITUzdu" alt=""><figcaption><p>Set Custom App Details</p></figcaption></figure>

On the IDP Metadata page:

* Copy the **SSO URL** (*NOT the Entity ID*) and provide it to Dropzone
* Download the certificate file and provide it to Dropzone
* Click Continue

<figure><img src="/files/3WERjSYfBqXdaWIRICHB" alt=""><figcaption><p>Gather SAML Details for Dropzone</p></figcaption></figure>

On the Service Provider Details page:

* In the "ACS URL" field put `https://login.dropzone.ai/samlv2/acs`
* In the "Entity ID" field put the value that Dropzone provided
  * If you do not have one yet, put `tbd`
* Set the "Name ID Format" to `EMAIL`
* Set the "Name ID" to "Basic Information > Primary Email"
* Click Continue

<figure><img src="/files/NeHpCBawjrMPxZLqJ7YN" alt=""><figcaption><p>Set SP details</p></figcaption></figure>

* On the Attributes page, click "ADD MAPPING" three times to create new fields
* Set the attributes as follows

| Google Directory Attributes    | App Attributes  |
| ------------------------------ | --------------- |
| Basic Information > First Name | `first_name`    |
| Basic Information > Last Name  | `last_name`     |
| Basic Information > Full Name  | `full_name`     |
| Dropzone > dropzone\_role      | `dropzone_role` |

* Leave Group membership (optional) blank
* Click Finish

<figure><img src="/files/lW7j944KpM0bpoUn6jiB" alt=""><figcaption><p>Configure Custom Attributes</p></figcaption></figure>
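To confirm the mapping after a test login, you can inspect the base64 `SAMLResponse` captured from your own browser. The following is an added example, not Dropzone's or Google's own code: it checks the Name ID format and the four app attributes configured above. It assumes the `EMAIL` Name ID format appears on the wire as the standard SAML `emailAddress` format URI; the sample input is constructed and unsigned.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Assumption: Google's "EMAIL" Name ID format maps to this standard URI.
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
REQUIRED = ("first_name", "last_name", "full_name", "dropzone_role")
VALID_ROLES = {"admin", "member", "restricted-read-only"}

def build_sample(attrs, fmt=EMAIL_FORMAT):
    """Constructed test input: a minimal unsigned assertion, base64-encoded."""
    rows = "".join(
        f'<saml:Attribute Name="{k}"><saml:AttributeValue>{v}'
        f'</saml:AttributeValue></saml:Attribute>' for k, v in attrs.items())
    xml = (f'<saml:Assertion xmlns:saml="{NS["saml"]}"><saml:Subject>'
           f'<saml:NameID Format="{fmt}">wendell.bagg@example.com</saml:NameID>'
           f'</saml:Subject><saml:AttributeStatement>{rows}'
           f'</saml:AttributeStatement></saml:Assertion>')
    return base64.b64encode(xml.encode()).decode()

def check_assertion(b64_response):
    """Return a list of findings; an empty list means the mapping matches.

    Checks the attribute mapping only. It does not verify the signature, so
    use it on responses from your own test login, not as an access decision.
    """
    root = ET.fromstring(base64.b64decode(b64_response))
    findings = []
    name_id = root.find(".//saml:NameID", NS)
    if name_id is None or name_id.get("Format") != EMAIL_FORMAT:
        findings.append("NameID format is not EMAIL")
    elif "@" not in (name_id.text or ""):
        findings.append("NameID is not an email address")
    # Collect every attribute's values; an unset directory field may arrive
    # as a missing attribute or as an empty value, so treat both as missing.
    attrs = {a.get("Name"): [v.text or "" for v in a.findall("saml:AttributeValue", NS)]
             for a in root.iterfind(".//saml:Attribute", NS)}
    for name in REQUIRED:
        if not any(attrs.get(name, [])):
            findings.append(f"missing attribute {name}")
    role = attrs.get("dropzone_role", [])
    if any(role) and (len(role) != 1 or role[0] not in VALID_ROLES):
        findings.append(f"invalid dropzone_role {role}")
    return findings
```
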

### Assign The SAML App to Users

Following the instructions at [Google's SAML Documentation](https://support.google.com/a/answer/6087519), assign the new SAML app to an OU and/or one or more Google Groups.

### Provide Your SAML IDP Details to Dropzone

Send the values you captured earlier to your Dropzone support representative:

* SSO URL
* Certificate file

### Update Your SAML Application

Dropzone will enable SAML and provide you with two values to add to the "Service Provider Details" in your SAML app:

* ACS URL
* Entity ID

Update these values in your SAML app.

## Getting Help

If you have any errors or questions, engage your Dropzone AI support representative.

