Google Workspace

From the left toolbar, click Getting started.
In the Connect a directory section, click Connect (or Add another Directory).

The IdP Integration wizard opens.
Enter a name for the Integration Title and select Google Workspace.
Click Next.

Integration Type

In this step of the IdP Integration Wizard, you can configure SSO authentication for Infinity Portal administrators and for users of Infinity Portal services (for example: Harmony Connect). This configuration does not affect Infinity Identity user authentication.

Step 2: Configure SSO for Users of Infinity Portal Services

In the Service(s) Integration section, select one of these options:
- No Services - End users of Infinity Portal services cannot authenticate with SSO from the Identity Provider. This is the default configuration.
- All Services - End users can log in with SSO from the Identity Provider to all Check Point services that support SSO.
- Specific Service(s) - From the list of services, select service(s) to allow end users to log into with SSO from the Identity Provider. Available services:
  - Harmony Connect
  - Quantum Gateways
Click Next (or, if you are editing a configuration, Apply) to complete the Integration Type configuration.

Verify your Domain

Note - If for Integration Type you selected Login with a unique URL, the Verify Domain step is not necessary.

Connect to your DNS server.
Copy the DNS Value from the Infinity Portal IdP Integration wizard > Verify Domain step.
On your DNS server, enter the Value as a TXT record.
In the Infinity Portal > Domain(s) section, enter a public DNS domain server name and click the plus icon.

Check Point makes a DNS query to verify your domain's configuration.
Optional - add more DNS domain servers.

Click Next.

Note - Wait until the DNS record propagates and becomes resolvable.

Allow Connectivity

To configure the Google Workspace settings, you must have administrator permissions. In this step, you create a SAML Application in the Google Workspace Portal.

Navigate to the Google Workspace Admin console.
From the side toolbar, select Apps > Web and mobile apps.
In the top toolbar, select Add app > Add custom SAML app.
On the App details pages, below the App name enter a name and click Continue.
Click Download Metadata and click Continue.
On the Service provider details page, enter the ACS URL and Entity ID from the Infinity Portal. For the ACS URL, use the Reply URL from the IdP Integration page, as shown in this screenshot:
Keep Name ID format as Unspecified and Name ID as Basic Information > Primary Email.

OPTIONAL - Enable IdP-Initiated flow

IdP Initiated lets you connect directly to the Infinity Portal from your Google Workspace Admin Console. To do this, you must create an Infinity Portal app card in your Google Workspace Admin Console. See the Google Workspace documentation for Add-ons.

Step 1: In Infinity Portal, enable IdP Initiated flow:

In the Infinity Portal > IdP Integration Allow Connectivity step, select the checkbox Enable IDP initiated flow.

The Start URL field appears.

Step 2: In your Google Workspace account, configure the IdP Settings:

Navigate to your Google Workspace Admin Console.
From the left toolbar click Apps > Web and mobile Apps.

The Web and mobile apps menu opens.
From the Web and mobile apps menu, open the application object for the SAML connection to Infinity Portal.
Expand the Service provider details menu.
In the Start URL field, enter the Start URL from Infinity Portal.
Click Save.

Important - Before you can test the connectivity between Google Workspace and Infinity Portal, you must complete all of the IdP integration steps in the Infinity Portal.

Configure the Attributes

In this step, you configure the attribute mapping and group membership in Google Workspace.

Go to Google Workspace > Attribute mapping > Attributes.
Below Google directory attributes, click Add Mapping to add an attribute field.

Enter these corresponding attributes from the Infinity Portal IdP Integration page.

Google Directory attributes	App attributes
Primary email	email
First name	firstName
Last name	lastName

In Group membership, enter these details:

Google Groups	App attribute
Enter the group(s) name	groups

Click Finish.
On the Infinity Portal IdP Integration page, click Next.

Configure Metadata

If you did not already download the metadata file, then go to your Google Workspace account, go to Apps > Web and mobile apps, and open the applicable application.
In the application page that opens, click Download Metadata.
In the Download metadata window, click Download Metadata.
To exit the window, click Close.
On the Infinity Portal IdP Integration page, click Select File and upload the Google Workspace metadata file.
Optional: Run test - This test makes sure the SAML connection between the Infinity Portal and Google Workspace is configured correctly.
Click Next.

You can select to continue and configure Set Directory Integration (see Set Directory Integration). Or to finish select the checkbox I want to skip this step and use this IdP for SSO authentication only and then click Next.

Directory Integration

Directory Integration gets information about users and groups for the services you selected in the Integration Type step > Service(s) Integration section.

Directory Integration does not apply to Users and User Groups in the Infinity Portal.

Important - After you create a Directory Integration, you cannot change it. To create a different Directory Integration, you must create a new Identity Provider (IdP) Integration.

To integrate Google Workspace with Infinity Identity, you must configure Directory Integration.

Directory Integration allows Check Point services to query for any change in Google Workspace users and groups. The Infinity Portal pulls all users and groups from Google Workspace.

Prerequisites

A Google Workspace with Super Administrator permissions.

Create a Google Cloud Project.

In the Google Cloud console, create a New Project and name it dss-sync.
From the menu, select APIs and services > Library and enable these APIs:
- Admin SDK API
- Cloud Identity

Create the Service Account

From the menu, select IAM and admin > Service Accounts > and select Create Service Account.
1. In the Service account details, enter a service account name (such as dss-sync) and then click Create and Continue.
2. Below Grant this service account access to project, for Quick access select Basic, and for Roles select Owner.
3. Below Grant users access to this service account, click Done.
On the Service accounts page that opens, click the dss-sync project.
On the Service details page, click Advanced settings.
1. Save the Client ID. Go to Advanced settings > Domain wide delegation.
2. From the menu, click Keys > Add Key > Create a new key.
3. For the Key type, select JSON.
4. Click Create. This downloads a JSON credential file. Save the file.
5. Close the window.

Configure Domain-Wide Access

Sign in to the Google Admin console with a super admin account.
Go to Security > Access and data control > API controls.
Below Domain wide delegation, click Manage Domain Wide Delegation.

Click Add new.

Enter the Service Account In Microsoft® Active Directory, a user account created explicitly to provide a security context for services running on Microsoft® Windows® Server.'s Client ID from "Create Service Account", step 3.

Enter these scopes:

Copy

https://www.googleapis.com/auth/admin.directory.user.readonly,
https://www.googleapis.com/auth/admin.directory.group.readonly,
https://www.googleapis.com/auth/admin.directory.device.chromeos.readonly,
https://www.googleapis.com/auth/admin.directory.device.mobile.readonly,
https://www.googleapis.com/auth/admin.directory.device.chromebrowsers.readonly,
https://www.googleapis.com/auth/cloud-identity.devices.readonly

Click Authorize.

Confirm Identity Provider Integration

Review the details of the SSO configuration and click Submit.

Important - Create a user group with the applicable roles and assign it to the related IdP group name or ID. This depends on the applicable identity provider before you log out. For more information, see User Groups.