This guide walks you through setting up Tresorit SSO with Google Workspace. You will create and configure a new OAuth client in the Google Cloud Console under APIs and services; this gives you a Client ID that you then enter in Tresorit's Admin Center. You also have to enable the Google Drive API for the project. Once the Client ID is in place, the last step is to assign the Single Sign-On policy to the policy groups and users that should sign in through Google.
Our Google SSO support is built on the Google Drive API. We use the API's built-in application data folder to store application-specific data. This folder is accessible only to the application that created it, and its contents are hidden from the user and from other Drive apps. This is why the drive.appdata scope is part of the consent screen configuration below.
For more info: https://developers.google.com/drive/api/v3/appdata
How to set up SSO for Tresorit
Create a new Google Cloud project
As a first step, create a Google Cloud project in the Google Cloud Console. Google's official 5-step tutorial for this: https://developers.google.com/workspace/guides/create-project
Enable the Google Drive API for this project
The next step is to enable the Google Drive API in your project. Choose Library under APIs and services, search for Google Drive, and click on Google Drive API. Alternatively, follow this link: https://console.cloud.google.com/apis/library/drive.googleapis.com
Click Enable.
Configure OAuth consent screen
You need to set up the OAuth consent screen first; otherwise Google will not let you create credentials in this project.
Choose OAuth consent screen under APIs and Services, select Internal as the User Type, then click CREATE. Internal means that only accounts belonging to your Google Workspace organization can sign in through this client, which is what you want for company SSO.
As the App name we recommend using Tresorit. As the User support email, add an address where your users can reach your IT admin team in case they have questions or technical difficulties.
Add the following Authorised domains:
- tresorit.com
- tresor.it
As Developer contact information, add an address where Google can notify you about changes to your project.
After that, click SAVE AND CONTINUE.
On the Scopes page, click ADD OR REMOVE SCOPES and add the following scopes in the field under MANUALLY ADD SCOPES:
- https://www.googleapis.com/auth/userinfo.email
- https://www.googleapis.com/auth/userinfo.profile
- https://www.googleapis.com/auth/drive.appdata
- openid
Click UPDATE
Now you can click SAVE AND CONTINUE to view the Summary.
After that you can click on BACK TO DASHBOARD.
Create credentials in Google Cloud Platform
Next, create a new credential in the project you just created.
Choose Credentials under APIs and Services, click CREATE CREDENTIALS and choose OAuth client ID.
The Application type of this new credential should be Web application.
Enter a Name for your app (such as Tresorit).
Add the following URI under Authorised JavaScript origins:
Add the following under Authorised redirect URIs:
Save the settings. Note the Client ID that Google shows after saving; this is the value you will paste into Tresorit's Admin Center. Google only redirects back to the exact redirect URIs registered here, so double-check them before saving.
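To make the purpose of the settings above concrete, here is an added example (not Tresorit's or Google's code; Tresorit's applications perform this exchange for you) of what an OAuth client configured this way is used for: the authorization request carries exactly the scopes registered on the consent screen, the redirect URI must be one of the Authorised redirect URIs, and the callback and ID token are checked against the state, nonce, Client ID and Workspace domain. The Client ID, the redirect URI, the hosted domain and the ID-token payload below are placeholders and constructed test data, not values from this page. Signature verification of the ID token against Google's JWKS is deliberately left to a library such as google-auth and is not done here.

```python
import base64
import hmac
import json
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

GOOGLE_AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"
GOOGLE_ISSUERS = {"https://accounts.google.com", "accounts.google.com"}

# Exactly the scopes registered on the OAuth consent screen (Scopes step above).
SCOPES = [
    "openid",
    "https://www.googleapis.com/auth/userinfo.email",
    "https://www.googleapis.com/auth/userinfo.profile",
    "https://www.googleapis.com/auth/drive.appdata",
]

# Placeholders (assumptions, not from the page): the real Client ID comes from the
# Credentials page, and the redirect URI is whatever you registered there.
CLIENT_ID = "123456789012-example.apps.googleusercontent.com"
REGISTERED_REDIRECT_URIS = {"https://sso.example.invalid/oauth/callback"}


def build_auth_request(redirect_uri: str) -> tuple[str, str, str]:
    """Return (authorization_url, state, nonce) for an OpenID Connect code flow."""
    # Google enforces exact-match redirect URIs; refuse early on our side too.
    if redirect_uri not in REGISTERED_REDIRECT_URIS:
        raise ValueError("redirect_uri is not an Authorised redirect URI of this client")
    state = secrets.token_urlsafe(32)  # binds the callback to this browser session (CSRF)
    nonce = secrets.token_urlsafe(32)  # binds the ID token to this request (replay)
    params = {
        "client_id": CLIENT_ID,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "scope": " ".join(SCOPES),
        "state": state,
        "nonce": nonce,
    }
    return f"{GOOGLE_AUTH_ENDPOINT}?{urlencode(params)}", state, nonce


def parse_callback(callback_url: str, expected_state: str) -> str:
    """Validate the redirect back from Google and return the authorization code."""
    q = parse_qs(urlparse(callback_url).query)
    if "error" in q:
        raise PermissionError(f"Google returned error: {q['error'][0]}")
    state = q.get("state", [""])[0]
    if not hmac.compare_digest(state, expected_state):
        raise PermissionError("state mismatch: possible CSRF or stale callback")
    code = q.get("code", [""])[0]
    if not code:
        raise ValueError("callback carries no authorization code")
    return code


def check_id_token_claims(id_token: str, expected_nonce: str, hosted_domain: str) -> dict:
    """Check the claims of an ID token payload.

    The JWT signature must already have been verified against Google's JWKS
    (e.g. google.oauth2.id_token.verify_oauth2_token); this function only checks claims.
    """
    payload_b64 = id_token.split(".")[1]
    payload = json.loads(base64.urlsafe_b64decode(payload_b64 + "=" * (-len(payload_b64) % 4)))
    if payload.get("iss") not in GOOGLE_ISSUERS:
        raise PermissionError("unexpected issuer")
    if payload.get("aud") != CLIENT_ID:
        raise PermissionError("token was issued to a different OAuth client")
    if not hmac.compare_digest(payload.get("nonce", ""), expected_nonce):
        raise PermissionError("nonce mismatch: replayed ID token")
    # With an Internal consent screen every user carries the Workspace domain in 'hd';
    # checking it rejects accounts from outside the organization.
    if payload.get("hd") != hosted_domain:
        raise PermissionError("user is not a member of the expected Workspace domain")
    if not payload.get("email_verified"):
        raise PermissionError("email address not verified by Google")
    return payload


def make_unsigned_token(payload: dict) -> str:
    """Constructed test helper: builds an ID token with an empty signature.

    Only for exercising check_id_token_claims offline; never accept such a token.
    """
    def enc(d: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(payload)}."


if __name__ == "__main__":
    url, state, nonce = build_auth_request("https://sso.example.invalid/oauth/callback")
    print(url)
```

The state and nonce are what make the registered redirect URI meaningful: without them an attacker could hand a victim a callback URL carrying the attacker's own code or ID token.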
Setting up SSO in Tresorit’s Admin Center
Step 1. On the Settings tab
On the Settings tab, make sure that Advanced Control is enabled. Then click Enable SSO under the Single Sign-On section.
A window will come up, prompting you to accept Tresorit's SSO-specific Terms.
Once you have accepted the Terms, select Google Workspace and paste in the Client ID you noted when creating the credential.
You might need to enter your password again if your session has expired. If the Client ID is accepted, a confirmation notification appears.
Step 2. On the Policies tab
Under the Policies tab, you can either create a new policy or edit an existing one. Set the Single Sign-On policy to Enabled, so that users with that policy have to sign in through the configured Google Workspace account. Don't forget to Save the changes to your policy.
The 2-Step Verification policy will be turned off for this group, because with SSO this feature is handled by Google. Your users will have to use 2-Step Verification via the method configured in their Google profile. Since Tresorit no longer checks it for these users, make sure 2-Step Verification is enforced for them on the Google side.
Using SSO in Tresorit
Activation
For existing users in the policy group, a migration dialog will appear in the Tresorit applications. They have to confirm their current password before being redirected to the company login page. After they log in there as well, their Tresorit password will no longer be valid, and they will only be able to sign in through the SSO option.
In the case of the subscription owner, the Tresorit password is kept, because it is still required for Advanced Control functions.
Deactivation
When you disable the SSO policy for a user, they will be required to set a password again. In some cases SSO authentication might not be available at that point, so this process includes an email confirmation before letting them set their new password.
Sign up without an invitation
You can also verify that certain domains are under your control. In that case, new users in your company can register with SSO right away, without clicking an invitation link, which gives them a simpler first sign-in experience. Learn how to verify your domain via this article.