Articles in this section

How to setup SSO for Google in Tresorit

Avatar
Ferenc Margl
Updated

This documentation will guide you through setting up Tresorit SSO with Google. You’ll have to create and configure a new OAuth Client on the Google Cloud Platform Admin UI under APIs and services. During this configuration, you will acquire an ID that you’ll have to set in Tresorit’s Admin Center. You also have to enable Google Drive API. Once you have the IDs, you can set up the policy groups and users and enable SSO policy for them, as a last step.

We implemented our support for Google SSO with the help of the Google Drive API. We used the built-in capability of the API to store application-specific data in a special folder. This folder is only accessible by the given application and its contents are hidden from the user and from other Drive apps.

For more info: https://developers.google.com/drive/api/v3/appdata

🎓 You might be interested:
Introduction to SSO
Managing SSO users

 

Please note that If you're using SSO, Internet Explorer 11 and all versions of Microsoft Edge until 44.19041 are not supported.

 

How to setup SSO for Tresorit

Create a New Google Cloud project

As a first step you need to create a Google Cloud project in Google Cloud Console. Here you can find the official 5-step tutorial for this: https://developers.google.com/workspace/guides/create-project

 

Enable Google Drive access to this client

The next step is to enable Google Drive API in your project. To perform that choose Library under the APIs and services and search for Google Drive and click on Google Drive. Alternatively follow this link: https://console.cloud.google.com/apis/library/drive.googleapis.com

Click Enable.

 

You need to set up the OAuth consent screen otherwise you won’t be allowed to create credentials in this project.

Choose OAuth consent screen under APIs and Services and select Internal as User Type then click CREATE.

 

As an App name we recommend to use Tresorit. As User support email you should add an address where your users can reach your IT Admin Team in case they have any questions or technical difficulties.

 

Add the following Authorised domains:

  • tresorit.com
  • tresor.it

As Developer contact information you should add an address where Google can notify you about any changes to your project.

After that you can click SAVE AND CONTINUE.

On the Scopes page you should click on ADD OR REMOVE SCOPES and add these URLs to the field under MANUALLY ADD SCOPES

Click UPDATE

 

Now you can click SAVE AND CONTINUE to view the Summary.

 

 

After that you can click on BACK TO DASHBOARD.

 

Create credentials in Google Cloud Platform

As a next step you need to create a new credential in the previously created project.

Choose Credentials under the APIs and Services click on CREATE CREDENTIALS and choose OAuth client ID.

 

The Application type of this new credential should be Web application.

 

 

Enter a Name for your app (such as Tresorit).

Add the following as URI for Authorised Javascript origins:

Add the following Authorised redirect URIs:

 

Save the settings.

 

After you’ve successfully created the OAuth client, you’ll see Your Client ID. Make sure to remember the Client ID, since it will be required later.

Setting up SSO in Tresorit’s Admin Center

Step 1. On the Settings tab

On the Settings tab, make sure that Advanced Control is enabled. Then click Enable SSO under the Single Sign-On section.

 

A window will come up, prompting you to accept Tresorit's SSO specific Terms. 

Once you accepted the Terms, select Google Workspace and paste in the previously acquired ID.

 

You might need to enter your password again if your session has expired. If you’re successful, a gentle notification should appear.

Step 2. On the Policies tab

Under the Policies tab, you can either create a new policy or edit an existing one. Set the Single Sign-On policy to Enabled, so the users with that policy will have to use the configured Google server for signing in. Don’t forget to Save the changes to your policy.

 

The 2-Step Verification policy will be turned off for this group, as in case of SSO, this feature is handled by Google. Your users will have to use 2-Step Verification via their configured method in their Google profile.

Using SSO in Tresorit

Activation

For existing users in the policy group, a migration dialog will appear in the Tresorit applications. They will have to confirm their current password before being redirected to the company login page. After they log in there as well, their Tresorit password will no longer be valid, and they’ll only be able to sign in through the SSO option.

In case of the subscription owner, the Tresorit password remains, because it is still required for Advanced Control functionality.

Deactivation

When you disable the SSO policy for a user, they will be required to set a password again. In some cases, SSO authentication might not be available, so this process includes an email confirmation before letting them set their new password.

Sign up without an invitation

You can also verify that certain domains are in your control. In such cases, the new users in your company can perform their registration with SSO right away, and they won’t need to click on the invitation link. This provides a user friendly first sign-in experience. Learn how to verify your domain via this article.

Still have questions left? Drop us a line

 

Related articles