Configure RSA Cloud Authentication Service

1. Sign in to RSA Cloud Administration Console and browse to Applications > Application Catalog.
2. Search for G Suite and click Add to add the connector.
3. On the Basic Information page, choose Cloud.
4. Enter the name for the application in the Name field and click Next Step.                                                                                                 
5. On the Connection Profile page, choose IdP-initiated and enter Connection URL in the following format: https://mail.google.com/a/%DOMAIN% - replace %DOMAIN% with the domain name of your Workspace connected domain.                      
6. In the Identity Provider section, perform the following sub-steps:
   1. Make a note of the Identity Provider URL. It is required during the Workspace configuration.                                                           
   2. Under Identity Provider Entity ID, click the Override option and enter https://www.opensaml.org/IDP in the text field.          
   3. Import a private/public key pair to sign and validate SAML assertions. If a key is unavailable, follow the sub-steps to generate a certificate bundle. Otherwise, continue to the next step.
      1. Click Generate Certificate Bundle in the SAML Response Signature section.
      2. Enter a common name for your Identity Router domain in the Common Name (CN) field.
      3. Click Generate and Download, save the certificate bundle zip file to a secure location, and extract its contents. The zip file contains a private key, a public certificate, and a certificate signing request.                                                                           
7. In the Service Provider section, provide the details in the following format:
   1. In the Assertion Consumer Service (ACS) URL and Audience (Service Provider Entity ID) fields, enter the URL in this format - https://www.google.com/a/%DOMAIN%/acs - replace %DOMAIN% with the domain name of your Workspace connected domain. 
8. In the User Identity section, select Email Address in the Identifier Type drop-down list, select the name of your user Identity Source, and select the Property value as mail.                                                                                                                                                        
9. Click Next Step. 
10. On the User Access page, select the access policy that the identity router will use to determine which users can access the Workspace service provider.
11. Click Next Step.                                                                                                                                                                                            
12. On the Portal Display page, configure the portal display and other settings.
13. Click Save and Finish.                                                                                                                                                                                 
14. Click Publish Changes and wait for the operation to complete.

Configure Google Workspace 

1. Sign in to the Workspace administrator console at https://admin.google.com.
2. Go to Security > Authentication > SSO with third-party IdP.                                                                                                                  
3. On the SSO with third-party IdP page, do the following:
   1. Select the Set up SSO with third-party identity provider check box.                                                                                      
   2. In the Sign-in page URL field, enter the Identity Provider URL obtained from of RSA Cloud Authentication Service configuration. 
   3. In the Sign-out page URL field, enter https://google.com.                                                                                                              
   4. Verification certificate: Upload the public certificate extracted from RSA Cloud Authentication Service configuration.                    
4. Click Save.