Skip to main contentSkip to search
Skip to main content

Google Workspace Integration

Connect IronWiFi to Google Workspace (formerly G Suite) to authenticate WiFi users with their Google accounts, automatically sync users and organizational units, and enable seamless social login on your captive portal.

Features

  • User Synchronization - Import users from Google Workspace
  • Group Synchronization - Sync organizational units and groups
  • Google Authentication - Users authenticate with Google credentials
  • Auto-provisioning - Automatically create users on first login

Prerequisites

  • Google Workspace administrator account
  • IronWiFi account with Connector access
  • Google Cloud project (for advanced integrations)

Basic Setup

Enable Google Authentication

For captive portal social login:

  1. Navigate to Captive Portals > your portal
  2. Go to Authentication Providers
  3. Enable Google
  4. Configure OAuth settings (or use IronWiFi's default)

User Synchronization

Sync users from Google Workspace:

  1. Navigate to Connectors > Add Connector
  2. Select Google Apps as the Database Type
  3. Enter your Google Workspace domain (without http or www)
  4. Select the Authentication Source

Create Connector dialog - Google Apps type with domain configuration

  1. Click Click to Authorize to grant IronWiFi access to your Google Workspace

Create Connector with authorization button

  1. Sign in with Google Workspace admin account
  2. Grant requested permissions
  3. Select the Groups or Organization Units to import

Select what to Import - choose Groups or Organization Units

  1. Click Continue to start the initial import

Google Workspace SAML SSO

Configure Google Workspace as a SAML identity provider for your IronWiFi captive portal.

Step 1: Navigate to SAML Apps

  1. Go to Google Admin Console
  2. Search for "SAML" or navigate to Apps > SAML Apps

Google Admin Console with SAML search

Google Admin SAML Apps page showing no configured apps

Step 2: Enable SSO for SAML Application

  1. Click Add a service/App to your domain
  2. Select SETUP MY OWN CUSTOM APP at the bottom of the list

Enable SSO for SAML Application dialog with service list

Step 3: Copy Google IdP Information

  1. Copy the SSO URL and Entity ID
  2. Download the Certificate

Google IdP Information showing SSO URL, Entity ID, and Certificate download

Step 4: Configure IronWiFi SAML Provider

  1. In IronWiFi Console, navigate to your Captive Portal
  2. Add a SAML 2.0 Single Sign-On authentication provider
  3. Paste the SSO URL, Entity ID, and Certificate from Google

IronWiFi Authentication Providers dialog with SAML 2.0 configuration

Step 5: Enter App Information

  1. Back in Google Admin, enter the basic information:
    • Application Name: IronWiFi
    • Description: IronWiFi Service Provider

Google SAML Apps - Basic information for your Custom App

Step 6: View Controller Configuration

Note the SAML ACS URL and Entity ID from your IronWiFi captive portal settings page for the next step.

IronWiFi captive portal settings showing Controller Configuration with SAML URLs

Step 7: Configure Service Provider Details

  1. Enter the ACS URL and Entity ID from IronWiFi
  2. Set Name ID to Basic Information > Primary Email

Google SAML Apps - Service Provider Details with ACS URL and Entity ID

Step 8: Configure Attribute Mapping

  1. Optionally add attribute mappings for email, first name, and last name
  2. Click FINISH

Google SAML Apps - Attribute Mapping configuration

Step 9: Confirm Setup

Verify that the SSO setup is complete and attribute mapping is configured.

Google SAML Apps - SSO setup confirmation for IronWiFi

Step 10: Enable the App

  1. Navigate to Settings for IronWiFi
  2. Click the three-dot menu and select ON for everyone

Google SAML Apps - Settings for IronWiFi with ON/OFF toggle

Google SAML Apps - Turn on IronWiFi for everyone confirmation dialog

Advanced Setup with Custom OAuth

For full control, create your own Google Cloud OAuth app:

Step 1: Create Google Cloud Project

  1. Go to Google Cloud Console
  2. Create a new project
  3. Enable these APIs:
    • Admin SDK API
    • People API
  1. Navigate to APIs & Services > OAuth consent screen
  2. Select Internal (for Workspace users only) or External
  3. Enter app information:
    • App name: IronWiFi
    • User support email
    • Developer contact
  4. Add scopes: 
    • email
    • profile
    • openid

Step 3: Create OAuth Credentials

  1. Go to APIs & Services > Credentials
  2. Click Create Credentials > OAuth client ID
  3. Select Web application
  4. Name: "IronWiFi"
  5. Add Authorized redirect URIs:
    • US West: 
      https://us-west1.ironwifi.com/api/signin/google
    • Europe: 
      https://europe-west2.ironwifi.com/api/signin/google
    • Global: 
      https://splash.ironwifi.com/api/signin/google
  6. Click Create
  7. Copy Client ID and Client Secret

Step 4: Configure IronWiFi

  1. Navigate to connector settings
  2. Enter your Client ID and Client Secret
  3. Save configuration
  4. Test authentication

Synchronization Options

What Gets Synced

GoogleIronWiFi
EmailUsername
NameFull Name
Organizational UnitOrganizational Unit
GroupsGroups
StatusStatus

Sync Settings

SettingDescription
Auto-syncEnable scheduled synchronization
Sync intervalHow often to sync (hourly, daily)
Include suspendedSync suspended Google users
OU filterOnly sync specific organizational units

Manual Sync

Trigger immediate synchronization:

  1. Navigate to the connector
  2. Click Sync Now
  3. Monitor progress
  4. Review results

Authentication Methods

RADIUS with Google Credentials

Enable users to authenticate to WPA-Enterprise using Google credentials.

Authentication Methods:

MethodDescriptionRequirements
PEAP-MSCHAPv2Generated passwordsIronWiFi creates unique passwords per user
EAP-TLSCertificate-basedDeploy certificates via MDM
TTLS-PAPGoogle account passwordsRequires "Less secure app access" enabled

For TTLS-PAP with Google passwords:

  1. Configure Google Connector
  2. Enable RADIUS Authentication
  3. Set Authentication Source to Google
  4. Users must enable "Less secure app access" in their Google account (being deprecated by Google)
warning

Google is deprecating "Less secure app access." For long-term RADIUS authentication, use generated passwords (PEAP) or certificates (EAP-TLS) instead.

For users with 2-Step Verification:

Users with Google 2FA enabled must generate an app-specific password:

  1. Go to Google App Passwords
  2. Select Mail and Windows Computer (or appropriate options)
  3. Click Generate
  4. Use the generated 16-character password for WiFi authentication

Captive Portal with Google Login

Enable Google social login on splash pages:

  1. Enable Google authentication provider
  2. Add Google domains to Walled Garden:

Restricting Access

By Domain

Only allow users from specific domains:

  1. In connector settings
  2. Set Allowed Domains
  3. Enter your domain(s)

By Organizational Unit

Only sync users from specific OUs:

  1. Configure OU filter
  2. Select OUs to include
  3. Save and sync

By Group

Only allow members of specific groups:

  1. Enable group-based filtering
  2. Select allowed groups
  3. Non-members will be denied

Troubleshooting

Authorization Failed

  • Verify admin credentials
  • Check required API scopes
  • Confirm Workspace admin status

Users Not Syncing

  • Check OU filter settings
  • Verify user status in Google
  • Review sync logs for errors

Authentication Failed

  • Verify user exists in IronWiFi
  • Check authentication source setting
  • Confirm Google account is active

Best Practices

  1. Use dedicated admin account for connector authorization
  2. Enable auto-sync to keep users current
  3. Filter by OU to only sync relevant users
  4. Monitor sync logs for failures
  5. Test with single user before bulk operations

Was this page helpful?