Configure 1Password Device Trust and Google Workspace

Learn how to implement 1Password Device Trust (Kolide) to secure every device on your team.

With 1Password Device Trust (Kolide) and Google Workspace, you can make sure every device is known, secure, and compliant before it can access company applications, and empower your team to remediate their own device health issues with step-by-step instructions.

With this integration, you can:

  • Import and synchronize your Google Workspace users and groups.
  • Protect the 1Password Device Trust (Kolide) admin dashboard with Google single sign-on (SSO) authentication.
  • Allow your users to sign in to Kolide-protected apps with their Google credentials.

Before you begin

Before you can set up 1Password Device Trust (Kolide) and Google Workspace, you’ll need:

This feature is not currently available to all Kolide customers. To make sure you have access, go to Kolide and select your profile in the top-right corner of the page. If you see Identity Providers in the sidebar, you have access. If you see Identity & Access, contact Kolide support to turn on the feature.

Important

Known limitations

  • This integration currently only supports apps that use SAML. 1Password uses OIDC, so you can’t add 1Password to this integration.
  • You can’t add Google Workspace apps (like Docs, Sheets, Gmail) to this integration because third-party apps can’t change the existing login flow for Google Workspace apps.

These steps were recorded in November 2024 and may have changed since. Refer to the Google Workspace admin documentation for the most up-to-date steps.

Step 1: Create a Kolide-enabled group in the Google Admin console for testing

To test the implementation and make sure it works the way you want it to, first create a Kolide-enabled group with test users. You can use this test group to give specific people access to Kolide as admins or end users during your testing.

Configure group information

  1. Open two browser windows side-by-side. In one window, sign in to Kolide.
  2. In the second window, sign in to the Google Admin console.
  3. In Kolide, select your profile in the top-right corner of the page, then select Settings and choose Identity Providers in the sidebar.
  4. In Kolide, select the Set Up button for Google, then select Set Up Single Sign On Provider.
  5. In the Google Admin console, select Directory > Groups in the sidebar.
  6. Select Create group.
  7. Fill out the fields, including:
    • Group name: Enter the name “Kolide Enabled”.
    • Group email: Enter the email address you want to use.
    • Group description: Enter a description of the group. For example: “1Password Device Trust (Kolide) Enabled Users”.
  8. Select the check box next to Security.

Configure access settings

You can configure access settings in the way that works best for your team, but we recommend limiting who can join the group. This makes sure the group is small for your initial test:

  1. In the Google Admin console, in the “Who can join the group” section, select Only invited users.
  2. Once you’ve configured the other settings, select Next at the bottom of the page.
  3. Select Create Group at the bottom of the page.

Add people to the group

  1. In the Google Admin console, select Add members to Kolide Enabled.
  2. Select Add members, then in the Find a user or group field, search for your test users and select them.
  3. Choose Add to group.

Step 2: Configure SAML SSO for Kolide

Add Kolide as a custom SAML app within your Google Workspace portal. This allows Kolide to use Google as the single sign-on (SSO) identity provider for authenticating users into the Kolide admin or end-user portal, along with any apps you’re managing within Kolide.

Set up the Kolide application for SSO

  1. In the Google Admin console, select Apps > Web and mobile apps.
  2. Select the Add apps dropdown, then select Add custom SAML app.
  3. In the App name field, enter the name “Kolide”.
  4. Optionally, if you’d like to add the Kolide logo to your app, download the Kolide logo. Then select the camera icon and upload the file.
  5. Select Continue at the bottom of the page.
  6. Copy the SSO URL from the Google Admin console and paste it into the Provider SSO URL field in Kolide.
  7. Select the copy icon by the certificate in the Google Admin console and paste it into the Provider X.509 Certificate box in Kolide.
  8. In the Google Admin console, select Continue.
  9. In Kolide, copy the Kolide ACS URL and paste it into the ACS URL field in the Google Admin console.
  10. In Kolide, copy the Kolide Entity ID, then paste it into the Entity ID field in the Google Admin console.
  11. In the Google Admin console, select Continue, then select Finish.
  12. In Kolide, select Save Settings.

Set up user access

  1. In the Google Admin console, select the User access dropdown.
  2. Select the Groups dropdown.
  3. Search for the Kolide Enabled group and select it.
  4. Select the check box next to On for the Service status, then select Save.

Step 3: Configure provisioning for Kolide

Import and synchronize your organization’s Google Workspace users and groups into Kolide.

Provision users

  1. In Kolide, select Set Up User Provisioning.
  2. Select Log in with Google Workspace.
  3. Choose your admin account and sign in.

    You need to use an account that has super administrator permissions.

  4. Under “Select what Kolide can access”, select the check box next to Select all.
  5. On the “User Provisioning” pop-up, select the check box next to Import groups.
  6. In Kolide, select the vertical ellipsis button, then select Activate.
  7. In Kolide, select the vertical ellipsis button on the Google Workspace card under Identity Providers, then choose Make Primary.
  8. To make sure that single sign-on and user provisioning are working correctly, in a new private browser window, go to https://app.kolide.com and sign in.

    A private browser window makes sure the existing session is not cached.

  9. Sign in to Kolide with your admin account.
  10. Sign in with your Google credentials for your admin account.
  11. After you’ve successfully signed in, close the private browser window.

Turn on Kolide

Protecting the Kolide admin dashboard with Kolide itself makes your dashboard more secure. Kolide checks the compliance of the device and blocks access if the device is non-compliant, which also lets you test Kolide capabilities and features before you add more apps to Kolide.

  1. In Kolide under Identity Providers, select Google Workspace.
  2. Select Single Sign-On Provider.
  3. In the Device Trust section, select the check box next to Protect Kolide Admin Dashboard with Device Trust.
  4. Select Update Settings.

Step 4: Test Kolide

To test the Kolide sign-in process from the perspective of your team:

  1. Sign in as a user that belongs to your Kolide Enabled group.
  2. As an optional step if your team uses an MDM, pre-install the Kolide agent to simulate pushing the agent out to your devices. This is optional because the user will be prompted to install the agent if it is not present.
  3. Go to https://app.kolide.com and sign in with your Google credentials.
  4. You’re redirected to the “Kolide is Verifying Your Device” screen, which shows you that the Kolide agent is installed.

    If you downloaded the Kolide agent in step 2, the device is registered to you and you’re signed in to the Kolide dashboard.

  5. If you didn’t already download the Kolide agent, you’re prompted to download the agent. Download the installer for your operating system and follow the on-screen instructions through to the success message.
  6. In the task bar, you’ll see a Kolide icon that appears for about 60 seconds.
  7. In a new private browser window, go to https://app.kolide.com.

    A private browser window makes sure the existing session is not cached.

  8. Sign in with your Google Workspace credentials using your username and password.
  9. You’re redirected to the “Kolide is Verifying Your Device” screen, which shows you that the Kolide agent is installed.

If the agent was pre-installed on the end-user device, it will register the device. If the agent is not installed, the user will be prompted to download and install the agent before the new device can be registered.

To see how Kolide handles failed checks, first set up device health checks for your team. Then:

  1. In Kolide, choose the Devices tab and select your device to see if there are any failing checks.
  2. Select Details on a check that is straightforward to fix, like File Extensions Are Not Visible in Finder.
  3. Select Actions > Edit Check Settings.
  4. In the Remediation Strategy section, select Configure.
  5. Choose Block Immediately and select Save.
  6. In a new private browser window, go to https://app.kolide.com.
  7. Sign in with your Google Workspace credentials using your username and password. However, don’t enter an authenticator code.
  8. Select Approve with Kolide to redirect to Kolide. You should be blocked by Kolide based on the check you changed earlier.
  9. Select Fix this issue, which opens a new tab that shows you how to fix the issue.
  10. Fix the issue, then return to the Kolide window and select I’ve fixed it. Recheck now.

Kolide will run a real-time check to validate that the issue has been fixed before completing the sign-in flow.

As part of future testing, continue to add new users to the Kolide Enabled group and have users test the sign-in flow.

Step 5: Add apps to Kolide

Step 1: Add an app

After you’ve configured and tested Kolide and Google Workspace, add Device Trust-protected apps with Kolide’s App Catalog, or add a custom app if you can’t find your app in the catalog.

Add an app from the App Catalog

  1. In Kolide, select the Apps tab.
  2. Select + Add Application.
  3. Search or scroll to find the app you want to add and select it.
  4. Optionally, you can edit the name or description of the app.
  5. Select Next Step.

Add a custom app

  1. In Kolide, select the Apps tab.
  2. Select + Add Application.
  3. Select Add Custom App.
  4. Enter the name of the app. Optionally, you can add a description of the app.
  5. Select Next Step.

Step 2: Configure app settings

To connect your app to Kolide, you’ll need to copy and paste configuration details between the two. If you’re adding an app from the App Catalog, you can select the Docs button to learn where to find your app’s configuration details. If you’re adding a custom app, check your app’s documentation. Configuration setting names can vary depending on the app.

Copy and paste your app’s configuration details

  1. Copy the Entity ID from your app and paste it into the Entity ID field in Kolide.
  2. Copy the ACS URL from your app and paste it into the ACS URL field in Kolide.
  3. If the Audience URI is the same as the Entity ID, leave the Audience URI field blank. If the Audience URI field is different from the Entity ID, copy the Audience URI from your app and paste it into the Audience URI field in Kolide.
  4. Copy the Response Host (name of the service provider) and paste it into the Response Host field.
  5. If your app requires the SAML response to be signed for authentication, then select the checkbox next to “Sign Response Body”. Check your app’s documentation or configuration requirements to determine if this setting is necessary.

Copy and paste Kolide’s configuration details

  1. Copy the Entity ID (Issuer) in Kolide and paste it into the Entity ID (Issuer) field in your app.
  2. Copy the Sign On URL in Kolide and paste it into the Sign On URL field in your app.
  3. Copy the Metadata URL in Kolide and paste it into the Metadata URL field in your app.
  4. Copy the Signing Certificate in Kolide and paste it into the Signing Certificate field in your app.

Optional app settings

If your app allows signing AuthnRequests or requires sending information like Name ID Format, Single Sign-On URL, and Logout URL, you can add those to the optional app settings fields.

Get help

To get help with Kolide, contact Kolide Support.

To get help with 1Password Business, contact 1Password Support.


