Integrating HYPR with Google Workspace lets you access your organization’s Google applications using HYPR passwordless authentication instead of the standard username + password login.
Getting the HYPR Google integration up and running requires the following basic steps:
- Understand how the Google login process changes for end users after you integrate with HYPR. See What Will Happen in Google?
- Configure the Google side of the integration. See Setting Up Google.
- Configure the HYPR side of the integration. See Connecting Google to HYPR.
The following HYPR Integration common tasks are explained on the Integrations main page.
- Choose the methods you want people to be able to use for passwordless authentication; see Allowing the Use of FIDO2 Authenticators
- Enabling the Integration
- Enrolling Users
- Monitor integration-specific user activity with the Audit Trail
Once you activate the HYPR Google integration, users will experience a different Google login flow depending on whether they’re enrolled or non-enrolled.
Users who have been successfully enrolled via the HYPR Control Center will no longer need to provide a password to log in to Google. After providing their username on the Google sign-in screen, they’ll be redirected to the HYPR passwordless authorization flow. Essentially, HYPR intercepts the default Google login process and replaces the password step with passwordless access.
Users who have not been enrolled via the HYPR Control Center will be prompted to enter their password to authenticate as usual.
Once you create the integration, HYPR will handle the back-end configuration in Google for you.
Configuring SSO for a Third-party IdP
When you create the integration, HYPR will automatically add the necessary SSO with third-party IdP settings in Google. You can view the settings under Security > Authentication in the Google Admin console.
Exclusion Group Membership
Users who haven’t registered a device with HYPR before you activate the HYPR Google integration will automatically be added to an “exclusion” group that you’ll create as part of the setup process (see Setting Up Google). They’ll be automatically removed from the exclusion group as soon as they register a device.
HYPR Control Center Account
Since you’re setting up the HYPR Google integration through the HYPR Control Center, you should have already registered for an account, paired your mobile device with HYPR, and used your new passwordless login to access the Control Center. If this isn’t the case, please contact us at [email protected] and we’ll help you out.
Google Workspace Account
You must already have Google Workspace set up and active for your organization before you start the integration. Most of the HYPR Google integration is automated, but you’ll need to log in to Google Workspace with an admin account to complete the process.
Although not required, it’s easier to set up the integration if your HYPR Control Center username and your Google account name are the same email address.
In order to preserve the username + password login flow for any users who haven’t yet registered a device for passwordless authentication, the HYPR Google integration makes use of Google’s group-level SSO settings to exempt non-enrolled users. You’ll need to manually add an exclusion group for HYPR via the Google Admin console, then provide the name of the group as part of the integration setup process in the Control Center. (See the Google documentation if you’d like to learn more about group-level SSO settings.)
When you activate the HYPR Google integration, all non-enrolled users will automatically be added to the exclusion group so they can continue to log in to Google directly. When they subsequently register, HYPR will remove them from the exclusion group.
- In the Google Admin console, go to Directory > Groups and click Create Group.
- On the Group information screen, set the Name as appropriate. Make a note of the name so you can enter it on the setup screen in the HYPR Control Center when you create the integration (see Connecting Google to HYPR below).
Add a description and group email as appropriate, then click NEXT.
- You can leave the default values on the Group settings screen, then click CREATE GROUP.
- If you want to exclude any individual users from using HYPR passwordless login, you can add them to the group now.
HYPR will automatically put all non-enrolled users into the group when you activate the integration, so there’s no need to add any members at this point.
- Click DONE to return to the Groups screen.
- Go to the Security > Authentication > SSO with third party IdPs screen, locate your exclusion group (ExcludeFromHYPR in this example), and set SSO profile assignment to None.
- Click SAVE when done.
It can take up to 24 hours for this change to propagate in Google. You can continue to enroll users in the meantime, but bear in mind that activating the integration before the SSO profile assignment takes effect will effectively prevent any non-enrolled users from logging in.
- Go to the Integrations screen in the HYPR Control Center and click Add New Integration to show a list of available integration types.
- Select the Google Workspace Identity Provider integration.
- To integrate HYPR and Google Workspace, you just need to provide some basic information on the Integrations screen.
|Google Workspace Application Name||The name you provide here will be used in three places:|
- For the web account name that users will see in the HYPR Mobile App
- For the HYPR Device Manager page where users register their devices
- For internal identification of this integration within the HYPR platform
You can use any name you like, but it’s best to go with something that indicates the purpose of the application. For example:
You can use numbers, spaces, hyphens, and underscores in the name but note that spaces will be stripped from the name used to internally identify the integration within the HYPR platform. The namespace is limited to 23 characters.
|Google Workspace Domain||The domain name for your Google Workspace account, in the following format:|
Note that the Google Workspace account must already exist and you’ll need to log in with administrator access in order to complete the HYPR integration setup process.
|Manage Assignments Group Name||The name of the exclusion group used to disable the HYPR passwordless login for non-enrolled users. See Setting Up Google for more information. For example:|
The group doesn’t need to already exist in Google but note that you won’t be able to change the name later without removing the integration.
|Helpdesk Email||The helpdesk email address you want to display on the HYPR passwordless login screen for users who experience problems accessing their account.|
|Helpdesk Phone Number||The helpdesk phone number you want to display on the HYPR passwordless login screen for users who experience problems accessing their account.|
- Click Connect to Google to begin. You’ll be redirected to the Google sign-in screen.
- Sign in to Google using an account that exists in the same Google Workspace domain you provided on the setup screen and that has sufficient privileges. You’ll be redirected to the Google consent screen.
- If prompted, check the boxes to give HYPR access to all the requested items then click Continue.
- If the setup succeeds, you’ll be returned to the HYPR Control Center and will see the Integration Added confirmation dialog.
- You can optionally now register to use HYPR Google passwordless SSO yourself by clicking Enroll Myself. You’ll be taken to the HYPR Device Manager, where you can register your mobile device.
The Enroll Myself option is only available if your Google username is the same as your HYPR Control Center username. If not, you can add yourself as a regular user later. See Enrolling Users in the main Integrations article.
Once you’ve registered a device, you’ll see your username in the list of enrolled users.
Enable, Enroll, and Audit
Continue with the HYPR Integrations common UI experience on the Integrations main page to finish enabling your integration, enrolling users, and monitoring activity with the integration's Audit Trail.
The HYPR Control Center automatically manages membership of the exclusion group in Google to ensure that any users who aren’t enrolled for the HYPR Google integration can log in using their username + password. However, you can optionally add users to the exclusion group manually via the Google Admin console.
Not So Super
Anyone who’s set up as a Super Admin in Google is automatically excluded from HYPR passwordless login. Also, be aware that any users you add to the exclusion group manually will be removed from the group if you subsequently enroll them.
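An added example (not HYPR's or Google's code) of auditing which accounts can still sign in to Google with a password under the exclusion-group and Super Admin rules above. The inputs are constructed samples shaped like Admin SDK Directory API `users.list` and `members.list` output; the enrolled list is assumed to be a plain export of email addresses, and the function and bucket names are hypothetical.

```python
# Constructed samples shaped like Admin SDK Directory API output
# (users.list and members.list); these are not real accounts.
USERS = [
    {"primaryEmail": "root@example.com", "isAdmin": True},   # Super Admin
    {"primaryEmail": "alice@example.com", "isAdmin": False},
    {"primaryEmail": "bob@example.com", "isAdmin": False},
    {"primaryEmail": "carol@example.com", "isAdmin": False},
    {"primaryEmail": "dave@example.com", "isAdmin": False},
    {"primaryEmail": "old@example.com", "isAdmin": False, "suspended": True},
]
GROUP_MEMBERS = [  # members of the exclusion group (ExcludeFromHYPR)
    {"email": "bob@example.com", "type": "USER"},
    {"email": "Carol@example.com", "type": "USER"},
    {"email": "contractors@example.com", "type": "GROUP"},
]
ENROLLED = ["alice@example.com", "carol@example.com"]  # assumed export format


def password_fallback_report(users, group_members, enrolled):
    """Bucket every active user by how they can authenticate to Google."""
    enrolled = {e.lower() for e in enrolled}
    direct = {m["email"].lower() for m in group_members if m.get("type") == "USER"}
    report = {
        "super_admin_password": [],     # always excluded from passwordless login
        "excluded_password": [],        # not enrolled, in group: password login
        "enrolled_but_excluded": [],    # enrolled yet still in group: review
        "unenrolled_not_in_group": [],  # cannot log in once the integration is active
        "passwordless": [],
        # Non-user members are not expanded here; review them by hand.
        "non_user_members": sorted(m["email"].lower() for m in group_members
                                   if m.get("type") != "USER"),
    }
    for user in users:
        if user.get("suspended"):
            continue
        email = user["primaryEmail"].lower()
        if user.get("isAdmin"):
            bucket = "super_admin_password"
        elif email in enrolled:
            bucket = "enrolled_but_excluded" if email in direct else "passwordless"
        else:
            bucket = "excluded_password" if email in direct else "unenrolled_not_in_group"
        report[bucket].append(email)
    return report


if __name__ == "__main__":
    for bucket, emails in password_fallback_report(USERS, GROUP_MEMBERS, ENROLLED).items():
        print(f"{bucket}: {emails}")
```

Accounts in `super_admin_password`, `excluded_password` and `enrolled_but_excluded` remain password-only entry points, so they are the ones to cover with Google-side controls and to review regularly.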
Q: Why does the integration show as unavailable?
A: In rare cases, the API token used by the HYPR Control Center to access your Google Workspace environment can expire. If this happens, a banner will be displayed in the Control Center and the Integration Settings screen will list the status as “UNAVAILABLE.”
An expired API token DOES NOT affect the ability of your users to login to Google using HYPR. However, you won’t be able to invite new users or manage the integration via the Control Center.
To fix the problem, click the Reconnect to Google Workspace button on the Integration Settings screen. You’ll need to verify your Google account again using the same consent dialog flow as the initial integration setup (see Connecting Google to HYPR, above).