Integrating with Google Workspace

HYPR Control Center Standard: Integrations

Integrating HYPR with Google Workspace lets you access your organization’s Google applications using HYPR passwordless authentication instead of the standard username + password login.

Getting the HYPR Google integration up and running requires the following basic steps:

  1. Understand how the Google login process changes for end users after you integrate with HYPR. See What Will Happen in Google?
  2. Configure the Google side of the integration. See Setting Up Google.
  3. Configure the HYPR side of the integration. See Connecting Google to HYPR.

The following HYPR Integration common tasks are explained on the Integrations main page.

What Will Happen in Google?

Login Flow

Once you activate the HYPR Google integration, users will experience a different Google login flow depending on whether they’re enrolled or non-enrolled.

Enrolled Users
Users who have been successfully enrolled via the HYPR Control Center will no longer need to provide a password to log in to Google. After providing their username on the Google sign-in screen, they’ll be redirected to the HYPR passwordless authorization flow. Essentially, HYPR intercepts the default Google login process and replaces the password step with passwordless access.

Non-enrolled Users
Users who have not been enrolled via the HYPR Control Center will be prompted to enter their password to authenticate as usual.

Behind the Scenes

Once you create the integration, HYPR will handle the back-end configuration in Google for you.

Configuring SSO for a Third-party IdP
When you create the integration, HYPR will automatically add the necessary SSO with third-party IdP settings in Google. You can view the settings under Security > Authentication in the Google Admin console.

Exclusion Group Membership
Users who haven’t registered a device with HYPR before you activate the HYPR Google integration will automatically be added to an “exclusion” group that you’ll create as part of the setup process (see Setting Up Google). They’ll be automatically removed from the exclusion group as soon as they register a device.

What You'll Need

HYPR Control Center Account
Since you’re setting up the HYPR Google integration through the HYPR Control Center, you should have already registered for an account, paired your mobile device with HYPR, and used your new passwordless login to access the Control Center. If this isn’t the case, please contact us at [email protected] and we’ll help you out.

Google Workspace Account
You must already have Google Workspace set up and active for your organization before you start the integration. Most of the HYPR Google integration is automated, but you’ll need to log in to Google Workspace with an admin account in order to complete the process.

Naming Convention

Although not required, it’s easier to set up the integration if your HYPR Control Center username and your Google account name are the same email address.

Setting Up Google

In order to preserve the username + password login flow for any users who haven’t yet registered a device for passwordless authentication, the HYPR Google integration makes use of Google’s group-level SSO settings to exempt non-enrolled users. You’ll need to manually add an exclusion group for HYPR via the Google Admin console, then provide the name of the group as part of the integration setup process in the Control Center. (See the Google documentation if you’d like to learn more about group-level SSO settings.)

When you activate the HYPR Google integration, all non-enrolled users will automatically be added to the exclusion group so they can continue to log in to Google directly. When they subsequently register, HYPR will remove them from the exclusion group.

Creating an Exclusion Group

  1. In the Google Admin console, go to Directory > Groups and click Create Group.
  2. On the Group information screen, set the Name as appropriate. Make a note of the name so you can enter it on the setup screen in the HYPR Control Center when you create the integration (see Connecting Google to HYPR below).

Add a description and group email as appropriate, then click NEXT.

  3. You can leave the default values on the Group settings screen then click CREATE GROUP.
  4. If you want to exclude any individual users from using HYPR passwordless login, you can add them to the group now.

NOTE

HYPR will automatically put all non-enrolled users into the group when you activate the integration, so there’s no need to add any members at this point.

  5. Click DONE to return to the Groups screen.
  6. Go to the Security > Authentication > SSO with third party IdPs screen, locate your exclusion group (ExcludeFromHYPR in this example), and set SSO profile assignment to None.
  7. Click SAVE when done.

Patience

It can take up to 24 hours for this change to propagate in Google. You can continue to enroll users in the meantime, but bear in mind that activating the integration before the SSO profile assignment takes effect will effectively prevent any non-enrolled users from logging in.

Connecting Google to HYPR

  1. Go to the Integrations screen in the HYPR Control Center and click Add New Integration to show a list of available integration types.
  2. Select the Google Workspace Identity Provider integration.
  3. To integrate HYPR and Google Workspace, you just need to provide some basic information on the Integrations screen.

Field: Google Workspace Application Name
Value: The name you provide here will be used in three places:

- For the web account name that users will see in the HYPR Mobile App

- For the HYPR Device Manager page where users register their devices

- For internal identification of this integration within the HYPR platform

You can use any name you like, but it’s best to go with something that indicates the purpose of the application. For example:

HYPRPasswordlessGoogleSSO

You can use numbers, spaces, hyphens, and underscores in the name but note that spaces will be stripped from the name used to internally identify the integration within the HYPR platform. The namespace is limited to 23 characters.

Field: Google Workspace Domain
Value: The domain name for your Google Workspace account, in the following format:

mydomain.com

Note that the Google Workspace account must already exist and you’ll need to log in with administrator access in order to complete the HYPR integration setup process.

Field: Manage Assignments Group Name
Value: The name of the exclusion group used to disable the HYPR passwordless login for non-enrolled users. See Setting Up Google for more information. For example:

ExcludeFromHYPR

The group doesn’t need to already exist in Google but note that you won’t be able to change the name later without removing the integration.

Field: Helpdesk Email
Value: The helpdesk email address you want to display on the HYPR passwordless login screen for users who experience problems accessing their account.

Field: Helpdesk Phone Number
Value: The helpdesk phone number you want to display on the HYPR passwordless login screen for users who experience problems accessing their account.

  4. Click Connect to Google to begin. You’ll be redirected to the Google sign-in screen.
  5. Sign in to Google using an account that exists in the same Google Workspace domain you provided on the setup screen and that has sufficient privileges. You’ll be redirected to the Google consent screen.
  6. If prompted, check the boxes to give HYPR access to all the requested items then click Continue.
  7. If the setup succeeds, you’ll be returned to the HYPR Control Center and will see the Integration Added confirmation dialog.
  8. You can optionally now register to use HYPR Google passwordless SSO yourself by clicking Enroll Myself. You’ll be taken to the HYPR Device Manager, where you can register your mobile device.

Same Name

The Enroll Myself option is only available if your Google username is the same as your HYPR Control Center username. If not, you can add yourself as a regular user later. See Enrolling Users in the main Integrations article.

Once you’ve registered a device, you’ll see your username in the list of enrolled users.

Enable, Enroll, and Audit

Continue with the common HYPR Integrations UI experience on the Integrations main page to enable your integration, enroll users, and monitor activity with the integration's Audit Trail.

Excluding Users from Passwordless Login

The HYPR Control Center automatically manages membership of the exclusion group in Google to ensure that any users who aren’t enrolled for the HYPR Google integration are able to log in using their username + password. However, you can optionally add users to the exclusion group manually via the Google Admin console.

Not So Super

Anyone who’s set up as a Super Admin in Google is automatically excluded from HYPR passwordless login. Also, be aware that any users you add to the exclusion group manually will be removed from the group if you subsequently enroll them.
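
The exclusion group is effectively the list of accounts that can still reach Google with a password, so its membership is worth reconciling against enrollment on a regular basis. The following is an added example, not HYPR or Google code: it assumes you have exported the directory users, the HYPR enrolled usernames, and the exclusion group members yourself, and the function name, input shapes, and sample addresses are hypothetical.

```python
def norm(addr):
    # Google account names are email addresses; compare them case-insensitively.
    return addr.strip().lower()


def audit_exclusion_group(directory, enrolled, group_members):
    """Classify accounts by how they can still sign in.

    directory     -- list of {"email": str, "super_admin": bool} (assumed export shape)
    enrolled      -- usernames listed as enrolled in the HYPR Control Center
    group_members -- member emails of the exclusion group, e.g. ExcludeFromHYPR
    """
    users = {norm(u["email"]): bool(u.get("super_admin")) for u in directory}
    enrolled = {norm(e) for e in enrolled}
    members = {norm(m) for m in group_members}
    report = {
        "lockout_risk": [],            # not enrolled and not exempted by the group
        "password_still_allowed": [],  # enrolled, yet still in the exclusion group
        "super_admins": [],            # excluded from passwordless login by default
        "unknown_members": sorted(members - set(users)),  # not in the directory export
    }
    for email, is_super in sorted(users.items()):
        if is_super:
            report["super_admins"].append(email)
        elif email not in enrolled and email not in members:
            report["lockout_risk"].append(email)
        elif email in enrolled and email in members:
            report["password_still_allowed"].append(email)
    return report


# Constructed sample data for illustration; not taken from any real tenant.
SAMPLE_DIRECTORY = [
    {"email": "alice@example.com", "super_admin": False},
    {"email": "bob@example.com", "super_admin": False},
    {"email": "carol@example.com", "super_admin": False},
    {"email": "dave@example.com", "super_admin": False},
    {"email": "root@example.com", "super_admin": True},
]
SAMPLE_ENROLLED = ["alice@example.com", "Carol@Example.com"]
SAMPLE_GROUP = ["Bob@example.com", "carol@example.com", "old.contractor@example.com"]

if __name__ == "__main__":
    for category, accounts in audit_exclusion_group(
            SAMPLE_DIRECTORY, SAMPLE_ENROLLED, SAMPLE_GROUP).items():
        print(f"{category}: {', '.join(accounts) or '-'}")
```

Accounts under password_still_allowed and unknown_members are the ones to review first, since they keep a password path to Google that enrollment was meant to close.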

Frequently Asked Questions

Q: Why does the integration show as unavailable?

A: In rare cases, the API token used by the HYPR Control Center to access your Google Workspace environment can expire. If this happens, a banner will be displayed in the Control Center and the Integration Settings screen will list the status as “UNAVAILABLE.”

An expired API token DOES NOT affect the ability of your users to log in to Google using HYPR. However, you won’t be able to invite new users or manage the integration via the Control Center.

To fix the problem, click the Reconnect to Google Workspace button on the Integration Settings screen. You’ll need to verify your Google account again using the same consent dialog flow as the initial integration setup (see Connecting Google to HYPR, above).