Use federated authentication with Google Workspace in Apple School Manager
In Apple School Manager, you can link to Google Workspace using federated authentication to allow users to sign in with their Google Workspace user name and password. This involves a two-step process:
1. Configure the federated authentication process. After you have successfully configured federated authentication with Google Workspace, any additional domains you have automatically appear.
2. Test authentication with a single Google Workspace domain account.
If you’re attempting to federate a domain you’ve already verified but another organisation has already federated the identical domain, you must contact that organisation to determine who has the authority to federate the domain. See About domain conflicts.
Google Workspace is the identity provider (IdP) that authenticates the user for Apple School Manager and issues authentication tokens. This authentication supports certificate authentication and two-factor authentication (2FA).
Important: When the Google Workspace connection has expired, federation and syncing of user accounts with Google Workspace stop. You must reconnect to Google Workspace to continue using federation and syncing.
Configure the federated authentication process
1. In Apple School Manager, sign in as a user that has the role of Administrator, Site Manager or People Manager.
2. Select your name at the bottom of the sidebar, select Preferences, then select Accounts.
3. Next to Federated Authentication, select Edit, select Google Workspace, then select Connect.
4. Select “Sign in with Google,” enter your Google Workspace administrator information, then select Next.
5. Enter the password for the account, then select Next.
6. If necessary, review the list of automatically verified domains and any conflicting domains.
7. Accept the Terms and Conditions, then check the following:
   - View audit reports for your G Suite domain
   - View domains related to your customers
   - See info about users on your domain
8. Select Continue, then select Done.
In some cases you may not be able to add your domain. Common reasons are:
The Google Workspace administrator account used doesn’t have permission to add domains.
The username or password for the account in step 4 or 5 is incorrect.
You or another Google Workspace administrator modified the default attributes.
Turn on federated authentication
If you’re planning to sync with Google Workspace, you must turn on federated authentication before you sync.
1. In Apple School Manager, sign in as a user that has the role of Administrator, Site Manager or People Manager.
2. Select your name at the bottom of the sidebar, select Preferences, then select Accounts.
3. Select Edit in the Domains section, then turn on federated authentication for the domains that have been successfully added to Apple School Manager.
It may take some time to update all accounts.
Test federated authentication
You can test the federated authentication connection after you’ve performed the following tasks:
You’ve completed a successful connection and verification to your domain.
The check for username conflicts is complete.
The Managed Apple ID default format is updated.
Note: Accounts with the role of Administrator, Site Manager or People Manager can’t sign in using federated authentication; they can only manage the federation process.
1. In Apple School Manager, sign in as a user that doesn’t have a Staff or Student role.
2. If the username you signed in with is found, a new screen indicates that you’re signing in with an account in your domain.
3. Select Continue, enter the password for the user, then select Sign In.
4. Sign out of Apple School Manager.
Note: Users can’t sign in to iCloud.com unless they first sign in with their Managed Apple ID on another Apple device.