Passport Login (MFA)
      Back to home
      1. Help Center
      2. SSO
      3. Passport Login (MFA)

      School Passport as MFA for Google (Passport Login)

      Learn how to integrate School Passport MFA with Google by configuring your Google Workspace 

      In this article

      Requirements

      Activate School Passport MFA

      Request us with feature activation

      Perform setup in Google Workspace

      - Configure organization's SSO profile

      - Configure an individual third-party SSO profile

      - Assign an individual SSO profile to user groups/OUs

      Send us individual SSO profile details

      Test SSO configuration

      School Passports provide an effective MFA solution (Passport Login) for educational institutions using Google Workspace, as an additional security layer beyond passwords. Users authenticate by entering their emails and then using their School Passport MFA factors, which could be a physical ID card or face recognition. This dual-layer authentication provides additional protection against unauthorized access, even if passwords are compromised.

      Requirements

      • Primary District Admin permissions.
      • Google Workspace subscription for Enterprise, Business, or Education.
      • To use Google SSO, your Google account must be associated with a Google Workspace organization.

      Activate School Passport MFA

      The first step is to enable and customize the Passport Login feature. For detailed instructions, see Passport Login instructions.

      1. Navigate to Connect > Administration > Login Methods > Passport Login.
      2. Turn on the Activate School Passport Login toggle.
      3. Set up authentication factors. These factors will be utilized when a user attempts to sign in.
      4. Click Save.

      Request us with feature activation

      To enable School Passport MFA for Google, please reach out to our Support Team for assistance. Support Agent will set up the necessary SAML connector for your needs and provide you with the Sign-in, Sign-out URLs and IDP entity ID needed to create an SSO profile in Google Workspace, based on your MFA settings. Support Agent will also send you detailed instructions to help you through the process.

      Perform setup in Google Workspace

      The first step is configuring Google Workspace to work with School Passport. This involves creating an SSO profile and assigning it to the appropriate organizational units (OUs)  within your Google Workspace environment.

      (Optional) Configure the organization's SSO profile

      This configuration allows SSO for all Google Workspace users, excluding super admins. All users will be directed to School Passport for authentication. For more information, see Configure the SSO profile for your organization.

      1. Sign in to the Google Admin portal using your Google administrator account.
      2. Go to Security > Authentication > SSO with third Party IDP > Third-party SSO profile for your organization and click Add SSO Profile.

      3. Enter the following details:

        • Sign-in page URL: Enter the https://sso.gg4l.com/saml2/Redirect/SSO.
        • Sign-out page URL: Enter the https://sso.gg4l.com/auth/saml/SingleLogout.
        • Upload certificate: Browse to and select the certificate.
        • (Optional) Change password URL: Enter the URL that users will use to reset their passwords.

      4. Click Save.

      Configure an individual third-party SSO profile

      This configuration allows SSO for specific Google Workspace users, excluding super admins. For more information, see create a SAML SSO profile.

      1. Sign in to the Google Admin portal using your Google administrator account.
      2. Go to Security > Authentication > SSO with third Party IDP > Third-party SSO profiles and click Add SAML Profile.

      3. Enter the following details:

        • SSO Profile Name: Enter a name for the profile.
        • IDP entity ID: Enter the ID provided earlier by Support team.
        • Sign-in page URL and Sign-out page URL: Enter the URLs provided earlier by Support team.
        • Change password URL: Leave this field empty.
        • Upload certificate: Leave this field empty for now. We will set up and send the verification certificate after creating the SSO connector.
      4. Click Save.

      Assign an individual SSO profile to user groups/OUs

      If you want to customize authentication for some of your users, you can move them into an OU or group. Then, manage SSO settings for the OU or group so that those users are authenticated by Google rather than using School Passport. For more information, see Decide which users should use SSO.

      1. Sign in to the Google Admin portal using your Google administrator account.
      2. Go to Security > Authentication > SSO with third Party IDP > Manage SSO profile assignments and click Manage. If you are assigning the SSO profile for the first time,  click Get started.
      3. On the left, select the OU or group that you want to assign the SSO profile.
      4. On the SSO Profile assignment, select Another SSO profile to assign another IdP to the OU/group, and then select the SSO profile from the dropdown list.
      5. Click Save.

      Send us individual SSO profile details

      After setting up SSO profiles, please send the Entity ID and ACS URL of your individual SSO profiles to our support team. This information helps us complete the School Passport setup by linking it correctly with your Google Workspace. Get these IDs from Google Workspace as follows:

      1. Sign in to the Google Admin portal using your Google administrator account.
      2. Go to Security > Authentication > SSO with third Party IDP > Third-party SSO profiles.
      3. Choose an individual SSO profile.
      4. Copy Entity ID and ACS URL.

      5. Email us with these IDs. Our support team will inform you when the configuration is complete.

        Add a verification certificate to your SSO profile

        Our support team will inform you when the configuration is complete and send you a verification certificate. 

        1. Go to Security > Authentication > SSO with third Party IDP > Third-party SSO profiles.
        2. Choose an individual SSO profile.
        3. In the IDP details, click Edit IDP Details.
        4. Upload obtained certificate.
        5. Click Save.

        Test SSO configuration

        Before deploying the SSO configuration to all users, it's essential to test it carefully to ensure users can sign in to Google via School Passport without errors. 

        1. In Google Workspace, assign the individual SSO profile for a test user group/OU to check for any issues.
        2. To test SSO, open a new Incognito tab and open the https://accounts.google.com.
        3. Enter the test user email and click Next.  
        4. You will be redirected to the authentication method you set up in the Passport Login. For example, if you configured QR Code, you will need to complete this step.
          Sign in with Badges
        5. After completing the first factor of authentication, proceed with the second factor as required. For example, if you configured Face ID, you will need to complete this step.
          Face ID_setup-3
        6. Verify that you can successfully log in to Google Workspace.