cube-js · keydunov · Sep 8, 2023 · Aug 22, 2023
diff --git a/docs/docs-new/pages/product/workspace/sso.mdx b/docs/docs-new/pages/product/workspace/sso.mdx
@@ -32,6 +32,11 @@ Single sign-on works with various identity providers. Check the following guides
 to get tool-specific instructions:
 
 <Grid imageSize={[56, 56]}>
+  <GridItem
+    url="sso/google-workspace"
+    imageUrl="https://static.cube.dev/icons/google-cloud.svg"
+    title="Google Workspace"
+  />
   <GridItem
     url="sso/okta"
     imageUrl="https://static.cube.dev/icons/okta.svg"

diff --git a/docs/docs-new/pages/product/workspace/sso/_meta.js b/docs/docs-new/pages/product/workspace/sso/_meta.js
@@ -1,3 +1,4 @@
 module.exports = {
+  "google-workspace": "Google Workspace",
   "okta": "Okta"
-}
+}
diff --git a/docs/docs-new/pages/product/workspace/sso/google-workspace.mdx b/docs/docs-new/pages/product/workspace/sso/google-workspace.mdx
@@ -0,0 +1,107 @@
+# Google Workspace
+
+Cube Cloud supports authenticating users through Google Workspace, which is
+useful when you want your users to access Cube Cloud using single sign on. This
+guide will walk you through the steps of configuring SAML authentication in Cube
+Cloud with Google Workspace. You **must** be a super administrator in your
+Google Workspace to access the Admin Console and create a SAML integration.
+
+<SuccessBox>
+
+Single sign-on with Google Workspace is available in Cube Cloud on
+[Enterprise](https://cube.dev/pricing) tier.
+[Contact us](https://cube.dev/contact) for details.
+
+</SuccessBox>
+
+## Enable SAML in Cube Cloud
+
+First, we'll enable SAML 2.0 authentication in Cube Cloud. To do this, log in to
+Cube Cloud and
+
+1. Click your username from the top-right corner, then click <Btn>Team &
+   Security</Btn>.
+
+2. On the <Btn>Authentication & SSO</Btn> tab, ensure <Btn>SAML 2.0</Btn> is
+   enabled:
+
+<Screenshot
+  alt="Cube Cloud Team Authentication and SSO tab"
+  src="https://ucarecdn.com/f5ff1413-f37c-4476-afcc-0ff29e87e80a/"
+/>
+
+Take note of the <Btn>Single Sign On URL</Btn> and <Btn>Service Provider Entity
+ID</Btn> values here, as we will need them in the next step when we configure
+the SAML integration in Google Workspace.
+
+## Create a SAML Integration in Google Workspace
+
+Next, we'll create a [SAML app integration for Cube Cloud in Google
+Workspace][google-docs-create-saml-app].
+
+1. Log in to [admin.google.com](https://admin.google.com) as an administrator,
+   then navigate to
+
+   <Btn>Apps → Web and Mobile Apps</Btn> from the left sidebar.
+
+2. Click <Btn>Add App</Btn>, then click <Btn>Add custom SAML app</Btn>:
+
+<Screenshot src="https://ucarecdn.com/5898f666-a2b4-44b5-ae9e-03832d9966bc/" />
+
+3. Enter a name for your application and click <Btn>Next</Btn>. You can
+   optionally add a description and upload a logo for the application, but this
+   is not required. Click <Btn>Continue</Btn> to go to the next screen.
+
+<Screenshot src="https://ucarecdn.com/b8fe1ad6-6f31-42ed-908c-3e1b72a3d2f1/" />
+
+4. Take note of the <Btn>SSO URL</Btn>, <Btn>Entity ID</Btn> and
+   <Btn>Certificate</Btn> values here, as we will need them when we finalize the
+   SAML integration in Cube Cloud. Click <Btn>Continue</Btn> to go to the next screen.
+
+<Screenshot src="https://ucarecdn.com/3f046773-d2d1-424f-a8f8-b023e4896eb1/" />
+
+5. Enter the following values for the <Btn>Service provider details</Btn>
+   section and click <Btn>Continue</Btn>.
+
+| Name      | Description                                                         |
+| --------- | ------------------------------------------------------------------- |
+| ACS URL   | Use the <Btn>Single Sign On URL</Btn> value from Cube Cloud         |
+| Entity ID | Use the <Btn>Service Provider Entity ID</Btn> value from Cube Cloud |
+
+<Screenshot src="https://ucarecdn.com/f7e49547-e0ad-4fa3-902b-536e5926a0bc/" />
+
+5. On the final screen, click <Btn>Finish</Btn>.
+
+6. From the app details page, click <Btn>User access</Btn> and ensure the app is
+   <Btn>ON for everyone</Btn>:
+
+<Screenshot src="https://ucarecdn.com/8e1696fa-828c-4be5-a1d8-81c7b054dadb/" />
+
+## Enable SAML in Cube Cloud
+
+In this step, we'll finalise the configuration by entering the values from our
+SAML integration in Google into Cube Cloud.
+
+1. From the same <Btn>Authentication & SSO > SAML 2.0</Btn> tab, click the
+   <Btn>Advanced Settings</Btn> tab:
+
+<Screenshot src="https://ucarecdn.com/5359c52e-69c1-45fa-baf2-d3bb07d72634/" />
+
+2. Enter the following values in the <Btn>SAML Settings</Btn> section:
+
+| Name                        | Description                                                        |
+| --------------------------- | ------------------------------------------------------------------ |
+| Audience (SP Entity ID)     | Delete the prefilled value and leave empty                         |
+| IdP Issuer (IdP Entity ID)  | Use the <Btn>Issuer</Btn> value from Google Workspace              |
+| Identity Provider Login URL | Use the <Btn>Sign on URL</Btn> value from Google Workspace         |
+| Certificate                 | Use the <Btn>Signing Certificate</Btn> value from Google Workspace |
+
+3. Scroll down and click <Btn>Save SAML 2.0 Settings</Btn> to save the changes.
+
+## Test SAML authentication
+
+To start using SAML authentication, use the
+[single sign-on URL provided by Cube Cloud](#enable-saml-in-cube-cloud)
+(typically `<YOUR_CUBE_CLOUD_URL>/sso/saml`) to log in to Cube Cloud.
+
+[google-docs-create-saml-app]: https://support.google.com/a/answer/6087519?hl=en