Configuring SAML SSO with Google
- Updated on 05 May 2022
Google supports a SAML-based Single Sign-On service for its web-based applications, which lets you configure a connection to your Identity Provider (IdP) server. In the configuration described below, the third-party identity provider is Identity Automation, through RapidIdentity Federation.
The preliminary SAML authentication configuration steps require that both RapidIdentity Portal and RapidIdentity Federation IdP are internet accessible and are configured as described.
Follow these steps to configure G Suite for SAML. A G Suite Admin Console login is required to complete this configuration.
Note: Google may update its setup sequence without notification; therefore, the steps below may vary slightly.
Launch the Identity Provider Configuration Workspace
- From the RapidIdentity Configuration Module, select Identity Providers from the Security menu.
- The Identity Provider Configuration workspace will launch.
- Click Download the certificate used by the Identity Provider (.pem) to download the certificate.
- Keep this browser window open as the Base URL and Logout URL are necessary during upcoming steps. At that time, the certificate will be uploaded to the G-Suite Admin portal.
Set up SSO in the G Suite Admin Console
- In a different browser window, authenticate to G Suite Admin Console with an administrator account and click Security.
- Click Set up single sign-on (SSO) with a third party IdP.
- In the Third-party Identity Provider section, enter the following information: the Sign-in page URL and the Sign-out page URL.
- Enter the Sign-in page URL.
- Enter the Sign-out page URL.
Note: The base URL for these values must be entered using the format "**/idp/profile/SAML2/Redirect/SSO".
- Click REPLACE CERTIFICATE to upload the certificate that was downloaded in Step 3.
- Click Save at the bottom of the page to save the configuration.
- Click Download IDP Metadata and copy the information to the clipboard. The metadata ends with "."
Create a SAML 2.0 Federation Partner for G Suite
- In the RapidIdentity Configuration module, click Federation Partners from the Identity Providers section.
- Click the Add Federation Partner drop-down button and select SAML 2.0.
- The Federation Partners>Community-SAML Relying Parties workspace will launch.
Tip: The Community contains the basic configuration for commonly used SAML Relying Parties. Before manually adding a new SAML Relying Party, search the Community for the G-Suite entry. The Community is updated on an ongoing basis with new SAML Relying Parties.
- Click Create SAML Relying Party +. Enter the following information in the Federation Partners > Create SAML Relying Party window.
- The tables below list the values to enter in each section, "General" and "SSO Settings," when registering the G Suite Relying Party in the Register SAML Relying Party window.
General
Field | Value |
--- | --- |
Name | G-Suite |
Description | G Suite SAML Authentication Configuration |
Metadata | The metadata copied from the G Suite Admin Console (see above) |
- Click SSO Settings at the bottom of the General page to expand the SSO Settings options.
SSO Advanced Settings
Field | Value | Description |
--- | --- | --- |
Include SAML2 Attribute Statement | True | If selected, the SAML2 SSO Assertion generated for this Relying Party will contain an <AttributeStatement> element. |
SAML2 SSO Assertion Lifetime | | Defines the period of time, in hours, minutes, and seconds, that a SAML2 SSO Assertion generated for this Relying Party will be valid. This setting directly affects the "NotOnOrAfter" attribute in the SAML Assertion, which tells the Relying Party that receives the Assertion to consider it valid only if it is received before this time instant. |
Sign SAML2 SSO Response | Conditional | Determines if the SAML2 SSO Responses should be cryptographically signed. The default value is "Conditional" and should be used to query for assertions that meet particular criteria. Choose "Always" to enable signatures on the Response and "Never" to disable signatures on the Response. |
Sign SAML2 SSO Assertions | Never | Determines if the SAML2 SSO Assertions should be cryptographically signed. Choose "Always" to enable signatures on the Assertion and "Never" to disable signatures on the Assertion. |
Encrypt SAML2 SSO Assertions | Never | Determines if the SAML2 SSO Assertions should be encrypted. Note: this is only possible if the IdP is provided with an "encryption" certificate in the SAML metadata for the Relying Party. Choose "Always" to enable encryption and "Never" to disable encryption. Default value is "Conditional." |
Encrypt SAML2 SSO Name IDs | Never | Determines if the Name IDs present in the SAML2 SSO Assertions should be encrypted. Note: this is only possible if the IdP is provided with an "encryption" certificate in the SAML metadata for the Relying Party. Choose "Always" to enable encryption and "Never" to disable encryption. |
Signature Algorithm | SHA-1 | The algorithm to use when cryptographically signing the SAML2 SSO Responses and/or SAML2 SSO Assertions. |
Skip Endpoint Validation When Signed | False | If the <AuthnRequest> is cryptographically signed, and the IdP can verify that signature using a public signing key present in the Relying Party's metadata, enabling this option instructs the IdP to accept an unrecognized Assertion Consumer Service URL. |
Enable ECP Settings | False | When the Enable ECP Settings checkbox is selected, the ECP Settings section and its configuration options appear beneath the SSO Settings. In this case, ECP settings are not to be enabled. |
Define the LDAP Attributes
SAML Service Providers typically define one or more attributes about the authenticating user that the Identity Provider must release to Google during SAML authentication. These attributes are typically things like Email and Name, but can also include things like Group Membership.
- From the Security menu, access the SAML 2.0 Federation Partner that was created earlier in this process. Click SAML Attributes at the bottom of the workspace to view or add attributes.
- In this example, the Name ID will be the attribute used for authentication.
- A SAML assertion typically contains a single "Name ID" attribute and 0 or more other attributes about the authenticated user.
- A Name ID attribute is typically the main identifier of the user and is associated with a particular "Name Format." The Name Format generally indicates the type of value to the Relying Party.
- For example, a value of "urn:oasis:names:tc:SAML:2.0:nameid-format:email" indicates that the Name ID attribute is an email address.
- A value of "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" indicates the value is of an "unspecified" type.
- The Federation Partners > SAML Attributes workspace will load. Click the Name ID tab.
- Enter Name ID for the LDAP Attribute, and select the Name Format Friendly Name from the drop-down list. In this example, the name format is an email address.
- Click Save.
- The Name ID attribute will now be populated in the workspace.
- From the newly added Name ID Attribute, click Edit.
- The URN will be similar to this: "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified". Ensure the SAML version and the format match the information in the metadata from G Suite. In this case, the updated URN will be "urn:oasis:names:tc:SAML:2.0:nameid-format:email". Click Save.
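As an added example (not code from RapidIdentity or Google), the following checks a SAML Response the way a Relying Party would against the settings from the SSO Advanced Settings table and the Name ID step above: the NameID Format, the NotOnOrAfter set by the Assertion Lifetime, the presence of an AttributeStatement, and whether a signature is present and uses SHA-1 (which is weak for signatures; SHA-256 is the safer choice where the Relying Party accepts it). The sample Response, its timestamps and the user value are constructed; the signature is inspected structurally, not verified cryptographically.

```python
import xml.etree.ElementTree as ET
from datetime import datetime
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:2.0:nameid-format:email"  # Name ID format set above
SHA1_RSA = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"           # "SHA-1" in the settings table
SHA256_RSA = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"

def _ts(value):  # SAML timestamps are UTC, e.g. 2022-05-05T12:05:00Z
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def check_response(xml_text, now_iso, expected_format=EMAIL_FORMAT):
    """Return the list of problems found; an empty list means the Response passes."""
    now, problems = _ts(now_iso), []
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return ["no Assertion element"]
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None:
        problems.append("no NameID")
    elif name_id.get("Format") != expected_format:
        problems.append("NameID Format does not match the format G Suite expects")
    conds = assertion.find("saml:Conditions", NS)
    not_after = conds.get("NotOnOrAfter") if conds is not None else None
    if not_after is None:
        problems.append("no NotOnOrAfter")        # Assertion Lifetime was never applied
    elif now >= _ts(not_after):
        problems.append("assertion expired")      # NotOnOrAfter already reached
    if assertion.find("saml:AttributeStatement", NS) is None:
        problems.append("no AttributeStatement")  # Include SAML2 Attribute Statement = True
    # Structural check only: nothing here verifies the signature cryptographically;
    # that needs a SAML library and the IdP certificate (.pem) downloaded above.
    methods = root.findall(".//ds:Signature/ds:SignedInfo/ds:SignatureMethod", NS)
    if not methods:
        problems.append("neither Response nor Assertion is signed")
    if any(m.get("Algorithm") == SHA1_RSA for m in methods):
        problems.append("signature uses SHA-1; prefer SHA-256")
    return problems

# Constructed sample (not a captured G Suite exchange): signed, e-mail NameID, 5-minute lifetime.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}" xmlns:ds="{NS['ds']}">
  <ds:Signature><ds:SignedInfo><ds:SignatureMethod Algorithm="{SHA256_RSA}"/></ds:SignedInfo></ds:Signature>
  <saml:Assertion>
    <saml:Subject><saml:NameID Format="{EMAIL_FORMAT}">jdoe@example.com</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2022-05-05T12:00:00Z" NotOnOrAfter="2022-05-05T12:05:00Z"/>
    <saml:AttributeStatement><saml:Attribute Name="mail"/></saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
```

Running `check_response(SAMPLE_RESPONSE, "2022-05-05T12:01:00Z")` returns an empty list; the same Response checked at or after 12:05:00Z, or with the Name ID left at the "unspecified" format, reports the corresponding problem.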
Note: Editing attributes creates a link from the LDAP attributes to the "Name Format" defined by the service provider. Editing attribute mappings specifies which attributes to allow or deny for a specific service provider. It is often recommended to deny the [INTERNAL] SAML Transient ID as, in many cases, it conflicts with some service providers. [INTERNAL] attributes are the attributes defined by default by RapidIdentity to process SAML interactions between internal apps like the Portal and Connect.
- A service reload is required.
- Navigate to IDP Configuration.
- Click Trigger Service Reload in the action bar buttons.
- A confirmation message will appear briefly at the top of the workspace.
- Navigate to the G Suite Admin console, Security section.
- Select Set up single sign-on (SSO).
- Enter the data fields that were entered in step 2a. These values will vary based on the setup.
- The Sign-in page URL is the IdP Base URL to sign in to your system and G Suite.
- The Sign-out page URL is the Logout URL for redirecting users to sign out.
- The Change password URL is the organization-specific URL to allow users to change their password.
- Upload the IdP security certificate and ensure Use a domain-specific issuer is unchecked. Network masks are optional and organization-specific.
Create a G Suite App link in the RapidIdentity Portal's Admin Applications Module
- Once the application is created, click the icon in the portal to initiate a valid IdP initiated SAML connection to your G-Suite tenant.
- Access http://mail.google.com/a/{GOOGLE_DOMAIN} to be directed to a user's homepage.