Using GSuite as a SAML Provider

When configuring GSuite as a SAML Provider, the basic steps to set up the foreign system are the same as those given under the "Setting up a SAML Integration" topic. There are a couple of extra points to note that may not be obvious when following the Google documentation for the SAML setup.

External References

  • Google: https://support.google.com/a/answer/6087519

Clarification of Steps in GSuite

When you follow the recommended steps to create a custom SAML application in GSuite, you will be shown a number of fields that you will need when configuring Privilege Manager. GSuite provides a test via its SAML apps | Test dialog. The data shown on that page, together with the Download Metadata option, is needed to edit and complete the GSuite foreign system setup in Privilege Manager. It is best to keep the GSuite app configuration page and the Privilege Manager Console open in two different browser windows for easy retrieval of data.

  1. Go to your G-Suite app that you have configured in your browser and view the details.

  2. Your browser URL, which will be similar to https://admin.google.com/u/1/ac/apps/saml/241286142839, contains your AppID, which is the number string at the end of the URL (241286142839 in this example).

    Copy your AppID from your URL. It needs to be added on the foreign systems page.

  3. From the download metadata page, copy your Entity ID and download the Certificate. You will need to upload this certificate in Privilege Manager later.

  4. For the ACS URL field, enter https://your-server.privilegemanagercloud.com/Tms/saml2/acs.

  5. For the Entity ID field, enter PrivilegeManagerServiceProvider.

  6. Leave the Start URL blank.

  7. Check the Signed response box.

  8. For the Name ID Format field, select Email.

  9. For the Name ID field, select Basic Information | Primary email.

Steps in the Privilege Manager Console

  1. In Privilege Manager, navigate to Admin | Foreign Systems and create a new SAML provider.

  2. Enter the following values:

    1. Issuer: enter the Entity ID provided by your GSuite custom app.
    2. Single Sign On URL: enter the URL containing the AppID string, in the form https://accounts.google.com/o/saml2/initsso?idpid=<idpid>&spid=<AppID>&forceauthn=false.
      1. Replace <AppID> with your AppID value from step 2 under "Clarification of Steps in GSuite".
      2. Replace <idpid> with your application's Entity ID from step 3.
    3. Certificate: upload the downloaded certificate via Choose File.
  3. Verify the page contains all the required data, refer to this example:

    [example screenshot: completed SAML provider page]
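Added example (not code from the Privilege Manager documentation or product): a small Python helper that reads the metadata downloaded in step 3, extracts the Issuer, the idpid and the signing certificate, checks that the NameID format is email, and assembles the Single Sign On URL in the form given above. The metadata is a constructed sample with placeholder values, and the idpid is assumed to be the `idpid` query parameter of the metadata entityID.

```python
# Added example, not from the Privilege Manager documentation or product: derives the
# SAML provider fields from the GSuite artefacts. Assumes the idpid is the `idpid` query
# parameter of the metadata entityID.
import base64
import re
import textwrap
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlparse

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
# Constructed sample shaped like a Google IdP metadata download; every value is a placeholder.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://accounts.google.com/o/saml2?idpid=C0EXAMPLE1">
  <md:IDPSSODescriptor>
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>MIIBkTCB+wIJAPLACEHOLDERCERT</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def app_id_from_console_url(url: str) -> str:
    """AppID is the trailing number of the admin console URL (step 2 above)."""
    match = re.search(r"/apps/saml/(\d+)/?$", urlparse(url).path)
    if not match:
        raise ValueError("not an admin console SAML app URL")
    return match.group(1)


def parse_idp_metadata(xml_text: str) -> dict:
    """Issuer, idpid, signing certificate as PEM, and the NameID-format check."""
    root = ET.fromstring(xml_text)  # parse only metadata you downloaded yourself
    entity_id = root.get("entityID")
    idpid = parse_qs(urlparse(entity_id).query).get("idpid", [None])[0]
    key = root.find(".//md:KeyDescriptor[@use='signing']", NS) or root.find(".//md:KeyDescriptor", NS)
    cert_b64 = "".join(key.findtext(".//ds:X509Certificate", namespaces=NS).split())
    base64.b64decode(cert_b64, validate=True)  # raises if the certificate text is mangled
    pem = "-----BEGIN CERTIFICATE-----\n" + "\n".join(textwrap.wrap(cert_b64, 64)) + "\n-----END CERTIFICATE-----\n"
    formats = [e.text.strip() for e in root.findall(".//md:NameIDFormat", NS)]
    return {"issuer": entity_id, "idpid": idpid, "certificate_pem": pem,
            "name_id_email": EMAIL_FORMAT in formats}


def build_sso_url(idpid: str, app_id: str) -> str:
    """Single Sign On URL in the form the console steps above prescribe."""
    return "https://accounts.google.com/o/saml2/initsso?" + urlencode(
        {"idpid": idpid, "spid": app_id, "forceauthn": "false"})
```

Run `parse_idp_metadata` on your real metadata file and compare its output field by field with the values you typed into the foreign system page before enabling the provider.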

Next Step - Authentication Provider

To enable this new SAML provider to be used from the Login page, visit the Authentication tab and select your GSuite Foreign System from the listed providers. Refer to Managing Auth Providers.

After saving or enabling authentication providers, you may notice a short period of unresponsiveness in your browser while the Privilege Manager application pools restart automatically.