SAML Integration with G Suite (Google Apps)
Problem
You want to integrate G Suite (Google Apps) for Single Sign-On via your PortalGuard Identity Provider.
Solution
Create a new SAML Relying Party within the Identity Provider Configuration Editor and make the necessary changes within the G Suite (Google Apps) Admin Dashboard panel.
Navigate to the PortalGuard server and open the Identity Provider Configuration Editor.
Navigate to the SAML Websites tab and click on the 'Create' button to create a new Relying Party Configuration.
Give the new Relying Party a 'Name' and 'Description' that make sense for this application (e.g. G Suite, Google Apps or Prod Google Domain).
Next to 'Identifiers' click on the 'Add' button.
You will need to add two (2) identifiers here:
google.com
google.com/a/<your.google.apps.domain>
Replace the final portion of the second identifier with your G Suite (Google Apps) domain (e.g. google.com/a/portalguard.int). Google uses these values as the SAML Audience, so an assertion whose Audience matches neither identifier will be rejected.
For the 'Assertion Consumer URL', use the following format:
https://www.google.com/a/<your.google.domain>/acs
Important Note: You MUST include the 'www.' portion of the URL; an Assertion Consumer URL of https://google.com/a/<your.google.domain>/acs (without 'www.') will cause the integration to fail.
As with the identifiers above, replace the final portion of the URL with your G Suite (Google Apps) domain (e.g. https://www.google.com/a/portalguard.int/acs).
Navigate to the Identity Claims tab.
Ensure the correct 'Attribute Store' is selected.
This value will determine where user information is pulled from during SSO Authentication.
Click the 'Create' button to add a new Identity Claim to this Relying Party configuration.
In the new window, input 'EmailAsNameID' for the 'Name' field.
Ensure the 'Send as NameID?' box IS CHECKED.
For the 'Schema Type' click on the 'Pre-defined Types...' button and choose the following entry from the drop-down:
urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
Leave 'Value Type' set to 'String Field'.
Update the 'Field Name' to 'mail' (without the quotation marks).
Click 'Save'.
Click the 'Create' button to add a new Identity Claim to this Relying Party configuration.
In the new window, input 'Email' for the 'Name' field.
Ensure the 'Send as NameID?' box IS NOT CHECKED.
For the 'Schema Type' click on the 'Pre-defined Types...' button and choose the following entry from the drop-down:
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
Leave the 'Value Type' set to 'String Field'.
Update the 'Field Name' to 'mail' (without quotation marks).
Important Note: Both claims read the same 'mail' field but differ in two ways:
The first is sent as the 'NameID' while the second is not.
The 'Schema Type' differs between the two claims.
Both claims are required for SSO to G Suite (Google Apps).
Click 'Save'.
Navigate to the IdP-Initiated tab.
Display Text:
This is the label of the tile that your users will see on the PortalGuard SSO Jump Page.
Help Text:
This is the information that will appear if users hover over the tile but do not click on it.
Display Image:
Click on 'Choose Image' and browse to the thumbnail image that you would like to display on the PortalGuard SSO Jump Page. If you prefer to add your own image instead of the provided thumbnail for G Suite (Google Apps), simply paste the new image into the C:\inetpub\PortalGuard\sso\img\ folder and select it here.
Navigate to the Response tab.
Update the 'Default RelayState' with an entry using the following format:
http://mail.google.com/a/<your.google.domain>
Be sure to replace the final portion of this URL with your G Suite (Google Apps) domain (e.g. http://mail.google.com/a/portalguard.int).
This value is used for IdP-Initiated Single Sign-On: when a user clicks the tile on the PortalGuard SSO Jump Page, Google redirects them to Gmail after the assertion is accepted.
Click the main 'Save' button to save this configuration.
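Before uploading anything to Google, it is worth confirming that the Relying Party above actually produces an assertion in the shape the steps describe. The following script is an added example (not PortalGuard or Google code): it parses a SAML 2.0 Response and checks the Destination against the 'www.' ACS URL, the Audience against the two identifiers, the NameID against the emailAddress format, and the second emailaddress attribute against the NameID. The response embedded in it is a constructed, unsigned sample for the document's example domain portalguard.int; a real response captured from PortalGuard (for instance with the browser's developer tools, Base64-decoded) can be passed in its place. The script does not verify the XML signature, since that is what Google does with the uploaded PG_IdP.cer.

```python
"""Sanity-check a SAML Response against the G Suite relying-party settings above.

Added example; this is not PortalGuard or Google code. It confirms the values
the page has you configure: the ACS URL (with 'www.'), the Audience (one of the
two identifiers), the NameID in emailAddress format, and the separate
emailaddress attribute. It does NOT verify the XML signature; Google does that
with the uploaded PG_IdP.cer.
"""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
EMAIL_NAMEID_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"


def expected_settings(google_domain):
    """The identifiers, ACS URL and RelayState the page has you enter for a domain."""
    return {
        "identifiers": {"google.com", "google.com/a/" + google_domain},
        "acs": "https://www.google.com/a/" + google_domain + "/acs",
        "relay_state": "http://mail.google.com/a/" + google_domain,
    }


def check_response(xml_text, google_domain):
    """Return a list of problems found; an empty list means the response matches."""
    exp = expected_settings(google_domain)
    problems = []
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % NS["samlp"]:
        return ["root element is not samlp:Response"]

    # Google's ACS endpoint is on www.google.com; a Destination without 'www.' fails.
    dest = root.get("Destination")
    if dest != exp["acs"]:
        problems.append("Destination %r != %r" % (dest, exp["acs"]))

    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return problems + ["no saml:Assertion"]

    # Audience restriction: the assertion must name one of the two identifiers,
    # otherwise Google treats it as issued for a different service provider.
    audiences = {
        a.text.strip()
        for a in assertion.findall("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)
        if a.text
    }
    if not audiences & exp["identifiers"]:
        problems.append("Audience %r matches none of %r" % (sorted(audiences), sorted(exp["identifiers"])))

    # Claim 1 (EmailAsNameID): NameID in emailAddress format, built from the 'mail' field.
    nameid = assertion.find("saml:Subject/saml:NameID", NS)
    if nameid is None:
        problems.append("no saml:NameID")
    else:
        if nameid.get("Format") != EMAIL_NAMEID_FORMAT:
            problems.append("NameID Format %r != %r" % (nameid.get("Format"), EMAIL_NAMEID_FORMAT))
        if not nameid.text or "@" not in nameid.text:
            problems.append("NameID %r is not an email address" % nameid.text)
        elif nameid.text.rsplit("@", 1)[1].lower() != google_domain.lower():
            problems.append("NameID %r is not in the G Suite domain %s" % (nameid.text, google_domain))

    # Claim 2 (Email): the same address again as an emailaddress attribute.
    attrs = {
        a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", NS)]
        for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)
    }
    if EMAIL_CLAIM not in attrs:
        problems.append("missing attribute " + EMAIL_CLAIM)
    elif nameid is not None and attrs[EMAIL_CLAIM] != [nameid.text]:
        problems.append("attribute %r does not match NameID %r" % (attrs[EMAIL_CLAIM], nameid.text))
    return problems


# Constructed, unsigned sample response for the document's example domain.
SAMPLE_GOOD = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
    Destination="https://www.google.com/a/portalguard.int/acs">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jdoe@portalguard.int</saml:NameID>
    </saml:Subject>
    <saml:Conditions>
      <saml:AudienceRestriction><saml:Audience>google.com/a/portalguard.int</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
        <saml:AttributeValue>jdoe@portalguard.int</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

# The same response with 'www.' dropped from the ACS URL (the mistake the page warns about).
SAMPLE_NO_WWW = SAMPLE_GOOD.replace("https://www.google.com/", "https://google.com/")

if __name__ == "__main__":
    for label, xml_text in (("good", SAMPLE_GOOD), ("no-www", SAMPLE_NO_WWW)):
        print(label, check_response(xml_text, "portalguard.int") or "OK")
```

Run it against the embedded samples first: the good response reports no problems, and the copy without 'www.' reports only the Destination mismatch, which is exactly the failure the Assertion Consumer URL note above describes. The NameID and attribute checks also catch the case where only one of the two claims was created.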
From the main screen of the Identity Provider Configuration Editor, click the 'Apply to Identity Provider' button.
Click the 'Sync' button.
Save a copy of the 'PG_IdP.cer' file from your PortalGuard server to the machine from which you will be making the administrative changes on the Google Domain. This is the public certificate Google will use to verify the signature on PortalGuard's SAML assertions, and it is necessary to complete the integration.
The default location for the 'PG_IdP.cer' file is C:\Program Files\PistolStar\PortalGuard\
Navigate to the G Suite Admin Dashboard Panel.
e.g. https://www.google.com/a/cpanel/<your.google.domain>/Dashboard
Click on the 'Security' link:
Click on the 'Set up single sign-on (SSO)' link:
In the new section that appears, scroll down and click on the checkbox labeled 'Setup SSO with third party identity provider'.
Next to 'Verification Certificate' click on the 'Upload Certificate' link and select the 'PG_IdP.cer' file that was copied over from the PortalGuard server earlier.
Update the remaining fields as noted here (replace YOUR.PORTALGUARD.SERVER in each URL with the hostname of your PortalGuard server/website):
Sign-in page URL:
https://YOUR.PORTALGUARD.SERVER/sso/go.ashx
Sign-out page URL:
https://YOUR.PORTALGUARD.SERVER/_layouts/PG/signout.aspx?ReturnURL=%2fsso%2fdefault.aspx
Change password URL:
https://YOUR.PORTALGUARD.SERVER/_layouts/PG/login.aspx?ReturnURL=%2fdefault.aspx&pgautopop=2
Click the 'Save' button to commit the changes.
Google SSO is either On or Off: clicking 'Save' with the 'Setup SSO with third party identity provider' box checked turns SSO on, and clicking 'Save' with the same box unchecked turns it off.
Test the login by logging in to a Google service with an email address in the now-integrated domain, or by logging in to PortalGuard and clicking the G Suite (Google Apps) tile on the SSO Jump Page.