Single Sign-On with G-Suite SAML App

Organizations may enable users to sign in to PopeTech using Google G-Suite’s Single Sign-On by creating a custom SAML application.

Setup time: 15 min

Pre-requirements:

  • SSO settings must first be enabled within your account. To request SSO features, contact PopeTech support
  • Google G-Suite account with admin access

Overview:

  1. Create a custom SAML app within G-Suite
  2. Retrieve Google IdP Metadata for input into PopeTech
  3. Input SSO settings into PopeTech and generate SP Metadata file
  4. Retrieve PopeTech SP Metadata information for input into G-Suite SAML app
  5. Verify user SAML setting for user in PopeTech
  6. Verify user access to SAML app within G-Suite
  7. Sign-In Options

G-Suite – Create a Custom SAML App

Within your G-Suite account in the Unified Apps dashboard, create a new custom SAML app.

https://admin.google.com/ac/apps/unified

App name: PopeTech

Logo: Download the image below and upload

G-Suite – Retrieve Google IdP Metadata for input into PopeTech

  1. Copy the SSO URL provided and paste into your PopeTech SSO Settings in the Single Sign-On URL field
  2. Copy the Entity ID provided and paste into your PopeTech Identity Provider’s EntityID field
  3. Copy the Certificate provided and paste into your PopeTech IdP x509 Certificate field

Input SSO settings into PopeTech and generate SP Metadata file

To generate the requested ACS URL and Entity ID, fill out the remaining SSO settings within PopeTech and save them. Remaining PopeTech settings:

  • Use SAML SSO – Yes
  • Create new users automatically – Optional. Defaults to No. Selecting Yes allows users already set up in the IdP to enter their domain in the PopeTech login form, be redirected to their Google login, and then be redirected back to PopeTech with a newly created user account that has the given role (see the Role for New Users setting below).
  • Domain – Your unique domain. Users with this domain are redirected to your Identity Provider for SSO login.
  • Single Sign-Out URL – The URL that ends your IdP’s SSO session. The logout URL for Google can be found by going to accounts.google.com as a logged-in user and copying the logout button URL (ex: https://accounts.google.com/Logout?ec=GAdAwAE)
  • Name Attribute – must match the mapped name attribute that will be entered into your G-Suite SAML app in a later step. Suggested: name
  • Email Attribute – must likewise match the mapped email attribute. Suggested: email
  • Other Unique Attribute – optional custom field used in place of the name or email attribute. Leave blank by default.
  • Name format – must match your IdP’s Name ID format setting. Defaults to Persistent
  • Role for New Users – the role that new SSO users are assigned by default
  • Additional settings for requests and assertions must match your IdP settings. Initially, enable only what is needed and add the others once your initial integration is working
    • Sign Authentication Request – Suggested: True/Checked
    • Sign Logout Request – Suggested: True/Checked
    • Sign Logout Response – Suggested: True/Checked
    • Request Signed Assertion – Google doesn’t support signed assertions at this time.
    • Request Encrypted Assertion
    • Request Encrypted Name ID

Save your settings and refresh the page. You will now have a generated Service Provider’s Metadata URL. Content from this file will be used to finalize your IdP (Google) SSO settings to finish the integration.

Retrieve PopeTech SP Metadata information for input into G-Suite SAML app

Return to G-Suite to continue your custom SAML app setup with the following settings:

  • ACS URL – The ACS URL can be found within your PopeTech Metadata file as the Location attribute of the AssertionConsumerService element: <md:AssertionConsumerService ... Location="[ACS URL Here]"/>. This URL will be in the following format:
    • https://api.pope.tech/sso/########-####-####-####-############/acs
  • Entity ID – the Service Provider Entity ID is found within your PopeTech Metadata file as the entityID attribute of the root element: <md:EntityDescriptor entityID="[Entity ID Here]">. Alternatively, this value is the same as the Metadata URL listed under Service Provider’s Metadata URL. This ID will be in the following format:
  • Start URL (optional) – leave blank unless needed
  • Signed Response – this must match SP settings. Suggested: True/Checked
  • Name ID format – this value must match the Name format set in PopeTech. Suggested: Persistent
  • Attribute Mapping: app attributes must match the values set in PopeTech SSO settings. Suggested:
    • First name: name
    • Primary email: email
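
The values above can be pulled out of the SP metadata file and checked against the settings this page asks for before they are typed into G-Suite. The script below is an added example, not PopeTech’s or Google’s code; the metadata it parses is a constructed sample in the shape the page describes (the UUID and entity ID URL are placeholders), and the ACS URL check assumes the id segment is UUID-shaped.

```python
"""Extract the ACS URL, Entity ID and related settings from a SAML 2.0 SP metadata file."""
import re
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}

# Constructed sample SP metadata (placeholder UUID and URLs, not a real PopeTech file).
SAMPLE_SP_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://api.pope.tech/sso/12345678-1234-1234-1234-123456789abc/metadata">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
    <md:AssertionConsumerService index="1"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://api.pope.tech/sso/12345678-1234-1234-1234-123456789abc/acs"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Assumption: the id segment of the ACS URL is a UUID (the page shows it as ########-####-...).
ACS_URL_RE = re.compile(
    r"^https://api\.pope\.tech/sso/[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}/acs$", re.IGNORECASE)


def sp_settings(metadata_xml: str) -> dict:
    """Return the fields the G-Suite SAML app form asks for, read from SP metadata."""
    root = ET.fromstring(metadata_xml)
    sp = root.find("md:SPSSODescriptor", NS)
    acs = sp.find("md:AssertionConsumerService", NS)
    name_id = sp.findtext("md:NameIDFormat", default="", namespaces=NS)
    return {
        "entity_id": root.get("entityID"),            # entityID attribute on the root element
        "acs_url": acs.get("Location"),               # Location attribute of the ACS element
        "name_id_format": name_id.rsplit(":", 1)[-1],  # e.g. "persistent"
        "authn_requests_signed": sp.get("AuthnRequestsSigned") == "true",
    }


def check_against_page(settings: dict) -> list:
    """List mismatches between the metadata and the settings this page suggests."""
    problems = []
    if not ACS_URL_RE.match(settings["acs_url"] or ""):
        problems.append("ACS URL does not look like https://api.pope.tech/sso/<uuid>/acs")
    if settings["name_id_format"] != "persistent":
        problems.append("Name ID format is not persistent; the G-Suite Name ID format must match")
    if not settings["authn_requests_signed"]:
        problems.append("AuthnRequestsSigned is false; Sign Authentication Request is suggested")
    return problems
```

Run `check_against_page(sp_settings(open("metadata.xml").read()))` against the real file; an empty list means the three values can be copied into the G-Suite form as-is.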

Finish/Save the app.

Verify user access to SAML app within G-Suite

Now that your app is created, you will need to allow G-Suite users access to the app. By default, a new app has no allowed users. Add groups or organizational units via the User access menu.

Verify user SAML setting for user in PopeTech

G-Suite users that have been allowed access to the new SAML app will need their corresponding email addresses added as users in PopeTech with the SSO User? option enabled. The SSO User? setting can be found on the Edit User page.

Sign-In Options

On the PopeTech login screen, SSO-enabled users who enter their email address will automatically be redirected to their G-Suite login page. A successful G-Suite login redirects the authenticated user back to PopeTech.

Alternatively, G-Suite users can now find the PopeTech app in their app menu within their account.