Configure G Suite as SAML IdP for GSA

Requirements

GSA Version 7.4.0.G.72 or later

Configure G Suite IdP

  1. Log in to the Google Admin console with an administrator account that has permission to add new apps.
  2. Go to Apps > SAML Apps and click “+” at the bottom right of the page to add a new SAML app (“Enable SSO for SAML Application”).
  3. Select “Setup my own custom app” at the bottom of the window.

  4. You will see the “Google IdP Information” page. These settings have to be entered into the GSA SAML configuration later (note them down here, or view them later under Security / Set up single sign-on (SSO)).

  5. Enter the desired “Application name” and “Description”.

  6. Enter the “Service Provider Details” and click Next.

     ACS Url: https://gsa.example.com/security-manager/samlassertionconsumer
         The Assertion Consumer Service, which is the GSA Security Manager: your GSA’s URL with the string “/security-manager/samlassertionconsumer” appended.
     Entity ID: http://google.com/enterprise/gsa/T4-AAAAAAAAAAA
         The GSA SAML entity ID, found in the GSA Admin console under “Search > Secure Search > Access Control > SAML Issuer Entity ID”.

     For more details please see “G Suite Administrator Help / SAML-based Federated SSO”.

  7. Click Finish (depending on your environment, set up Attribute Mapping before finishing).

  8. Open your SAML IdP for GSA under Apps > SAML Apps > Settings for SAML IdP for GSA, click the vertical “...” and choose “On for Everyone” (or the setting appropriate for your organization) to enable the SAML IdP for all your users.

  9. Go to Security / Set up single sign-on (SSO) and download the certificate.

GSA Configuration

Make sure that the GSA can verify the trust chain of the SSL certificate used by the IdP. If necessary, install intermediate CA certificates.

  1. Open the Admin console and go to Search > Secure Search > Universal Login Auth Mechanisms > SAML.
  2. Select the proper “Credential Group” you want to use SAML authentication for, and give a proper “Mechanism Name” (select a name that makes it easy to identify once you search through the logs).
  3. Enter the IDP Entity ID and Login URL, which you can see in the Google Admin console under Security / Set up single sign-on (SSO).
  4. Download the certificate from the Google Admin console and open the GoogleIDPCertificate-example.com.pem file with a text editor. Copy its contents into the “Public Certificate of IDP” text box in the GSA Admin console.

See this table for how the settings correspond:

  GSA Admin Console setting                        Google Admin console setting
  (Search > Secure Search > Universal Login        (Security / Set up single sign-on (SSO))
   Auth Mechanisms > SAML)
  ---------------------------------------------    ----------------------------------------
  IDP Entity ID                                    Entity ID
  Login URL                                        SSO URL
  Public Certificate of IDP (version > 7.4)        Certificate download (please see below)
  Public Key of IDP (version <= 7.4)

Security Manager logs for successful authentication

  160321 02:14:10.439:I 77 [.servlets.SamlAssertionConsumer.consumeAssertion] sid 8bfc0526a415d751ecb37172b54d4c5f: status code = urn:oasis:names:tc:SAML:2.0:status:Success
  160321 02:14:10.440:I 77 [.servlets.SamlAssertionConsumer.consumeAssertion] sid 8bfc0526a415d751ecb37172b54d4c5f: SAML subject "apps-gsa-user@example.com" verified until 2016-03-21T09:19:09.209Z
  …
  160321 02:14:10.444:I 77 [.authncontroller.AuthnSession.updateSessionState] sid 8bfc0526a415d751ecb37172b54d4c5f: Modify session state:
  add to http://google.com/enterprise/gsa/security-manager/APPS_SAML: {Verification: status=VERIFIED; expires at 2016-03-21T02:44:08.230-07:00; credentials {principal: Default:"apps-gsa-user@example.com"}}
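As an added example (not part of the original page or of the GSA product), the following Python script audits Security Manager log lines in the format shown above: it groups lines by session id, records the SAML status code and the verified subject, and classifies each session. The first four sample lines are the page's own excerpt; the fifth line (a Responder status for a second session id) is constructed to show how a rejected assertion is reported.

```python
import re
from collections import defaultdict

# Sample log: lines 1-4 are from the page's excerpt; line 5 is a CONSTRUCTED
# failure (SAML "Responder" status) under a constructed session id.
SAMPLE_LOG = """\
160321 02:14:10.439:I 77 [.servlets.SamlAssertionConsumer.consumeAssertion] sid 8bfc0526a415d751ecb37172b54d4c5f: status code = urn:oasis:names:tc:SAML:2.0:status:Success
160321 02:14:10.440:I 77 [.servlets.SamlAssertionConsumer.consumeAssertion] sid 8bfc0526a415d751ecb37172b54d4c5f: SAML subject "apps-gsa-user@example.com" verified until 2016-03-21T09:19:09.209Z
160321 02:14:10.444:I 77 [.authncontroller.AuthnSession.updateSessionState] sid 8bfc0526a415d751ecb37172b54d4c5f: Modify session state:
add to http://google.com/enterprise/gsa/security-manager/APPS_SAML: {Verification: status=VERIFIED; expires at 2016-03-21T02:44:08.230-07:00; credentials {principal: Default:"apps-gsa-user@example.com"}}
160321 02:20:01.002:I 78 [.servlets.SamlAssertionConsumer.consumeAssertion] sid 0123456789abcdef0123456789abcdef: status code = urn:oasis:names:tc:SAML:2.0:status:Responder
"""

# Line layout assumed from the excerpt: "<ts>:<level> <thread> [<source>] sid <hex>: <message>"
LINE_RE = re.compile(
    r'^(?P<ts>\d{6} \d\d:\d\d:\d\d\.\d+):(?P<lvl>[A-Z]) (?P<thread>\d+) '
    r'\[(?P<src>[^\]]+)\] sid (?P<sid>[0-9a-f]+): (?P<msg>.*)$')
STATUS_RE = re.compile(r'status code = (?P<status>\S+)')
SUBJECT_RE = re.compile(r'SAML subject "(?P<subject>[^"]+)" verified until (?P<until>\S+)')
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"


def summarize_sessions(log_text):
    """Return {sid: {status, subject, verified_until, session_verified}} built from the log."""
    sessions = defaultdict(dict)
    last_sid = None
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            # Continuation lines (e.g. "add to ...") carry no sid; attach to the previous one.
            if last_sid and "status=VERIFIED" in raw:
                sessions[last_sid]["session_verified"] = True
            continue
        last_sid, msg = m.group("sid"), m.group("msg")
        ms = STATUS_RE.search(msg)
        if ms:
            sessions[last_sid]["status"] = ms.group("status")
        mj = SUBJECT_RE.search(msg)
        if mj:
            sessions[last_sid]["subject"] = mj.group("subject")
            sessions[last_sid]["verified_until"] = mj.group("until")
    return dict(sessions)


def outcome(session):
    """'success' only when the IdP returned Success AND a subject was verified."""
    if session.get("status") != SUCCESS:
        return "idp-rejected"          # Requester/Responder/VersionMismatch etc.
    return "success" if "subject" in session else "no-subject"
```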