RapidIdentity Product Guides - 2019 Rolling Release

G Suite SAML Authentication Configuration

Google supports a SAML-based Single Sign-On service for its web-based applications.

In Google's SAML SSO diagram (linked in the previous sentence), the Partner (Identity Provider) is Identity Automation, acting through RapidIdentity Federation.

The preliminary SAML authentication configuration steps require that both RapidIdentity Portal and RapidIdentity Federation (IdP) are internet accessible and are configured as described above.

Follow these steps to configure G Suite for SAML.

Google may update their set up sequence without notification and so the steps below may vary slightly.

  1. Access RapidIdentity Appliance | Configuration | IdP Configuration

  2. Click "Click here to download the signing/encryption certificate used by the Identity Provider" to download the certificate.

  3. Keep this browser window open since the Base URL and the Logout URL are necessary during later steps.

  4. Authenticate to G Suite with an administrator account and click Security.

  5. Select Set up single sign-on (SSO)

  6. The Sign-in page URL is the IdP Base URL; the Sign-out page URL is the Logout URL.

  7. The Change password URL is the organization specific change password URL.

  8. Upload the IdP security certificate and ensure Use a domain specific issuer is unchecked. Network masks are optional and organization specific.

  9. When finished, click Save Changes.

  10. Select the IdP Configuration tab and click Register a New Service Provider. Enter Google Apps in the name box and SAML in the description box.

  11. Expand SSO Advanced Settings and ensure the following settings are populated from the metadata, modifying GOOGLE_DOMAIN as necessary.

  12. SHA-1 or SHA-256 are the possible Signature Algorithms. To save, click the Register button.

  13. Click Edit Attributes

  14. The Current LDAP Attributes box details the default RapidIdentity Appliance configuration settings. Ensure the Name ID Attribute field contains the value urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified, and that the LDAP Attribute field contains mail.

  15. When complete, return to the IdP Configuration page and select Edit Attribute Mappings.  

  16. Select the attribute labeled mail and click Add.

  17. Next, add the [INTERNAL] SAML Transient ID as a Denied Attribute.

  18. When complete, return to the IdP Configuration page and click Trigger Service Reload. After waiting a sufficient interval, click Trigger Web Reload.

When both reloads are complete, access http://mail.google.com/a/{GOOGLE_DOMAIN}. If SAML authentication is configured correctly, the user is directed to their homepage.
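The settings fixed in steps 6 through 17 (Google as the Service Provider, an unspecified-format NameID carrying the mail attribute, and the transient ID denied) determine what a correct SAML Response to Google must look like. The following script is an added example, not RapidIdentity or Google code, for checking a captured Response against those expectations. The Google SP entity ID (google.com/a/<domain>) and ACS URL (https://www.google.com/a/<domain>/acs) are assumptions about Google's endpoints; the domain, IdP entity ID and the two sample Responses are constructed placeholders, and the samples are unsigned.

```python
"""Check a SAML Response against the shape this G Suite guide configures.

Added example, not part of RapidIdentity or Google. Google's SP entity ID
and ACS URL are assumed; sample Responses are constructed and unsigned.
"""
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}
NAMEID_UNSPECIFIED = "urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified"
NAMEID_TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"


def google_sp_settings(google_domain):
    # Assumed Google SP values for one G Suite domain (GOOGLE_DOMAIN in the guide).
    return {
        "audience": f"google.com/a/{google_domain}",
        "acs_url": f"https://www.google.com/a/{google_domain}/acs",
    }


def _saml_time(value):
    # SAML timestamps are UTC, e.g. 2019-06-01T12:00:00Z.
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_response(xml_text, google_domain, idp_entity_id, now):
    """Return a list of mismatches (empty list = matches the guide's settings).

    Only element content is checked; a real SP also verifies the XML signature
    against the IdP certificate from step 2, which xml.etree cannot do.
    """
    problems = []
    sp = google_sp_settings(google_domain)
    root = ET.fromstring(xml_text)

    if root.get("Destination") != sp["acs_url"]:
        problems.append(f"Destination {root.get('Destination')!r} is not the ACS URL {sp['acs_url']!r}")

    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        problems.append("Response carries no Assertion")
        return problems

    issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS)
    if issuer != idp_entity_id:
        problems.append(f"Issuer {issuer!r} is not the IdP entity ID {idp_entity_id!r}")

    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None:
        problems.append("Subject has no NameID")
    else:
        fmt = name_id.get("Format")
        if fmt == NAMEID_TRANSIENT:
            problems.append("NameID is transient: [INTERNAL] SAML Transient ID must be a Denied Attribute (step 17)")
        elif fmt != NAMEID_UNSPECIFIED:
            problems.append(f"NameID Format {fmt!r} is not {NAMEID_UNSPECIFIED!r}")
        if not re.fullmatch(r"[^@\s]+@[^@\s]+\.[^@\s]+", name_id.text or ""):
            problems.append(f"NameID {name_id.text!r} is not a mail address (step 14 maps NameID to mail)")

    audience = assertion.findtext(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", default="", namespaces=NS)
    if audience != sp["audience"]:
        problems.append(f"Audience {audience!r} is not {sp['audience']!r}")

    conditions = assertion.find("saml:Conditions", NS)
    if conditions is not None:
        if conditions.get("NotBefore") and now < _saml_time(conditions.get("NotBefore")):
            problems.append("assertion is not yet valid (NotBefore)")
        if conditions.get("NotOnOrAfter") and now >= _saml_time(conditions.get("NotOnOrAfter")):
            problems.append("assertion has expired (NotOnOrAfter)")
    return problems


def _response(name_id_format, name_id, domain, issuer):
    # Constructed, unsigned sample shaped like a SAML 2.0 Response (not captured traffic).
    sp = google_sp_settings(domain)
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_r1" Version="2.0" IssueInstant="2019-06-01T12:00:00Z" Destination="{sp['acs_url']}">
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2019-06-01T12:00:00Z">
    <saml:Issuer>{issuer}</saml:Issuer>
    <saml:Subject><saml:NameID Format="{name_id_format}">{name_id}</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2019-06-01T11:59:00Z" NotOnOrAfter="2019-06-01T12:05:00Z">
      <saml:AudienceRestriction><saml:Audience>{sp['audience']}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


EXAMPLE_DOMAIN = "example.com"                # placeholder for GOOGLE_DOMAIN
EXAMPLE_IDP = "https://idp.example.com/idp"   # placeholder for the IdP Base URL
EXAMPLE_NOW = datetime(2019, 6, 1, 12, 1, tzinfo=timezone.utc)
GOOD = _response(NAMEID_UNSPECIFIED, "jdoe@example.com", EXAMPLE_DOMAIN, EXAMPLE_IDP)
TRANSIENT = _response(NAMEID_TRANSIENT, "_8f3c2a", EXAMPLE_DOMAIN, EXAMPLE_IDP)

if __name__ == "__main__":
    for label, doc in (("good", GOOD), ("transient", TRANSIENT)):
        print(label, check_response(doc, EXAMPLE_DOMAIN, EXAMPLE_IDP, EXAMPLE_NOW) or "OK")
```

Run it against a Response decoded from the browser's POST to the ACS URL after the two reloads; an empty result means the NameID, Audience and Destination agree with what steps 6 through 17 configured, while a transient NameID points back at the Denied Attribute in step 17.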