27.9 Configuring Integration with Google G Suite

This section describes how to configure the integration of Advanced Authentication with Google G Suite. With this integration, G Suite sign-in requests are authenticated by Advanced Authentication over SAML 2.0.

The following diagram represents Advanced Authentication in Google G Suite.

To configure the Advanced Authentication integration with Google G Suite using SAML 2.0, perform the following configuration tasks:

NOTE: As a prerequisite, ensure that you finalize the setup of G Suite by accepting the agreement and clicking Finalize setup.

27.9.1 Configuring the Advanced Authentication Event

  1. Open the Advanced Authentication Administration portal.

  2. Click Events > Add to add a new event with the following options:

    1. Name: Google

    2. Chains: select the required chains.

    3. Click Browse to upload the XML file (the Service Provider metadata file that you save in Section 27.9.4).

    4. Set Send E-Mail as NameID (suitable for G-Suite) to ON. This option applies to G Suite, which identifies the user by email address.

    5. Click Save.

27.9.2 Configuring to Authenticate on Google G-Suite with SAML 2.0

In Policies > Web Authentication, set Identity provider URL to https://AdvancedAuthenticationServerAddress/ and replace AdvancedAuthenticationServerAddress with the domain name or IP address of your Advanced Authentication server.

NOTE: To use multiple Advanced Authentication servers with SAML 2.0, you must do the following:

  1. Configure an external load balancer.

  2. Specify the address in Identity provider URL instead of specifying an address of a single Advanced Authentication server.

27.9.3 Obtaining the Signing Certificate of Advanced Authentication

  1. Click Server Options in the Advanced Authentication Administration portal.

  2. Check whether a Signing Certificate is already available. If it is, use that certificate.

  3. If no certificate exists, upload one.

  4. Navigate to Policies > Web Authentication and click Download IdP SAML 2.0 Metadata.

    A new tab opens with the SAML 2.0 metadata, which includes the signing certificate in X.509 format.

  5. Find the tag <ds:X509Certificate> and copy the base64 certificate text that follows it to a notepad file.

  6. Add -----BEGIN CERTIFICATE----- at the beginning and -----END CERTIFICATE----- at the end of the certificate in the notepad file.

  7. Save the notepad file for further use.
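Steps 4 to 7 can be automated. The following script, added here as an example and not part of the Advanced Authentication product, parses downloaded IdP metadata, takes the signing ds:X509Certificate, strips the line breaks the browser inserts, checks that the value is valid base64, and writes it as a PEM file. The metadata sample, the server address aa.example.test and the certificate bytes are constructed placeholders.

```python
import base64
import hashlib
import re
import textwrap
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed placeholder metadata: the bytes are NOT a real certificate, and
# the value is wrapped and indented the way a browser renders the metadata.
PLACEHOLDER_DER = b"placeholder-certificate-bytes-" * 6
SAMPLE_B64 = base64.b64encode(PLACEHOLDER_DER).decode()
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD_NS}" xmlns:ds="{DS_NS}"
    entityID="https://aa.example.test/osp/a/TOP/auth/saml2/metadata">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>
        {SAMPLE_B64[:60]}
        {SAMPLE_B64[60:]}
      </ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def extract_signing_cert(metadata_xml):
    """Return (PEM text, SHA-256 fingerprint) of the IdP signing certificate."""
    root = ET.fromstring(metadata_xml)
    for kd in root.iter(f"{{{MD_NS}}}KeyDescriptor"):
        # A KeyDescriptor without a 'use' attribute may be used for signing too.
        if kd.get("use", "signing") != "signing":
            continue
        node = kd.find(f".//{{{DS_NS}}}X509Certificate")
        if node is None or not (node.text or "").strip():
            continue
        # Step 5: drop the whitespace the browser inserted so the base64 is one
        # continuous string, and fail fast if the copied value is not valid base64.
        der = base64.b64decode(re.sub(r"\s+", "", node.text), validate=True)
        # Step 6: wrap at 64 columns between the standard PEM markers.
        body = "\n".join(textwrap.wrap(base64.b64encode(der).decode(), 64))
        pem = f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"
        return pem, hashlib.sha256(der).hexdigest()
    raise ValueError("metadata contains no signing ds:X509Certificate")

if __name__ == "__main__":
    pem, fingerprint = extract_signing_cert(SAMPLE_METADATA)
    open("aa-idp-signing.pem", "w").write(pem)   # the file to upload in 27.9.4
    print("SHA-256 fingerprint:", fingerprint)
```

Replace SAMPLE_METADATA with the text of the tab opened in step 4; the printed fingerprint lets you confirm later that the certificate uploaded to Google is the one you exported.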

27.9.4 Configuring Google G Suite

  1. Log in to the Google Administration console.

  2. Open the Security section.

  3. Expand Set up single sign-on (SSO).

  4. Enable Setup SSO with third party identity provider.

  5. Specify the following parameters:

    1. Sign-in page URL: https://<AdvancedAuthenticationServerAddress>/osp/a/TOP/auth/saml2/sso. Replace AdvancedAuthenticationServerAddress with the domain name or IP address of your Advanced Authentication server.

    2. Sign-out page URL: https://<AdvancedAuthenticationServerAddress>/osp/a/TOP/auth/app/logout.

    3. Change password URL: https://<AdvancedAuthenticationServerAddress> or Self-Service Password Reset URL.

    4. Upload the Identity Provider Signing Certificate that you prepared in Step 6 of Section 27.9.3.

  6. Clear Use a domain specific issuer if you have one domain in G Suite or select the option if you have more than one domain in G Suite.

    Ensure that each user account in Google corresponds to a user account in a repository. The email address in the Contact information of the Google account must be the same as the value of the email attribute of the corresponding repository account.

    NOTE: You cannot use the Google administrator account with SAML.

  7. Create a new text file and add the Service Provider metadata.

    Sample metadata is as follows:

    <EntityDescriptor entityID="google.com" xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
      <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
        <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
        <AssertionConsumerService index="1" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://www.google.com/a/mycompany.com" />
      </SPSSODescriptor>
    </EntityDescriptor>

    Replace mycompany.com in the Location URL with your primary domain from the Domains settings in Google.

    NOTE: It is not recommended to use the sample metadata in a production environment.

    NOTE: Use the Service Provider metadata as shown when G Suite has one domain. If you have more than one domain in G Suite, create a Service Provider metadata file for each domain and replace the entityID google.com with google.com/mycompany.com, where mycompany.com is that domain name.

  8. Save the text file with a .xml extension.
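The metadata in step 7 and the single-domain versus multi-domain rule in its NOTE can be generated instead of hand-edited. The script below is an added example, not code from NetIQ or Google; the output file names google-sp-<domain>.xml and the domain names in the main block are constructed.

```python
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
SAML_PROTOCOL = "urn:oasis:names:tc:SAML:2.0:protocol"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
EMAIL_NAMEID = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Serialise the metadata namespace as the default namespace, as in the sample.
ET.register_namespace("", MD_NS)


def sp_metadata(domain, multi_domain):
    """Return the Service Provider metadata XML for one G Suite domain.

    With a single domain the entityID stays google.com; with several domains
    it becomes google.com/<domain>, matching the domain-specific issuer that
    step 6 enables for multi-domain tenants (see the NOTE after step 7)."""
    entity_id = f"google.com/{domain}" if multi_domain else "google.com"
    ed = ET.Element(f"{{{MD_NS}}}EntityDescriptor", entityID=entity_id)
    sp = ET.SubElement(ed, f"{{{MD_NS}}}SPSSODescriptor",
                       protocolSupportEnumeration=SAML_PROTOCOL)
    ET.SubElement(sp, f"{{{MD_NS}}}NameIDFormat").text = EMAIL_NAMEID
    # The AssertionConsumerService Location carries the domain, which is the
    # value the text tells you to substitute for mycompany.com.
    ET.SubElement(sp, f"{{{MD_NS}}}AssertionConsumerService", index="1",
                  Binding=HTTP_POST, Location=f"https://www.google.com/a/{domain}")
    return ET.tostring(ed, encoding="unicode")


def build_sp_metadata_files(domains):
    """Map one .xml file name per domain (step 8) to its metadata text."""
    domains = list(dict.fromkeys(d.strip().lower() for d in domains if d.strip()))
    if not domains:
        raise ValueError("at least one G Suite domain is required")
    multi = len(domains) > 1
    return {f"google-sp-{d}.xml": sp_metadata(d, multi) for d in domains}


if __name__ == "__main__":
    # Constructed domain names: substitute the domains from Google's Domains settings.
    for name, xml in build_sp_metadata_files(["mycompany.com", "mycompany.example"]).items():
        with open(name, "w") as fh:
            fh.write(xml)
        print("wrote", name)
```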

27.9.5 Verifying Single Sign-on to Google G Suite

Open the Google sign-in page and enter the email address of the user as it appears in the Basic information of the Google account. Google redirects the browser to the Advanced Authentication server, where the user must authenticate with one of the chains selected for the Google event. After successful authentication, the Advanced Authentication server redirects the user back to Google.