To enable SSO to GSuite using SAML, you will need to configure both GSuite and OpenIAM. The following sections describe how to configure each side.
To configure the GSuite side, log in to the GSuite admin console at:
- Open the Security section as shown in the diagram below.
- Open the section titled Setup single sign-on (SSO) with a third party IdP, as shown below.
- GSuite will present the form shown below to capture details about the IdP. Complete the form using the table below.
| Field | Description |
|---|---|
| Set up SSO with third-party Identity Provider | Enable this checkbox. This flag enables / disables integration with a third party IdP such as OpenIAM. |
| Sign-in page URL | URL to sign in to OpenIAM. |
| Sign-out page URL | URL where users are redirected after they log out. |
| Certificate file upload | Upload the certificate that you created here. |
| Use a domain specific issuer | Enable this checkbox. This is especially important if you are integrated with multiple GSuite tenants. |
| Change password URL | URL to change the password using the OpenIAM IdP. |
Configure OpenIAM IdP
The OpenIAM IdP must be configured to support the service provider. The steps below describe this process.
- Log in to the OpenIAM Webconsole
- Go to Access Control -> Authentication Provider -> Create new Provider
- Select SAML IdP from the dropdown. This means that OpenIAM is acting as the IdP.
- Complete the form as described in the table below.
| Field | Description |
|---|---|
| Provider Name | Descriptive name that will help you identify this integration; i.e. |
| Application URL | Refers to your GSuite tenant. |
| Linked to Managed System | OpenIAM allows you to have a different identity for each application. This configuration indicates which identity should be used for this integration with GSuite. If you are using OpenIAM to also manage the user life cycle in GSuite, then you should select the 'GSuite Managed System'. |
| Assertion Consumer URL | Endpoint on the service provider where the IdP will "POST" its authentication response. |
| Request Issuer | This is the URL of your service provider. |
| SAML Signed Requests | Enable this checkbox, as it signs your requests. |
| Digest Algorithm | The SAML digest algorithm is part of the validation process to ensure the integrity of the request. Select |
| Signature Algorithm | Select |
| Sign Assertions | Enable this checkbox. |
| Public key for validating signatures | Upload the certificate created earlier. The certificate will be used for validating the signature. |
| Name ID Format | Select |
| SLO Binding | Defines how the Single Logout request should be exchanged. Select |
| Relay state strategy | URL that users will be directed to after a successful authentication using SAML. Select |
With the IdP / SP configuration complete, return to the SAML configuration page in GSuite and follow the steps to "Grant access to your application".
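Before granting access, it is worth catching mismatches between the two forms. The script below is an added illustration, not OpenIAM or Google code: it takes the field values from the two tables above as plain dictionaries (all URLs, domains and algorithm names are constructed placeholders) and reports unsigned requests or assertions, weak digest/signature algorithms, non-HTTPS endpoints, and an issuer that does not name the tenant when a domain specific issuer is in use.

```python
"""Sanity-check a GSuite (SP) / OpenIAM (IdP) SAML pairing before enabling SSO."""
from urllib.parse import urlparse

# Constructed sample of the GSuite "SSO with third-party IdP" form values.
GSUITE_SP = {
    "sso_enabled": True,
    "tenant_domain": "example.com",
    "sign_in_url": "https://idp.example.com/idp/saml2/sso",
    "sign_out_url": "https://idp.example.com/idp/logout",
    "use_domain_specific_issuer": True,
}

# Constructed sample of the OpenIAM "SAML IdP" provider form values.
OPENIAM_IDP = {
    "assertion_consumer_url": "https://www.google.com/a/example.com/acs",
    "request_issuer": "google.com/a/example.com",
    "saml_signed_requests": True,
    "digest_algorithm": "SHA256",
    "signature_algorithm": "RSA_SHA256",
    "sign_assertions": True,
}

WEAK_ALGORITHMS = {"SHA1", "RSA_SHA1", "MD5"}  # never accept these for SAML


def _is_https(url):
    parsed = urlparse(url)
    return parsed.scheme == "https" and bool(parsed.netloc)


def check_saml_pairing(sp, idp):
    """Return a list of findings; an empty list means the pairing looks sound."""
    findings = []
    if not sp["sso_enabled"]:
        findings.append("GSuite: third-party IdP SSO is not enabled")
    for key in ("sign_in_url", "sign_out_url"):
        if not _is_https(sp[key]):
            findings.append(f"GSuite: {key} must be an https URL")
    if not _is_https(idp["assertion_consumer_url"]):
        findings.append("OpenIAM: Assertion Consumer URL must be an https URL")
    if not (idp["saml_signed_requests"] and idp["sign_assertions"]):
        findings.append("OpenIAM: enable both 'SAML Signed Requests' and 'Sign Assertions'")
    for key in ("digest_algorithm", "signature_algorithm"):
        if idp[key].upper() in WEAK_ALGORITHMS:
            findings.append(f"OpenIAM: {key} '{idp[key]}' is weak; use a SHA-256 variant")
    # With a domain specific issuer, the SP issuer must identify this tenant.
    if sp["use_domain_specific_issuer"] and sp["tenant_domain"] not in idp["request_issuer"]:
        findings.append("OpenIAM: Request Issuer does not name the GSuite tenant domain")
    return findings
```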