GSuite SSO

To enable SSO to GSuite using SAML, you will need to configure both GSuite and OpenIAM. The following section describes how to configure both.

Configure GSuite

To configure the GSuite side, log in to the GSuite admin console at https://admin.google.com/

  • Open the Security section as shown in the diagram below

[Figure: GSuite admin console, Security section]

  • Open the section titled Setup single sign-on (SSO) with a third party IdP as shown below.

[Figure: GSuite Security section, Setup single sign-on (SSO) with a third party IdP]

  • GSuite will present the form shown below to capture details about the IdP. Complete the form as described in the table below.

    Field Name | Description
    Set up SSO with third-party Identity Provider | Enable this checkbox. This flag enables / disables integration with a third party IdP such as OpenIAM.
    Sign-in page URL | URL to sign in to OpenIAM: https://[your openiam instance]/idp/saml2/idp/login
    Sign-out page URL | URL where users are redirected after they log out: https://[your openiam instance]/idp/saml2/idp/logout
    Certificate file upload | Upload the certificate that you created here.
    Use a domain specific issuer | Enable this checkbox. This is especially important if you are integrating with multiple GSuite tenants.
    Change password URL | URL to change the password using the OpenIAM IdP: http://[your openiam instance]/idp/changePwd.html

[Figure: GSuite third-party IdP configuration form]

Configure OpenIAM Authentication provider

The OpenIAM IdP must be configured to support the service provider. The steps below describe this process.

  • Log in to the OpenIAM Webconsole
  • Go to Access Control -> Authentication Provider -> Create new Provider
  • Select SAML IdP from the dropdown. This means that OpenIAM is acting as the IdP.
  • Complete the form as described in the table below.

    Field Name | Description
    Provider Name | Descriptive name that will help you identify this integration, e.g. GSuite
    Application URL | Refers to your GSuite tenant: https://mail.google.com/a/[your gsuite domain]
    Linked to Managed System | OpenIAM allows you to have a different identity for each application. This configuration indicates which identity should be used for this integration with GSuite. If you are using OpenIAM to also manage the user life cycle in GSuite, then you should select the 'GSuite Managed System'.
    Assertion Consumer URL | Endpoint on the service provider where the IdP will "POST" its authentication response: https://www.google.com/a/[your gsuite domain]/acs
    Request Issuer | This is the URL of your service provider: http://google.com/a/[your gsuite domain]
    SAML Signed Requests | Enable this checkbox, as it signs your requests.
    Digest Algorithm | The SAML digest algorithm is part of the validation process that ensures the integrity of the request. Select SHA-256 from the dropdown.
    Signature Algorithm | Select http://www.w3.org/2001/04/xmldsig-more#rsa-sha256 from the dropdown.
    Sign Assertions | Enable this checkbox.
    Public key for validating signatures | Upload the certificate created earlier. The certificate will be used for validating the signature.
    Name ID Format | Select urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
    SLO Binding | Defines how the Single Logout request should be exchanged. Select POST.
    Relay state strategy | URL that users will be directed to after a successful authentication using SAML. Select Default Relay State Strategy.

[Figure: OpenIAM SAML IdP authentication provider configuration]
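An added configuration-level check (example code, not OpenIAM's or Google's): given the GSuite domain, it derives the Assertion Consumer URL and Request Issuer from the table above and verifies that a SAML Response carries those values, the emailAddress Name ID format, a signed assertion and the SHA-256 digest and signature algorithms. The sample response is constructed with a placeholder SignatureValue; cryptographic verification of the signature is done by the SAML stack on each side, not here.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
EMAIL_NAMEID = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
SHA256_DIGEST = "http://www.w3.org/2001/04/xmlenc#sha256"

def expected_sp_settings(gsuite_domain):
    """ACS URL and Request Issuer as given in the OpenIAM provider table."""
    return {"acs_url": f"https://www.google.com/a/{gsuite_domain}/acs",
            "sp_entity_id": f"http://google.com/a/{gsuite_domain}"}

def check_saml_response(xml_text, gsuite_domain):
    """Return the list of configuration-level mismatches (empty means consistent)."""
    exp = expected_sp_settings(gsuite_domain)
    root = ET.fromstring(xml_text)
    problems = []
    if root.get("Destination") != exp["acs_url"]:
        problems.append("Destination is not the GSuite ACS URL")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return problems + ["no Assertion element"]
    audience = assertion.find("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)
    if audience is None or audience.text != exp["sp_entity_id"]:
        problems.append("Audience is not the Request Issuer (SP entity ID)")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != EMAIL_NAMEID:
        problems.append("NameID Format is not emailAddress")
    elif not (name_id.text or "").endswith("@" + gsuite_domain):
        problems.append("NameID is not an e-mail address in the GSuite domain")
    sig = assertion.find("ds:Signature", NS)
    if sig is None:
        return problems + ["Assertion is not signed (enable Sign Assertions)"]
    sig_alg = sig.find("ds:SignedInfo/ds:SignatureMethod", NS)
    dig_alg = sig.find("ds:SignedInfo/ds:Reference/ds:DigestMethod", NS)
    if sig_alg is None or sig_alg.get("Algorithm") != RSA_SHA256:
        problems.append("SignatureMethod is not rsa-sha256")
    if dig_alg is None or dig_alg.get("Algorithm") != SHA256_DIGEST:
        problems.append("DigestMethod is not SHA-256")
    return problems

# Constructed sample (placeholder SignatureValue, no real key) for the domain example.com.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
 Destination="https://www.google.com/a/example.com/acs"><saml:Assertion>
<saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID></saml:Subject>
<saml:Conditions><saml:AudienceRestriction><saml:Audience>http://google.com/a/example.com</saml:Audience></saml:AudienceRestriction></saml:Conditions>
<ds:Signature><ds:SignedInfo><ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<ds:Reference><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/></ds:Reference></ds:SignedInfo>
<ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature></saml:Assertion></samlp:Response>"""
```

Run `check_saml_response(SAMPLE_RESPONSE, "example.com")` to see an empty list; swapping the signature algorithm for SHA-1 or checking against another domain shows the mismatches as they would arise from a mistyped field.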

With the IdP / SP configuration complete, return to the SAML configuration page in GSuite and follow the steps to "Grant access to your application".