Set up Google Apps

Configuring Google Apps to authenticate with SAML2 enterprise authentication using Ipsilon.

This guide describes how to set up Google Apps to authenticate against Ipsilon as a SAML2 SP.

This guide has been tested with:

  • Enterprise Linux 7.2
  • Ipsilon 1.0.0 (Tech Preview in EL7.2)

but is known to work with other versions.

Prerequisites:

Configure Ipsilon

Go to your Ipsilon web management URL and log in with an administrator account. Then go to Administration -> Identity Providers -> SAML2 -> Manage, and click Add New. For Name you can enter anything you like. For Metadata text, enter the following, replacing "mydomain.com" in both places (the entityID and the AssertionConsumerService Location) with your Google Apps domain name:

<EntityDescriptor entityID="google.com/a/mydomain.com" xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
    <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">

        <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</NameIDFormat>

        <AssertionConsumerService index="1" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://www.google.com/a/mydomain.com/acs" />
    </SPSSODescriptor>
</EntityDescriptor>

Now click Add.
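The metadata above is short, but it is easy to substitute the domain in only one of the two places, or to paste an ACS URL that does not match the entityID. The following script is an added example, not part of the Ipsilon project or this guide: it renders the guide's template with the domain substituted in both places and then checks the properties the SP metadata must have before you paste it into Ipsilon (same domain in entityID and ACS Location, HTTPS-only ACS endpoint, HTTP-POST binding, the unspecified NameID format). The "mydomain.com" default and the check_metadata/render_metadata function names are this example's own choices.

```python
"""Render and sanity-check the Google Apps SP metadata for Ipsilon.

Added example (not Ipsilon's own code). It fills in the guide's metadata
template with the Google Apps domain in both places and verifies the
invariants Ipsilon and Google rely on.
"""
import sys
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
SAML2_PROTOCOL = "urn:oasis:names:tc:SAML:2.0:protocol"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
NAMEID_UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
ENTITY_PREFIX = "google.com/a/"

# The template from the guide, with {domain} where "mydomain.com" appears.
TEMPLATE = """<EntityDescriptor entityID="{prefix}{domain}" xmlns="{md}">
    <SPSSODescriptor protocolSupportEnumeration="{proto}">
        <NameIDFormat>{nameid}</NameIDFormat>
        <AssertionConsumerService index="1" Binding="{binding}"
        Location="https://www.google.com/a/{domain}/acs" />
    </SPSSODescriptor>
</EntityDescriptor>
"""


def render_metadata(domain: str) -> str:
    """Return the SP metadata text to paste into Ipsilon's 'Metadata text' box."""
    if not domain or "/" in domain or " " in domain:
        raise ValueError(f"not a plausible domain name: {domain!r}")
    return TEMPLATE.format(prefix=ENTITY_PREFIX, domain=domain, md=MD_NS,
                           proto=SAML2_PROTOCOL, binding=HTTP_POST,
                           nameid=NAMEID_UNSPECIFIED)


def check_metadata(xml_text: str) -> list:
    """Return a list of problems found; an empty list means the metadata is consistent."""
    problems = []
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD_NS}}}EntityDescriptor":
        return [f"root element is {root.tag}, expected md:EntityDescriptor"]

    entity_id = root.get("entityID", "")
    if not entity_id.startswith(ENTITY_PREFIX):
        problems.append(f"entityID {entity_id!r} does not start with {ENTITY_PREFIX!r}")
    entity_domain = entity_id[len(ENTITY_PREFIX):]

    sp = root.find(f"{{{MD_NS}}}SPSSODescriptor")
    if sp is None:
        return problems + ["no SPSSODescriptor element"]
    if SAML2_PROTOCOL not in (sp.get("protocolSupportEnumeration") or "").split():
        problems.append("SPSSODescriptor does not list the SAML 2.0 protocol")

    nameid = sp.findtext(f"{{{MD_NS}}}NameIDFormat")
    if nameid != NAMEID_UNSPECIFIED:
        problems.append(f"NameIDFormat is {nameid!r}, expected {NAMEID_UNSPECIFIED!r}")

    acs_list = sp.findall(f"{{{MD_NS}}}AssertionConsumerService")
    if not acs_list:
        problems.append("no AssertionConsumerService element")
    for acs in acs_list:
        location = acs.get("Location", "")
        url = urlparse(location)
        if acs.get("Binding") != HTTP_POST:
            problems.append(f"ACS binding {acs.get('Binding')!r} is not HTTP-POST")
        if url.scheme != "https":
            # Assertions must never be posted over plain HTTP.
            problems.append(f"ACS Location {location!r} is not https")
        if url.netloc != "www.google.com" or url.path != f"/a/{entity_domain}/acs":
            # Catches the classic mistake of replacing the domain only once.
            problems.append(f"ACS Location {location!r} does not match entityID domain {entity_domain!r}")
    return problems


if __name__ == "__main__":
    domain = sys.argv[1] if len(sys.argv) > 1 else "mydomain.com"
    metadata = render_metadata(domain)
    print(metadata)
    for problem in check_metadata(metadata):
        print("PROBLEM:", problem)
```

Run it as `python3 google_sp_metadata.py yourdomain.example` and paste the printed metadata into Ipsilon only if no PROBLEM lines follow it. check_metadata can also be pointed at metadata you wrote by hand; the domain-consistency check is the one that most often catches a half-edited template.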

Configure Google Apps

  • Go to https://admin.google.com/ and log in with your admin account.
  • Click the Security link (you might need to click on More Controls to see it if you don't use it often).
  • Expand "Set up Single sign-On (SSO)"
  • Scroll down, and check the checkbox next to "Setup SSO with third party identity provider"
  • For Sign-in page URL, enter: https://myidp.example.com/idp/saml2/SSO/Redirect
  • For sign-out page URL, enter: https://myidp.example.com/idp/logout
  • For Change password URL, enter any page where the users can change their password
  • For Verification Certificate, upload the file that's on Ipsilon as /var/lib/ipsilon/idp/saml2/idp.pem
  • Check the "Use a domain specific issuer" checkbox
  • Hit Save

Now wait about 15 minutes for Google to sync this out.

Try it out

Log out if you are logged in. Go to any Google login page, and enter your Apps email address. You should now be forwarded to Ipsilon to log in, and afterwards sent back to Google, logged in.

Note: Google will not redirect you to Ipsilon if you enter an Admin account email address or one that is unknown to them.
