SAML SSO with Google
SAML and SSO
The primary role of Security Assertion Markup Language (SAML) in online security is to let you access multiple web applications with one set of login credentials. It works by passing authentication information in a defined XML format between two parties, usually an identity provider (here Google, the IdP) and a web application (here NorthGRC, the Service Provider).
Web applications can use SAML through the identity provider to grant access to their users. With this authentication approach, users do not need to remember multiple usernames and passwords. It also benefits service providers by increasing security: the service provider never stores passwords and does not have to handle forgotten-password issues.
SAML Single Sign-On (SSO) is a mechanism built on SAML that lets users log in to multiple web applications after a single login at the identity provider. Because the user only has to log in once, SAML SSO provides a faster, seamless user experience.
The SAML protocol has no direct communication channel between the Identity Provider (Google) and the Service Provider (NorthGRC), so it is not possible to import or synchronize users. Users are created in NorthGRC on the fly when they authenticate with the external SAML IdP (Google).
Configuration in Google part 1
First we will set up Google to allow NorthGRC as a Service Provider:
- Go to the Google Admin Console (admin.google.com)
- Go to Apps > Web and mobile apps.
- Click Add App and then Add custom SAML app.
- On the App Details page:
  - Name: NorthGRC
  - Description: Information Security Management System (ISMS)
  - Click Continue
- On the Google Identity Provider details page:
  - Download the IdP metadata to an XML file
Configuration in NorthGRC
Before we continue with the Google configuration, we need some information from the service provider (NorthGRC).
- Open a new tab in your browser and go to your NorthGRC instance
- Log in with a User Manager account
- Navigate to Settings -> User Directories
- Select "Add SAML user directory"
- Set the name to "Google" and check "Show button on login page" (NOT SSO)
- Switch to the "Identity Provider" tab
- Locate the downloaded IdP metadata file and upload it
- Click the green Create button
- Click the edit button on the new directory provider in the list
- Switch to the "SP Information" tab
- Note or copy the information shown there (the ACS URL and the Entity ID), or keep this page open while you continue with the Google configuration.
Configuration in Google part 2
- Back in the Google configuration, click Continue.
- In the Service Provider Details window:
  - ACS URL: <assertion URL from the NorthGRC SP Information tab>
  - Entity ID: <ID from the NorthGRC SP Information tab>
  - Click Continue
- On the Attribute mapping page, add the following attributes:
  - Basic Information.First name -> givenName
  - Basic Information.Last name -> surname
  - Basic Information.Primary email -> email
  - Basic Information.Primary email -> uid
- In the Group membership area:
  - Under Google groups, add all the groups that should be included in the assertion when the user is a member of them.
  - Attribute name: affiliationGroups
- Click Finish
Now we need to allow our users to access NorthGRC as a Service Provider:
- Go to the Google Admin Console (admin.google.com)
- Go to Apps > Web and mobile apps.
- Click on NorthGRC in the list
- Click User access
- Click ON for everyone, and then click Save.
Testing
When testing the login, we recommend using a new incognito window for each test, so that previously saved authentication is not reused.
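When a test login fails, it helps to see what NorthGRC actually receives and whether it matches the SP Information values. The following is an added example (not code from the original page or from NorthGRC) that parses a constructed, unsigned SAML response carrying the attribute mapping configured above and reports the usual mismatches; the Entity ID, ACS URL, names and group addresses are placeholders.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion", "samlp": "urn:oasis:names:tc:SAML:2.0:protocol"}
# Placeholders for the values shown on NorthGRC's "SP Information" tab.
SP_ENTITY_ID = "https://northgrc.example/saml/metadata"  # placeholder Entity ID
ACS_URL = "https://northgrc.example/saml/acs"            # placeholder ACS URL

# Constructed sample of what Google sends after the attribute mapping above. The XML
# signature is left out; a real SP must verify it against the IdP metadata certificate first.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    Destination="{ACS_URL}" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Conditions>
      <saml:AudienceRestriction>
        <saml:Audience>{SP_ENTITY_ID}</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="givenName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="surname"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="email"><saml:AttributeValue>jane.doe@example.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="uid"><saml:AttributeValue>jane.doe@example.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="affiliationGroups">
        <saml:AttributeValue>isms-admins@example.com</saml:AttributeValue>
        <saml:AttributeValue>staff@example.com</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

REQUIRED = ("givenName", "surname", "email", "uid")  # affiliationGroups is optional

def parse_response(xml_text, sp_entity_id=SP_ENTITY_ID, acs_url=ACS_URL):
    """Return (attributes, problems): attributes maps Name -> list of values; problems
    lists audience/ACS mismatches and missing mapped attributes (typical login failures)."""
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    attrs = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    problems = []
    audience = assertion.findtext("saml:Conditions/saml:AudienceRestriction/saml:Audience", namespaces=NS)
    if audience != sp_entity_id:
        problems.append(f"Audience {audience!r} does not match Entity ID {sp_entity_id!r}")
    if root.get("Destination") != acs_url:
        problems.append(f"Destination {root.get('Destination')!r} does not match ACS URL {acs_url!r}")
    for name in REQUIRED:
        if not attrs.get(name):
            problems.append(f"missing attribute {name}")
    return attrs, problems
```

Paste a real (decoded) response from the browser's SAML trace in place of the sample to check a failing login; an Audience or Destination mismatch means the values entered in Google do not match the SP Information tab.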
Google error messages
Google describes the errors that are common when setting up SAML 2.0 with Google Workspace here: