As part of an ongoing series, we’re helping to explain ways to configure SimpleSAMLphp as a centralized identity provider (IDP) for your organization. Last week, we integrated our existing SimpleSAMLphp server with Azure Active Directory so that we could use it as an identity provider for Microsoft’s Office 365. This week, we’ll do the same type of integration, but with Google’s G-Suite. When logging into tools like Gmail with our domain, users will be directed to our server for authentication instead.
Key Components

In order to follow along with this tutorial, you’ll need access to the following components:

- SimpleSAMLphp Server – You can (and should) use the same server we’ve been working with for the past few weeks. As with last week, continuing to use Tozny for authentication is not a requirement so long as you have some authentication provider configured.
- Google G-Suite – a hosted suite of office productivity apps produced, hosted, and maintained by Google. If you’ve used Gmail or Google Docs you’ve used the free version; the G-Suite is the business-ready version that works with your own domain. You will need to set up an account and have administrator credentials.
As with previous weeks, we will assume the users’ authentication domain is somesite.com and the SimpleSAMLphp server is running on a dedicated subdomain like sso.somesite.com.
IDP and Authentication

To make things simpler, we’ll use the same configuration from our last few tutorials – you will have an authentication source called “somesite” that uses the “toznyauth:External” module for authentication against Tozny’s secure API. For reference, the configuration in authsources.php will look like:
```php
'somesite' => array(
    'toznyauth:External',
    'realm_key_id' => 'sid_...',
    'realm_secret_key' => '49f127...fd9',
    'api_url' => 'https://api.tozny.com',
    'attributes' => array(
        'IDPEmail' => 'urn:oasis:names:tc:SAML:2.0:attrname-format:emailAddress',
    ),
),
```

The configuration in /metadata/saml20-idp-hosted.php will look like:
```php
$metadata['https://sso.somesite.com'] = array(
    // The hostname of the server this SAML entity will use.
    'host' => 'sso.somesite.com',
    // X.509 key and certificate. Relative to the /cert directory.
    'privatekey' => 'somesite.key',
    'certificate' => 'somesite.crt',
    'auth' => 'somesite',
);
```
Remote Service Provider

For this walkthrough, we will register G-Suite as a new remote service provider – this means telling SimpleSAMLphp what set of metadata to use when it prepares the SAML document after a user authenticates. To create the new service provider, add the following to /metadata/saml20-sp-remote.php, replacing somesite.com with the appropriate domain you’re configuring:
```php
// Google configuration for Tozny IDP
$metadata['google.com/a/somesite.com'] = array(
    'AssertionConsumerService' => 'https://www.google.com/a/somesite.com/acs',
    'NameIDFormat' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:email',
    'simplesaml.nameidattribute' => 'IDPEmail',
    'simplesaml.attributes' => FALSE,
);
```

When Google redirects users to SimpleSAMLphp, the server will load this information and use it to prepare the SAML response and send it to the correct location (the AssertionConsumerService field above) when the user has completed authentication. Google uses the email address of the newly-logged-in user to identify them in their own system, so the email attribute (IDPEmail in this configuration) is passed along as the NameID, the primary identifier; no other attributes are released.
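As an added example (not code from the post or from SimpleSAMLphp itself), here is a small PHP lint that checks the three configuration fragments above are consistent with each other: the hosted IDP points at an authsource that exists, that authsource releases the attribute the Google entry uses as the NameID, and the Google entry carries the HTTPS ACS URL and email NameID format for the expected domain. The function name lintGoogleSso and the inline copies of the arrays are this example’s own; in a deployment you would load the real metadata files instead.

```php
<?php
// Added example, not part of the original post: a lint over inline copies of the
// tutorial's authsources.php, saml20-idp-hosted.php and saml20-sp-remote.php entries.
$domain = 'somesite.com';

$authsources = [
    'somesite' => [
        'toznyauth:External',
        'api_url' => 'https://api.tozny.com',
        'attributes' => ['IDPEmail' => 'urn:oasis:names:tc:SAML:2.0:attrname-format:emailAddress'],
    ],
];
$idpHosted = ['https://sso.somesite.com' => ['host' => 'sso.somesite.com', 'auth' => 'somesite']];
$spRemote = ["google.com/a/$domain" => [
    'AssertionConsumerService' => "https://www.google.com/a/$domain/acs",
    'NameIDFormat' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:email',
    'simplesaml.nameidattribute' => 'IDPEmail',
    'simplesaml.attributes' => false,
]];

function lintGoogleSso(string $domain, array $authsources, array $idpHosted, array $spRemote): array {
    $problems = [];
    $sp = $spRemote["google.com/a/$domain"] ?? null;
    if ($sp === null) {
        return ["no saml20-sp-remote entry for google.com/a/$domain"];
    }
    // The ACS must be Google's HTTPS endpoint for this exact domain; a mistyped
    // domain would otherwise send signed assertions to the wrong tenant.
    if (($sp['AssertionConsumerService'] ?? '') !== "https://www.google.com/a/$domain/acs") {
        $problems[] = "AssertionConsumerService is not https://www.google.com/a/$domain/acs";
    }
    if (($sp['NameIDFormat'] ?? '') !== 'urn:oasis:names:tc:SAML:2.0:nameid-format:email') {
        $problems[] = 'NameIDFormat must be the email format Google expects';
    }
    // Google only reads the NameID, so the attribute chosen for it must actually be
    // released by the authsource each hosted IDP entity points at.
    $nameIdAttr = $sp['simplesaml.nameidattribute'] ?? '';
    foreach ($idpHosted as $entityId => $idp) {
        $source = $authsources[$idp['auth'] ?? ''] ?? null;
        if ($source === null) {
            $problems[] = "$entityId: 'auth' does not name a configured authsource";
        } elseif (!isset($source['attributes'][$nameIdAttr])) {
            $problems[] = "$entityId: authsource does not release '$nameIdAttr' for the NameID";
        }
    }
    return $problems;
}

print_r(lintGoogleSso($domain, $authsources, $idpHosted, $spRemote));
```

Run it with php on the command line; an empty array means the three fragments agree, and each string in a non-empty array names the mismatch to fix before pointing Google at the server.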
Configuring the G-Suite

Configuring the Google side of things requires an administrator account and takes place entirely in the Google Admin Console at https://admin.google.com/somesite.com.
Note: Even when configuring Tozny’s app-powered authentication for your users, administrators will still need to use a password to log in. This allows them to log in independent of any external IDP configuration.

After logging in, select the “Security” tile. Then scroll to the bottom of the page and click “Set up single sign-on (SSO).” The SSO configuration page has many options; we want to select the “Setup SSO with third party identity provider” section to configure the SimpleSAMLphp connection. The values that you need here are as follows:
- Sign-in page URL: https://sso.somesite.com/saml2/idp/SSOService.php
- Sign-out page URL: https://sso.somesite.com/module.php/core/authenticate.php?as=somesite
- Change password URL: https://sso.somesite.com/module.php/core/authenticate.php?as=somesite
Provisioning Users with Google

Creating users is a two-step process. The users must exist both in Tozny’s system (or your chosen authentication service) to power authentication and in Google’s system to power licensing and authorization to various services. If you haven’t already created a user with Tozny, visit the admin portal and do so, setting the IDPEmail field to be equal to the email address the user will use when authenticating with Google (i.e. firstname.lastname@example.org).
If you’re using an authentication source besides Tozny, create your user there and set the IDPEmail appropriately. Now, return to the Google admin portal and select the “Users” tile. From here, you can create as many users as you need for your organization – just be sure the email addresses match those configured on the Tozny side.
Remember: Super users and administrators should still use passwords for authenticating against Google services so they can log in for management independently of the external IDP. This will help protect against potential outages should anything go wrong with either SimpleSAMLphp or the external IDP you use for authentication.