Enable Single Sign On via GSuite using SAML

  • Updated

    Resolution Intelligence Cloud ensures secure Single Sign On through Gsuite or Google workspace using SAML connection. This document provides the steps to configure G Suite for Single Sign On with Resolution Intelligence Cloud using SAML.

    With Google SSO, you can:

    • Enable your users to login to Google
    • Have centralized and easy control of the users

    Important: Refer to this article for details on how to reset MFA for a specific user if the user lost an MFA-enabled device.

    Prerequisites

    • Admin role in both Resolution Intelligence and GSuite

    Configuring SAML SSO in GSuite

    To set up SAML-based SSO in GSuite, follow the steps below.

    STEP 1:

    Set up your own custom SAML app

    1. Sign in to your Google Admin console.
      Sign in using an account with super administrator privileges (does not end in @gmail.com).
    2. In the Admin console, go to Apps - > Web and mobile apps.
    3. Click Add App -> Add custom SAML app.
    4. On the App Details page:
      1. Enter a name for custom app.
      2. (Optional) Upload an app icon. The app icon appears on the Web and mobile apps list, on the app settings page, and in the app launcher. If you don't upload an icon, an icon is created using the first two letters of the app name.

    5. Click Continue.

    6. On the Google Identity Provider details page, get the setup information needed by the Netenrich:

      1. Download the IDP metadata.
      2. Copy the SSO URL and Entity ID and download the Certificate (or SHA-256 fingerprint, if needed).

    7. Click Continue.

    8. In the Service Provider Details window, enter:

      • ACS URL: https://auth.netenrich.com/login/callback
      • Entity ID:  urn:auth0:prod-netenrich:<customername>saml
      • Start URL: https://auth.netenrich.com
        Note: For <customer name>, type your company name and it should be a unique name to identify the connection. Later, this name will be used to configure the SAML connection in Resolution Intelligence Cloud.
        For example, company name: ACME and its entity id is urn:auth0:prod-netenrich: acmesaml

    9. The default Name ID must be primary email.

    10. Click Continue

    Picture1.png

    STEP 2:

    Turn on your SAML app

    1. Sign in to your Google Admin console.
      Sign in using an account with super administrator privileges (does not end in @gmail.com).
    2. In the Admin console, go to Menu Apps -> Web and mobile apps.
    3. Select the app that you have created for Resolution Intelligence Cloud.
    4. Click User access.
    5. To turn a service on or off for everyone in your organization, click On for everyone or Off for everyone, and then click Save.
    6. (Optional) To turn a service on or off for an organizational unit:
      1. At the left, select the organizational unit.
      2. To change the Service status, select On or Off.
      3. Choose one:
        • If the Service status is set to Inherited and you want to keep the updated setting, even if the parent setting changes, click Override.
        • If the Service status is set to Overridden, either click Inherit to revert to the same setting as its parent, or click Save to keep the new setting, even if the parent setting changes.
        • To turn on a service for a set of users across or within organizational units, select an access group. For details, go to turn on a service for a group.
    7. Ensure that the email addresses your users use to sign in to the SAML app match the email addresses they use to sign in to your Google domain.

    Configuring SAML SSO in Resolution Intelligence Cloud

    To configure SAML connection,

    1. From Resolution Intelligence Cloud home screen, click Configurations --> Authentication in the left menu
    2. Click Setup Provider under the SAML tile
      A New SAML Connection form appears
    3. Enter the following fields and click Create at the bottom of screen
    Field Description
    Connection name

    Logical identifier for your connection; it must be unique. Once set, this name can't be changed.
    For connection name, type the name in below format.
    <customername>saml
    NOTE: For “customername”, type your company name

    For example, if your company name is ACME and then type your connection name as acmesaml. It should be same as entity ID provided in the step 1 of Configuring SAML SSO in GSuite.
    Sign in URL SSO URL that you have noted down from GSuite SAML settings
    X509 Signing Certificate Select the certificate (i.e IDP metadata) that you have downloaded from GSuite SAML settings
    Sign out URL (Optional) Logout URL that you have noted down from GSuite SAML settings
    User ID Attribute Copy below URL for User ID Attribute http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
    Sign Request Algorithm  Optional
    Sign Request Digest Algorithm  Optional
    Protocol Binding  Optional
    Identity Provider Domains Enter a list of trusted domains which you want to be identified as identity providers. These are the domains that users accounts have. Examples : user login is user@contoso.com, enter contoso.com. If there are multiple domains, then enter all the domains as comma-separated list.

    4. You have established SAML connection successfully

    Invite User with SSO Integration

    • For users to be able to login using SSO, they must be re-invited using SSO connection.
    • An existing Owner/Global Admin user with local authentication logged in, add a new user with Owner role by enabling the newly created SSO integration in Resolution Intelligence Cloud.

    Picture12.png

    • Newly invited user will be redirected to GSuite for authentication.
    • For exists users with local authentication, users must be deleted and re-invited using SSO connection."

    Related articles

    Comments

    0 comments

    Please sign in to leave a comment.