This article describes the procedure for configuring single sign-on via GSuite using SAML integration with Resolution Intelligence Cloud.
Resolution Intelligence Cloud ensures secure Single Sign-On through GSuite or Google Workspace using SAML connections. This document provides the steps to configure GSuite for Single Sign-On with Resolution Intelligence Cloud using SAML.
With Google SSO, you can:
- Enable your users to log in to Google
- Have centralized and easy control of the users
Important: Refer to this article for details on how to reset MFA for a specific user if the user lost an MFA-enabled device.
Prerequisites
- Admin role in both Resolution Intelligence and GSuite
Configuring SAML SSO in GSuite
To set up SAML-based SSO in GSuite, follow the steps below.
STEP 1:
Set up your own custom SAML app
- Sign in to your Google Admin console.
Sign in using an account with super administrator privileges (does not end in @gmail.com).
- In the Admin console, go to Apps -> Web and mobile apps.
- Click Add App -> Add custom SAML app.
- On the App Details page:
- Enter a name for the custom app.
- Optional: Upload an app icon. The app icon appears on the Web and mobile apps list, on the app settings page, and in the app launcher. If you don't upload an icon, an icon is created using the first two letters of the app name.
5. Click Continue.
6. On the Google Identity Provider details page, get the setup information needed by Netenrich:
- Download the IDP metadata.
- Copy the SSO URL and Entity ID and download the Certificate (or SHA-256 fingerprint, if needed).
7. Click Continue.
8. In the Service Provider Details window, follow these steps according to your specific region:
US Region:
If your login URL to RIC App is https://app.netenrich.com
- In the Entity ID, type urn:auth0:prod-netenrich:customernamesaml
NOTE: For <customer name>, type your company name; it should be a unique name to identify the connection. Later, this name will be used to configure the SAML connection in Resolution Intelligence Cloud.
For example, company name: ACME and its entity id is urn:auth0:prod-netenrich:acmesaml
- In the ACS URL field, type https://auth.netenrich.com/login/callback
- In Start URL field, type https://auth.netenrich.com
India Region:
If your login URL to RIC App is https://in-app.netenrich.com
- In the Entity ID, type urn:auth0:prod-in-netenrich:customernamesaml
NOTE: For <customer name>, type your company name; it should be a unique name to identify the connection. Later, this name will be used to configure the SAML connection in Resolution Intelligence Cloud.
For example, company name: ACME and its entity id is urn:auth0:prod-netenrich:acmesaml
- In the ACS URL field, type https://in-auth.netenrich.com/login/callback
- In Start URL field, type https://in-auth.netenrich.com
EU Region:
If your login URL to RIC App is https://eu-app.netenrich.com
- In the Entity ID, type urn:auth0:prod-netenrich:customernamesaml
NOTE: For “customername”, type your company name
- In the ACS URL field, type https://eu-auth.netenrich.com/login/callback
- In Start URL field, type https://eu-auth.netenrich.com
9. The default Name ID must be primary email.
10. Click Continue
STEP 2:
Turn on your SAML app
- Sign in to your Google Admin console.
Sign in using an account with super administrator privileges (does not end in @gmail.com).
- In the Admin console, go to Menu Apps -> Web and mobile apps.
- Select the app that you have created for Resolution Intelligence Cloud.
- Click User access.
- To turn a service on or off for everyone in your organization, click On for everyone or Off for everyone, and then click Save.
- (Optional) To turn a service on or off for an organizational unit:
- On the left, select the organizational unit.
- To change the Service status, select On or Off.
- Choose one:
- If the Service status is set to Inherited and you want to keep the updated setting, even if the parent setting changes, click Override.
- If the Service status is set to Overridden, either click Inherit to revert to the same setting as its parent, or click Save to keep the new setting, even if the parent setting changes.
- To turn on a service for a set of users across or within organizational units, select an access group. For details, go to turn on a service for a group.
- Ensure that the email addresses your users use to sign in to the SAML app match the email addresses they use to sign in to your Google domain.
Configuring SAML SSO in Resolution Intelligence Cloud
To configure the SAML connection:
- From Resolution Intelligence Cloud home screen, click Configurations --> Authentication in the left menu
- Click Setup Provider under the SAML tile
A New SAML Connection form appears
- Enter the following fields and click Create at the bottom of screen
Field | Description |
Connection name | Logical identifier for your connection; it must be unique. Once set, this name can't be changed. For example, if your company name is ACME, type acmesaml as your connection name. It should be the same as the entity ID provided in step 1 of Configuring SAML SSO in GSuite. |
Sign in URL | SSO URL that you have noted down from GSuite SAML settings |
X509 Signing Certificate | Select the certificate (i.e., IDP metadata) that you have downloaded from GSuite SAML settings |
Sign out URL | (Optional) Logout URL that you have noted down from GSuite SAML settings |
User ID Attribute | Copy the URL below for User ID Attribute: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier |
Sign Request Algorithm | Optional |
Sign Request Digest Algorithm | Optional |
Protocol Binding | Optional |
Identity Provider Domains | Enter a list of trusted domains with which you want to be identified as identity providers. These are the domains that user accounts have. Examples: user login is user@contoso.com, enter contoso.com. If there are multiple domains, then enter all the domains as a comma-separated list. |
Multifactor Authentication | Multi-Factor Authentication (MFA) can be enabled or disabled at any point during or after setting up the Single Sign-On (SSO) Connection. It is important to note that MFA functionality is exclusive to the SSO connection and applies solely to users logging in via the domain specified under "identity provider domains." By default, MFA is disabled. To activate it, select the checkbox labelled "Enable MFA while user login." |
4. You have established SAML connection successfully
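An added check, not part of the original article or of Netenrich's tooling: it reads the downloaded IDP metadata and reports whether the Sign in URL and certificate SHA-256 fingerprint you recorded for the connection match it. The sample metadata, its idpid value and the placeholder certificate bytes are constructed, and the function names are illustrative.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
DS = "{http://www.w3.org/2000/09/xmldsig#}"

# Constructed sample: placeholder bytes stand in for the certificate and the
# idpid value is made up. A real file comes from "Download the IDP metadata".
FAKE_DER = b"constructed-placeholder-certificate-bytes"
SAMPLE_METADATA = f"""<md:EntityDescriptor
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://accounts.google.com/o/saml2?idpid=C0nstruct3d">
  <md:IDPSSODescriptor>
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{base64.b64encode(FAKE_DER).decode()}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://accounts.google.com/o/saml2/idp?idpid=C0nstruct3d"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def parse_idp_metadata(xml_text):
    """Extract entity ID, SSO URLs and signing-cert SHA-256 fingerprints."""
    root = ET.fromstring(xml_text)  # file from your own Admin console, not untrusted input
    idp = root.find(MD + "IDPSSODescriptor")
    if idp is None:
        raise ValueError("no IDPSSODescriptor element: not IdP metadata")
    fingerprints = []
    for key in idp.findall(MD + "KeyDescriptor"):
        if key.get("use") in (None, "signing"):
            for cert in key.iter(DS + "X509Certificate"):
                der = base64.b64decode("".join(cert.text.split()))
                fingerprints.append(hashlib.sha256(der).hexdigest())
    sso = [s.get("Location") for s in idp.findall(MD + "SingleSignOnService")]
    return {"entity_id": root.get("entityID"), "sso_urls": sso,
            "fingerprints": fingerprints}


def check_connection(xml_text, sign_in_url, fingerprint):
    """Return mismatches between the metadata and the values entered in the form."""
    meta = parse_idp_metadata(xml_text)
    problems = []
    if sign_in_url.strip() not in meta["sso_urls"]:
        problems.append("Sign in URL does not match metadata")
    normalized = fingerprint.replace(":", "").replace(" ", "").lower()
    if normalized not in meta["fingerprints"]:
        problems.append("certificate fingerprint does not match metadata")
    return problems
```

An empty list from `check_connection` means both values agree with the metadata file; the fingerprint may be passed with or without colon separators.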
Invite User with SSO Integration
- For users to be able to login using SSO, they must be re-invited using the SSO connection.
- While logged in as an existing Owner or Global Admin user with local authentication, add a new user with the Owner role by enabling the newly created SSO integration in Resolution Intelligence Cloud.
3. A newly invited user will be redirected to GSuite for authentication.
4. For existing users with local authentication, users must be deleted and re-invited using an SSO connection.