
Configure Google SAML as an SSO Security Provider

This article steps through how to configure Google SAML as an SSO Security Provider in Vinyl. The Google SSO SAML configuration needs to be set up first, followed by configuring the Vinyl Security Provider information to connect to Google SAML.

Google SSO SAML

Google offers a SAML-based single sign-on (SSO) service that provides companies with control over the authorization and authentication of hosted user accounts that can access web-based entities. Vinyl acts as the identity provider and, when configured along with Google SSO, can be used to authenticate and authorize users into a Vinyl app.

The Google SSO service is based on the SAML v2.0 specifications.

Google SSO Configuration Settings

To get started, first configure Google SAML Single Sign-On for use with your Vinyl app:

  1. Log in to your Google Admin console
  2. Go to Menu > Apps > Web and mobile apps
  3. Click Add App > Add custom SAML App
  4. On the App Details page enter the name of the App along with the following information:


    1. ACS URL: Corresponds to the Sign In Provider URL. This must start with https://. Example: https://example.zudy.com/signin-{{ProviderName}}
    2. Entity ID: This is the audience you want to pass from the provider. We recommend using the same value as the ACS URL.
    3. Start URL: The URL to redirect an authenticated user to if they initiate the sign-on from the Google Tile in the browser.
    4. Name ID Format: The value Google will pass as the unique identifier for the user. Defaults to email if none is selected.
    5. SSO URL: The value used for the Request Redirect Endpoint Parameter in Vinyl.
    6. Entity ID: The actual Entity ID to enter in the Vinyl configuration.
    7. Certificate: Download this and make a note of the expiration date, since the certificate will need to be replaced once the old one expires.
  5. On the Google Identity Provider details page get the information required for the Vinyl service provider:

    1. Copy the SSO URL and Entity ID and download the Certificate


Vinyl Security Provider

After the Google SSO Configuration is complete, you will configure Google in Vinyl as a SAML Security Provider.

Figure: Google SAML Provider configuration example (providersettings.png)

Vinyl Configuration Specific to Google SSO

Follow the basic configuration for Vinyl as a SAML Security Provider. In addition, review and confirm the following settings, which are specific to integration with Google SSO:

Settings

  • Name: Google
  • Type: SAML
  • Enabled: True

Tokens

  • Audience and Recipient: both values must match the Entity ID value provided from Google. Example: https://vinyl.example.com/signin-Google
  • Entity ID: must match the second Entity ID value, the one generated by Google

Endpoints

  • RelayState URI: a configured Endpoint with the value of "/". This allows the Google Tile to initiate the authentication flow.

Properties

  • AllowRelayStateRedirects: a configured Property with the value of True. This allows the Google Tile to initiate the authentication flow.
  • SignatureRequirement: a configured Property with the value of AssertionOrResponse. This is optional but recommended.

Claims

  • Configure a Claims record to specify how to handle identity creation and group mapping, if required. Example: Name ID is a Usage type, with email as the Identifier value.

Lastly, you will need to upload the Certificate information downloaded from Google.

  1. Click + Certificate from the Certificates area on Provider settings
  2. Select Signature Validation Certificate for Usage
  3. Select X.509 Certificate for Format
  4. Enter the Google Certificate information. Be sure to remove the start and end notation from the certificate.
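
A pre-flight check for the values described above, as an added example that is not part of the original article or of Vinyl: it compares the Google-side values with the Vinyl-side values (including the two different Entity IDs) and strips the BEGIN/END lines from the downloaded certificate. The dictionary key names, host name and idpid are assumptions, and the certificate body is a constructed placeholder rather than a real certificate.

```python
import base64
import re
from urllib.parse import urlparse

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def strip_pem_armor(pem_text):
    """Return the base64 body of a PEM certificate without its BEGIN/END lines."""
    match = PEM_RE.search(pem_text)
    body = "".join((match.group(1) if match else pem_text).split())
    der = base64.b64decode(body, validate=True)  # raises ValueError if not base64
    if not der or der[0] != 0x30:  # a DER certificate starts with a SEQUENCE tag
        raise ValueError("decoded data is not a DER structure")
    return body

def check_settings(google, vinyl):
    """List mismatches between the Google SAML app and the Vinyl provider."""
    problems = []
    acs = urlparse(google["acs_url"])
    if acs.scheme != "https":
        problems.append("ACS URL must start with https://")
    if not acs.path.endswith("/signin-" + vinyl["name"]):
        problems.append("ACS URL should end with /signin-" + vinyl["name"])
    for key in ("audience", "recipient"):
        if vinyl[key] != google["sp_entity_id"]:
            problems.append(key + " must match the Entity ID entered in Google")
    if vinyl["entity_id"] != google["idp_entity_id"]:
        problems.append("Entity ID must match the Entity ID Google generated")
    if vinyl["request_redirect_endpoint"] != google["sso_url"]:
        problems.append("Request Redirect Endpoint must match Google's SSO URL")
    if vinyl["signature_requirement"] != "AssertionOrResponse":
        problems.append("SignatureRequirement AssertionOrResponse is recommended")
    return problems

# Constructed sample values (hypothetical host, idpid and key names).
GOOGLE = {
    "acs_url": "https://vinyl.example.com/signin-Google",
    "sp_entity_id": "https://vinyl.example.com/signin-Google",
    "sso_url": "https://accounts.google.com/o/saml2/idp?idpid=C0example",
    "idp_entity_id": "https://accounts.google.com/o/saml2?idpid=C0example",
}
VINYL = {"name": "Google", "entity_id": GOOGLE["idp_entity_id"],
         "audience": GOOGLE["sp_entity_id"], "recipient": GOOGLE["sp_entity_id"],
         "request_redirect_endpoint": GOOGLE["sso_url"],
         "signature_requirement": "AssertionOrResponse"}
# Constructed placeholder body (a tiny DER SEQUENCE), not a real certificate.
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\nMAMC\nAQE=\n-----END CERTIFICATE-----\n"
if __name__ == "__main__":
    print(check_settings(GOOGLE, VINYL), strip_pem_armor(SAMPLE_PEM))
```

An empty list from `check_settings` means the two sides agree; the string returned by `strip_pem_armor` is the text to enter in the Certificate field.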
