Configure Google as an IdP in the Cloud Identity Engine
1. Prepare to configure Google as an IdP in the Cloud Identity Engine.

   1. If you have not already done so, activate the Cloud Identity Engine app.
   2. In the Cloud Identity Engine app, select Authentication > SP Metadata > Download SP Metadata and Save the metadata in a secure location.
   3. Log in to the Google Admin Console and select Apps > SAML Apps.
   4. Select Add App > Add custom SAML app.
   5. Enter an App name, then Continue to the next step.
   6. Click Download Metadata to download the IdP metadata, then Continue to the next step.
   7. Copy the metadata information from the Cloud Identity Engine and enter it in the Google Admin Console as described in the following table, then Continue to the next step:

      Copy From Cloud Identity Engine                     Enter in Google Admin Console
      Copy the Entity ID from the SP Metadata page.       Enter it as the Entity ID.
      Copy the Assertion Consumer Service URL.            Enter the URL as the ACS URL.

   8. Add mapping to select the Google Directory attributes, then specify the corresponding App attributes. Repeat for each attribute you want to use, then click Finish when the changes are complete.
   9. View details to specify the users and groups you want to authenticate with Google, enable the app by turning it ON for everyone, then Save your changes.
   10. Select Directory > Users to specify the users you want to authenticate using Google.
2. Add Google as an authentication type in the Cloud Identity Engine app.

   1. Select Authentication Types and click Add New Authentication Type.
   2. Set Up a SAML 2.0 authentication type.
   3. Enter a Profile Name.
   4. Select Google as your Identity Provider Vendor.
   5. Select the method you want to use to Add Metadata, then Submit the profile.
      If you want to enter the information manually, copy the identity provider ID and SSO URL, download the certificate, then enter the information in the Cloud Identity Engine IdP profile.

      1. In the Google Admin Console, select the Cloud Identity Engine app and Download Metadata.
      2. Click Download Metadata, then copy the necessary information from Google and enter it in the IdP profile on the Cloud Identity Engine app as indicated in the following table:

         Copy or Download From Google Admin Console    Enter in Cloud Identity Engine IdP Profile
         Copy the Entity ID.                           Enter it as the Identity Provider ID.
         Download the Certificate.                     Click to Upload the certificate from Google.
         Copy the SSO URL.                             Enter the URL as the Identity Provider SSO URL.

      3. Select the HTTP Binding for SSO Request to IdP method you want to use for the SAML binding that allows the firewall and IdP to exchange request and response messages: HTTP Redirect, which transmits SAML messages through URL parameters, or HTTP Post, which transmits SAML messages using base64-encoded HTML.
      4. Specify the Maximum Clock Skew (seconds), which is the allowed difference in seconds between the system times of the IdP and the firewall at the moment when the firewall validates IdP messages (default is 60; range is 1–900). If the difference exceeds this value, authentication fails.
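The clock-skew rule is easy to apply in the wrong direction, so the following added example (written for this page, not code from Palo Alto Networks or the Cloud Identity Engine) shows how an SP such as the firewall applies a Maximum Clock Skew to the NotBefore and NotOnOrAfter conditions of a SAML assertion. The function names, the 1–900 second bounds taken from the text above, and the timestamps are constructed for the illustration.

```python
from datetime import datetime, timedelta, timezone

# Bounds for the Maximum Clock Skew setting as the page states them (default 60, range 1-900).
CLOCK_SKEW_DEFAULT = 60
CLOCK_SKEW_MIN, CLOCK_SKEW_MAX = 1, 900


def parse_saml_time(value: str) -> datetime:
    """Parse an xs:dateTime as used in SAML (e.g. 2024-05-01T12:00:00Z) into a UTC datetime."""
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    parsed = datetime.fromisoformat(value)
    if parsed.tzinfo is None:
        raise ValueError("SAML timestamps must carry a timezone")
    return parsed.astimezone(timezone.utc)


def validate_conditions(not_before: str, not_on_or_after: str, now,
                        max_clock_skew_seconds: int = CLOCK_SKEW_DEFAULT):
    """Check the assertion validity window against the SP's own clock.

    `now` is the SP's clock, as a datetime or an xs:dateTime string.
    Returns (ok, reason). The skew is applied in the direction that helps the
    assertion on both edges: an assertion whose NotBefore is up to `skew`
    seconds in the future, or whose NotOnOrAfter is up to `skew` seconds in
    the past, is still accepted. Beyond that it is rejected, which is what the
    page means by "if the difference exceeds this value, authentication fails".
    """
    if not CLOCK_SKEW_MIN <= max_clock_skew_seconds <= CLOCK_SKEW_MAX:
        raise ValueError(f"clock skew must be {CLOCK_SKEW_MIN}-{CLOCK_SKEW_MAX} seconds")
    skew = timedelta(seconds=max_clock_skew_seconds)
    if isinstance(now, str):
        now = parse_saml_time(now)
    now = now.astimezone(timezone.utc)
    nb = parse_saml_time(not_before)
    noa = parse_saml_time(not_on_or_after)
    if nb >= noa:
        return False, "malformed window: NotBefore is not earlier than NotOnOrAfter"
    # SAML 2.0 Core: NotBefore is inclusive, NotOnOrAfter is exclusive.
    if now + skew < nb:
        return False, f"not yet valid: IdP clock is ahead by more than {max_clock_skew_seconds}s"
    if now - skew >= noa:
        return False, f"expired: window closed more than {max_clock_skew_seconds}s ago"
    return True, "within validity window"


if __name__ == "__main__":
    # Constructed assertion window; the SP's clock is 30 s behind the IdP's.
    sp_now = "2024-05-01T12:00:00Z"
    print(validate_conditions("2024-05-01T12:00:30Z", "2024-05-01T12:05:00Z", sp_now))      # default 60 s: accepted
    print(validate_conditions("2024-05-01T12:00:30Z", "2024-05-01T12:05:00Z", sp_now, 10))  # 10 s: rejected
```

The two calls at the bottom use the same 30-second offset between IdP and SP: with the default of 60 seconds the assertion is accepted, with a skew of 10 seconds it is rejected as not yet valid, which is the symptom to look for when a Google login fails immediately after setup on a firewall whose clock is not synchronized.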
      If you want to upload a metadata file, download the metadata file from your IdP management system.

      1. In the Google Admin Console, select the Cloud Identity Engine app and Download Metadata.
      2. Click Download Metadata and Save the file to a secure location.
      3. In the Cloud Identity Engine app, Click to Upload the metadata file, then Open the metadata file.

      The Cloud Identity Engine does not currently support the Get URL method for Google.
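Whether you copy the three values by hand (the manual method above) or upload the downloaded file, they all come from the same IdP metadata document. The following added example (written for this page; not Palo Alto Networks' or Google's code) parses a constructed Google-style IdP metadata file with Python's standard library and pulls out the Entity ID, the SSO URL for each HTTP binding, and the signing certificate as a PEM block ready to upload, which is a quick way to check a downloaded file before entering its values into the IdP profile. The `EXAMPLE-IDPID` value, the certificate body and the function names are placeholders and assumptions, not real values.

```python
import base64
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
BINDING_PREFIX = "urn:oasis:names:tc:SAML:2.0:bindings:"

# Placeholder certificate body: valid base64, not a real X.509 DER certificate.
PLACEHOLDER_CERT_B64 = base64.b64encode(b"placeholder, not a real DER certificate").decode()

# Constructed sample modelled on the shape of an IdP metadata file; EXAMPLE-IDPID is a placeholder.
SAMPLE_IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://accounts.google.com/o/saml2?idpid=EXAMPLE-IDPID">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>
            __CERT__
          </ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://accounts.google.com/o/saml2/idp?idpid=EXAMPLE-IDPID"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://accounts.google.com/o/saml2/idp?idpid=EXAMPLE-IDPID"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
""".replace("__CERT__", PLACEHOLDER_CERT_B64)


def parse_idp_metadata(xml_text: str) -> dict:
    """Extract the values the Cloud Identity Engine IdP profile asks for from IdP metadata."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("not a SAML EntityDescriptor")
    entity_id = root.get("entityID")
    if not entity_id:
        raise ValueError("metadata has no entityID")

    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata describes no IdP role (no IDPSSODescriptor)")

    # One SSO URL per advertised binding (HTTP-Redirect, HTTP-POST, ...).
    sso_urls = {}
    for sso in idp.findall("md:SingleSignOnService", NS):
        binding, location = sso.get("Binding", ""), sso.get("Location")
        if binding.startswith(BINDING_PREFIX) and location:
            sso_urls[binding[len(BINDING_PREFIX):]] = location
    if not sso_urls:
        raise ValueError("metadata advertises no SingleSignOnService endpoint")

    # Signing certificate: a KeyDescriptor with use="signing" (or no use attribute at all).
    cert_b64 = None
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":
            continue
        node = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
        if node is not None and node.text:
            cert_b64 = "".join(node.text.split())  # metadata wraps the base64 across lines
            break
    if cert_b64 is None:
        raise ValueError("metadata carries no signing certificate")
    base64.b64decode(cert_b64, validate=True)  # reject a corrupted file before anything is uploaded

    lines = [cert_b64[i:i + 64] for i in range(0, len(cert_b64), 64)]
    pem = "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"
    return {"identity_provider_id": entity_id, "sso_urls": sso_urls, "signing_certificate_pem": pem}


def profile_values(metadata: dict, binding: str = "HTTP-Redirect") -> dict:
    """Map parsed metadata onto the three IdP profile fields for the chosen SSO binding."""
    if binding not in metadata["sso_urls"]:
        raise ValueError(f"IdP does not advertise binding {binding}; choose from {sorted(metadata['sso_urls'])}")
    return {
        "identity_provider_id": metadata["identity_provider_id"],
        "identity_provider_sso_url": metadata["sso_urls"][binding],
        "certificate_pem": metadata["signing_certificate_pem"],
    }


if __name__ == "__main__":
    parsed = parse_idp_metadata(SAMPLE_IDP_METADATA)
    for key, value in profile_values(parsed, "HTTP-Redirect").items():
        print(f"{key}:\n{value}\n")
```

The `binding` argument in `profile_values` corresponds to the HTTP Binding for SSO Request to IdP choice in the profile: if the IdP's metadata does not advertise the binding you select, the function refuses rather than silently reusing another endpoint's URL.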
   6. Test SAML setup to verify the profile configuration. This step is required to confirm that your firewall and IdP can communicate.
   7. Select the SAML attributes you want the firewall to use for authentication and