Configure Google as an IdP in the Cloud Identity Engine
- Prepare to configure Google as an IdP in the Cloud Identity Engine.
- If you have not already done so, activate the Cloud Identity Engine app.
- In the Cloud Identity Engine app, select Authentication > SP Metadata, click Download SP Metadata, and Save the metadata in a secure location.
- Log in to the Google Admin Console and select Apps > SAML Apps.
- Select Add App > Add custom SAML app.
- Enter an App name, then Continue to the next step.
- Click Download Metadata to Download IdP metadata, then Continue to the next step.
- Copy the metadata information from the Cloud Identity Engine and enter it in the Google Admin Console as described in the following table, then Continue to the next step:

| Copy From Cloud Identity Engine | Enter in Google Admin Console |
| --- | --- |
| Copy the Entity ID from the SP Metadata page. | Enter it as the Entity ID. |
| Copy the Assertion Consumer Service URL. | Enter the URL as the ACS URL. |

- Click Add mapping to select the Google Directory attributes, then specify the corresponding App attributes. Repeat for each attribute you want to use, then click Finish when the changes are complete.
- Click View details to specify the users and groups you want to authenticate with Google, enable the app by turning it ON for everyone, then Save your changes.
- Select Directory > Users to specify the users you want to authenticate using Google.
- Add Google as an authentication type in the Cloud Identity Engine app.
- Select Authentication Types and click Add New Authentication Type.
- Set Up a SAML 2.0 authentication type.
- Enter a Profile Name.
- Select Google as your Identity Provider Vendor.
- Select the method you want to use to Add Metadata, then Submit the profile.
- If you want to enter the information manually, copy the identity provider ID and SSO URL, download the certificate, then enter the information in the Cloud Identity Engine IdP profile.
- In the Google Admin Console, select the Cloud Identity Engine app and click Download Metadata.
- Click Download Metadata, then copy the necessary information from Google and enter it in the IdP profile on the Cloud Identity Engine app as indicated in the following table:

| Copy or Download From Google Admin Console | Enter in Cloud Identity Engine IdP Profile |
| --- | --- |
| Copy the Entity ID. | Enter it as the Identity Provider ID. |
| Download the Certificate. | Click to Upload the certificate from Google. |
| Copy the SSO URL. | Enter the URL as the Identity Provider SSO URL. |

- Select the HTTP Binding for SSO Request to IdP method you want to use for the SAML binding that allows the firewall and IdP to exchange request and response messages (HTTP Redirect, which transmits SAML messages through URL parameters, or HTTP Post, which transmits SAML messages using base64-encoded HTML).
- Specify theMaximum Clock Skew (seconds), which is the allowed difference in seconds between the system times of the IdP and the firewall at the moment when the firewall validates IdP messages (default is 60; range is 1–900). If the difference exceeds this value, authentication fails.
- If you want to upload a metadata file, download the metadata file from your IdP management system.
- In the Google Admin Console, select the Cloud Identity Engine app and click Download Metadata.
- Click Download Metadata and Save the file to a secure location.
- In the Cloud Identity Engine app, Click to Upload the metadata file, then Open the metadata file.

The Cloud Identity Engine does not currently support the Get URL method for Google.

- Test SAML setup to verify the profile configuration. This step is required to confirm that your firewall and IdP can communicate.
- Select the SAML attributes you want the firewall to use for authentication and Submit the IdP profile. Select the Username Attribute and, optionally, the Usergroup Attribute, Access Domain, User Domain, and Admin Role.