Google Single Sign On


Google G Suite (formerly Google Apps) can now be used as a SAML 2.0 IdP.

When SSO is enabled, users who log in to Ensemble are redirected to the Google login page. After successful authentication, they are redirected back to Ensemble.

There are 5 steps required to set up Google SSO in Ensemble:

A) Install and configure Shibboleth Service Provider V3
B) Optionally Install and Configure Embedded Discovery Service
C) Setup Google SAML IdP
D) Define custom attributes
E) Configure Ensemble Identity Provider

A. Install and configure Shibboleth Service Provider V3

1) Download Shibboleth Service Provider from 

    http://shibboleth.net/downloads/service-provider/latest/win64/

2) Run installer shibboleth-sp-3.1.0.1-win64.msi

Choose the installation folder, e.g. C:\opt\shibboleth-sp

Check: configure IIS7 module

Manually update IIS:

ISAPI Filters:
    Name: Shibboleth
    Executable: C:\opt\shibboleth-sp\lib\shibboleth\isapi_shib.dll
Handler Mapping:
    Request path: *.sso
    Executable: C:\opt\shibboleth-sp\lib\shibboleth\isapi_shib.dll
    Name: AboMapperCustom-205531
    Access: script
ISAPI and CGI Restrictions:
    ISAPI or CGI path: C:\opt\shibboleth-sp\lib\shibboleth\isapi_shib.dll
    Description: Shibboleth Web Service Extension
    Allow extension path

3) Update Configuration Files 

attribute-map.xml
attribute-policy.xml
shibboleth2.xml

4) Provide the following information for the Google SAML IdP setup. The URLs will be similar to:

 ACS URL: https://ENSEMBLE_SERVER/Shibboleth.sso/SAML2/POST
 Entity ID: https://ENSEMBLE_SERVER/shibboleth

B. Optionally Install and Configure Embedded Discovery Service

1) Download Embedded Discovery Service from

https://shibboleth.net/downloads/embedded-discovery-service/latest/

2) Unzip the downloaded file shibboleth-embedded-ds-1.2.2.zip into C:\opt\shibboleth-eds

In IIS, create an application:

Sites > EnsembleVideo > shibboleth-eds
Application Pool: EnsembleVideo
Physical Path: C:\opt\shibboleth-eds
Virtual Path: /shibboleth-eds

3) Update Configuration Files

idpselect.css
index.html
idpselect_config.js

4) Modify SP shibboleth2.xml

<SSO discoveryProtocol="SAMLDS" discoveryURL="https://ENSEMBLE_SERVER/shibboleth-eds">
    SAML2 SAML1
</SSO>

5) Restart IIS and Shibboleth services


C. Setup Google SAML IdP

Review Google Support page: https://support.google.com/a/answer/6087519?hl=en

1) On the https://admin.google.com page, click Apps, then SAML App, and then the Add (+) button.

2) On the Enable SSO for SAML Application page, click SET UP MY OWN CUSTOM APP.

3) The Google IDP Information window opens, and the SSO URL and Entity ID fields are populated automatically. Click NEXT.

SSO URL: https://accounts.google.com/o/saml2/idp?idpid=XXXXXXXXX
Entity ID: https://accounts.google.com/o/saml2?idpid=XXXXXXXXX

4) In the Basic information for your Custom App window, add an application name (e.g. Ensemble G SSO) and a description, then click NEXT.

5) In the Service Provider Details window, enter the ACS URL and Entity ID obtained from the Service Provider setup (step A.4), then click NEXT.

ACS URL: https://ENSEMBLE_SERVER/Shibboleth.sso/SAML2/POST
Entity ID: https://ENSEMBLE_SERVER/shibboleth

6) In the Attribute Mapping window, define your attributes (see section D), then click FINISH.

7) Download GoogleIdPMetadata

On https://admin.google.com, click Apps, then SAML App.
Click your SAML IdP app (e.g. Ensemble G SSO).
Click Download metadata. This metadata file must be copied to the Service Provider (see section E).


D. Define Custom Attributes

Review Google Support page: https://support.google.com/a/answer/6087519?hl=en

Ensemble requires 5 attributes: eppn, givenname, sn, mail, affiliation. The values of these attributes need to be defined for every user.


1) On https://admin.google.com, click Apps, then SAML App.
2) Click your SAML IdP app (e.g. Ensemble G SSO).
3) Click Add new mapping and enter a name for the attribute you want to map.

Attributes:

urn:oid:1.3.6.1.4.1.5923.1.1.1.6      Primary Email
urn:oid:2.5.4.42                      First Name
urn:oid:2.5.4.4                       Last Name
urn:oid:0.9.2342.19200300.100.1.3     Primary Email
urn:oid:1.3.6.1.4.1.5923.1.1.1.1      Department

You may consider setting up other attributes as well, for example:

urn:oid:1.3.6.1.4.1.5923.1.1.1.9      Affiliation
urn:oid:1.3.6.1.4.1.5923.1.1.1.1      UnscopedAffiliation
urn:oid:1.3.6.1.4.1.5923.1.1.1.5      PrimaryAffiliation
urn:oid:1.3.6.1.4.1.99.99.99.99.6     EnsembleUsername
urn:oid:0.9.2342.19200300.100.1.1     EnsembleUiD

4) You may define the custom attributes at

    https://admin.google.com 

    Click Users, then More, then Manage Custom Attributes, and finally Add Custom Attributes

5) To turn on or off a service for everyone in your organization, click On for everyone  or Off for everyone, and then click SAVE.
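The attribute-map.xml entries that tie the OIDs configured above to the five ids Ensemble requires; step A.3 names this file but does not show its contents. This is an added example, not the article's or the Shibboleth project's own file, and the ids chosen for the optional attributes and the private 99.99.99.99 OID are carried over from the page as written.

```xml
<!-- attribute-map.xml for the Ensemble SP. Added example: the name values must
     match exactly what was typed into "Add new mapping" in the Google SAML app. -->
<Attributes xmlns="urn:mace:shibboleth:2.0:attribute-map"
            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">

    <!-- The five attributes Ensemble requires: eppn, givenname, sn, mail, affiliation -->

    <!-- Primary Email delivered as eduPersonPrincipalName, decoded as user@scope.
         Caveat: the stock attribute-policy.xml applies a scope-matching rule
         (AttributeScopeMatchesShibMDScope) to eppn, which compares the scope with a
         shibmd:Scope element in the IdP metadata. Google's downloaded metadata carries
         none, so eppn is filtered out unless that rule is relaxed or a Scope element
         is added to the local copy of GoogleIdPMetadata.xml. -->
    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" id="eppn">
        <AttributeDecoder xsi:type="ScopedAttributeDecoder" caseSensitive="false"/>
    </Attribute>

    <!-- First Name -->
    <Attribute name="urn:oid:2.5.4.42" id="givenname"/>
    <!-- Last Name -->
    <Attribute name="urn:oid:2.5.4.4" id="sn"/>
    <!-- Primary Email again, as a plain (unscoped) string -->
    <Attribute name="urn:oid:0.9.2342.19200300.100.1.3" id="mail"/>
    <!-- Department, sent under the eduPersonAffiliation OID. The tables above give
         this OID two meanings (Department and UnscopedAffiliation); it is mapped once
         here, to the id Ensemble requires. -->
    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1" id="affiliation"/>

    <!-- Optional attributes from the second table -->
    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9" id="scoped-affiliation">
        <AttributeDecoder xsi:type="ScopedAttributeDecoder" caseSensitive="false"/>
    </Attribute>
    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.5" id="primary-affiliation"/>
    <Attribute name="urn:oid:1.3.6.1.4.1.99.99.99.99.6" id="EnsembleUsername"/>
    <Attribute name="urn:oid:0.9.2342.19200300.100.1.1" id="EnsembleUiD"/>
</Attributes>
```

After changing the map, restart the Shibboleth service and confirm the decoded ids appear for a test login via the SP's Session handler (https://ENSEMBLE_SERVER/Shibboleth.sso/Session) before enabling SSO for all users.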

E. Shibboleth Service Provider setup

1) Update shibboleth2.xml:

<!-- G Suite Video -->
<MetadataProvider type="XML" path="C:\opt\shibboleth-sp\var\run\shibboleth\GoogleIdPMetadata.xml" />

2) Restart Shibboleth service

3) Enable Single Sign On in Ensemble

a) Review https://support.ensemblevideo.com/hc/en-us/articles/115003688063-Identity-Providers
b) Add and configure the Shibboleth Identity Provider
c) Configure Provisioning Rules
d) Enable Single Sign On in Ensemble Settings
