Google Workspace setup¶
This section explains how to integrate ODM with Google Workspace, using Google as the SAML identity provider (IdP) and ODM as the service provider (SP).
Create Google SAML app¶
In the G Suite Admin Console, go to Apps -> Web and mobile apps, then click Add app -> Add custom SAML app. The wizard walks through the following steps:

1. App details
   - App name: specify a name for your app.
2. Google Identity Provider details
   a. Copy the SSO URL and the Entity ID.
   b. Download the certificate; you will need it when setting up ODM.
3. Service provider details
   - ACS URL: https://ODM-HOST/frontend/endpoint/AssertionConsumer
   - Entity ID: https://ODM-HOST/frontend/endpoint/SamlSpMetadata
   - Start URL: https://ODM-HOST/
   - Signed Response: off (see the warning below)
   - Name ID format: EMAIL
   - Name ID: Basic Information / Primary Email
4. Attribute mapping
   Click Add Mapping to define the following attributes:
   - Basic Information / Primary Email -> urn:mace:dir:attribute-def:mail
   - Basic Information / First Name -> urn:mace:dir:attribute-def:givenName
   - Basic Information / Last Name -> urn:mace:dir:attribute-def:sn
5. Click Finish. You’ll be redirected to the “Application settings” page. Click User access, change Service status to ON for everyone, and SAVE the change.
Warning
As of Mar 4, 2020, the Signed Response checkbox behaves inconsistently:
- when it is off, the response itself is unsigned but the assertions are signed;
- when it is on, the response becomes signed but the assertions, for some reason, are unsigned.
We do not support the latter combination, hence the Signed Response option in the G Suite SAML app must be turned off.
Certificate preparation¶
You need to create the necessary certificates for ODM.

1. In step 2b, you downloaded the Google certificate.
   a. Convert it to idp.key.
   b. Convert idp.key to base64 format.
2. Create new certificates for the ODM service provider.
   a. Generate sp_x509_pem.crt. ODM-HOST is the server name without http/https, for example odm.example.com.
   b. Generate sp_pkcs8_der.key.
   c. Convert sp_x509_pem.crt to base64 format.
   d. Convert sp_pkcs8_der.key to base64 format.
3. Update the Helm chart with the provided information.
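As an added example that is not part of the ODM documentation, the following POSIX shell functions carry out the certificate preparation steps with openssl: they check and store the downloaded Google certificate as idp.key, generate the self-signed SP certificate and PKCS#8 DER key named above, base64-encode each file on a single line for the Helm values, and verify that the key belongs to the certificate. Assumptions: openssl and base64 are on PATH, idp.key holds the IdP's X.509 certificate in PEM form, and the .b64 output file names are my own choice.

```shell
#!/bin/sh
# Added example, not from the ODM docs. Assumes openssl and base64 on PATH.
set -eu

# Helm values usually expect a single-line base64 string (no line wrapping).
base64_oneline() { base64 "$1" | tr -d '\n'; }

# Step 1: the certificate downloaded from Google (PEM) becomes idp.key.
# Assumption: idp.key simply holds that IdP certificate in PEM form.
prepare_idp_cert() {
  google_cert="$1"; out="$2"
  mkdir -p "$out"
  # Parse it first so a truncated or non-PEM download fails loudly here,
  # not later inside ODM's assertion signature validation.
  openssl x509 -in "$google_cert" -noout || return 1
  cp "$google_cert" "$out/idp.key"
  base64_oneline "$out/idp.key" > "$out/idp.key.b64"
}

# Step 2: self-signed SP certificate (CN = ODM-HOST) and PKCS#8 DER key.
generate_sp_material() {
  host="$1"; out="$2"
  mkdir -p "$out"
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=$host" \
    -keyout "$out/sp_key.pem" -out "$out/sp_x509_pem.crt" 2>/dev/null
  # Unencrypted PKCS#8 in DER encoding, as the file name sp_pkcs8_der.key says.
  openssl pkcs8 -topk8 -nocrypt -inform PEM -outform DER \
    -in "$out/sp_key.pem" -out "$out/sp_pkcs8_der.key"
  rm -f "$out/sp_key.pem"
  base64_oneline "$out/sp_x509_pem.crt" > "$out/sp_x509_pem.crt.b64"
  base64_oneline "$out/sp_pkcs8_der.key" > "$out/sp_pkcs8_der.key.b64"
}

# Sanity check before touching the Helm chart: the DER key must belong to
# the certificate, otherwise a mismatched pair is only noticed at first login.
key_matches_cert() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
  key_pub=$(openssl pkey -inform DER -in "$2" -pubout)
  [ "$cert_pub" = "$key_pub" ]
}
```

The contents of the .b64 files are what go into the Helm chart values; the SP private key must not be committed alongside them.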
Now you can configure ODM to use Google as the SAML identity provider. You can find configuration examples in the Helm chart.