Google G Suite - SAML SSO Agent Configuration - RSA Ready SecurID Access Implementation Guide

Document created by RSA Information Design and Development Employee on Aug 6, 2020
Version 1

This section describes how to integrate RSA SecurID Access with Google G Suite (formerly Google Apps) using a SAML SSO Agent.

Architecture Diagram

Configure RSA Cloud Authentication Service

Perform these steps to configure RSA Cloud Authentication Service as an SSO Agent SAML IdP to Google G Suite.

Procedure

1. Sign in to the RSA Cloud Administration Console and browse to Applications > Application Catalog, search for G Suite and click +Add to add the connector.

2. On the Basic Information page, enter a name for the application in the Name field, and click Next Step.

3. In the Initiate SAML Workflow section, in the Connection URL field, replace %DOMAIN% with the domain name of your G Suite connected domain. The connection URL will be in the form of https://mail.google.com/a/%DOMAIN%.

4. In the SAML Identity Provider (Issuer) section, perform the following steps:

  1. Note the Identity Provider URL. This URL will be required in Step 4 of G Suite configuration.
  2. Issuer Entity ID: Click the Override radio button and enter https://www.opensaml.org/IDP in the text field below the Override button.
  3. Click Generate Cert Bundle to generate and download a zip file containing the private key and certificate. Unzip the downloaded file to extract the certificate and private key.
  4. Select the first Choose File and upload the RSA SecurID Access private key.
  5. Select the second Choose File and upload the RSA SecurID Access public certificate. This certificate is also required in Step 4 of G Suite configuration.

5. In the Service Provider section, do the following:

  1. In the Assertion Consumer Service (ACS) URL field, replace %DOMAIN% with the domain name of your G Suite connected domain.
  2. In the Audience (Service Provider Entity ID) field, replace %DOMAIN% with the domain name of your G Suite connected domain.

Both of these URLs will be in the form of https://www.google.com/a/%DOMAIN%/acs.

6. In the User Identity section, select Email Address from the Identifier Type drop-down list, select the name of your user identity source, and select mail as the property value. Then click Next Step.

7. On the User Access page, select the access policy the identity router will use to determine which users can access the G Suite service provider. Click Next Step.

8. On the Portal Display page, configure the portal display and other settings. Click Save and Finish.

9. Click Publish Changes in the top left corner of the page, and wait for the operation to complete.

 

Configure Google G Suite

Perform these steps to integrate Google G Suite with RSA SecurID Access as a SAML SSO Agent.

Procedure

Note: The domain connected to your G Suite account must be verified before you can use a third-party SAML IdP. If the domain is not verified, follow https://support.google.com/a/answer/60216?hl=en&ref_topic=29190 to get your domain verified before proceeding.

1. Log in to the G Suite administrator console at https://admin.google.com.

2. Click on Security.

3. Click Set up single sign-on (SSO) with a third party IdP.

4. In the Third-party identity provider page, do the following:

  1. Select the check box beside Set up SSO with third-party identity provider.
  2. Sign-in page URL: Enter the URL obtained from Step 4(a) of RSA Cloud Authentication Service configuration.
  3. Sign-out page URL: Enter https://google.com.
  4. Verification certificate: Upload the public certificate used in Step 4(e) of RSA Cloud Authentication Service configuration.
  5. Click Save.

 

Configuration is complete.
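To confirm that the values entered in steps 4 to 6 of the RSA Cloud Authentication Service configuration actually appear in what the IdP sends, the following added example (not part of the RSA guide or any RSA or Google tooling) checks a base64-decoded SAML Response for the issuer, audience, recipient and email-style NameID. The sample response and the domain example.com are constructed, the NameID check assumes users' mail addresses are in the G Suite domain, and the script checks configuration values only; it does not validate the signature.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ISSUER = "https://www.opensaml.org/IDP"  # Issuer Entity ID override (RSA step 4)

# Constructed sample: the Audience still carries the unreplaced %DOMAIN% token.
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion>
    <saml:Issuer>https://www.opensaml.org/IDP</saml:Issuer>
    <saml:Subject>
      <saml:NameID>alice@example.com</saml:NameID>
      <saml:SubjectConfirmation>
        <saml:SubjectConfirmationData Recipient="https://www.google.com/a/example.com/acs"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>https://www.google.com/a/%DOMAIN%/acs</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def check_response(xml_text, domain):
    """List the fields of a decoded SAML Response that differ from the guide's values."""
    root = ET.fromstring(xml_text)  # only parse responses captured from your own tenant
    acs = f"https://www.google.com/a/{domain}/acs"  # form given in RSA step 5
    subject = "saml:Assertion/saml:Subject/"
    problems = []

    def text(path):
        node = root.find(path, NS)
        return (node.text or "").strip() if node is not None else None

    if text("saml:Assertion/saml:Issuer") != ISSUER:
        problems.append("issuer")
    if text("saml:Assertion/saml:Conditions/saml:AudienceRestriction/saml:Audience") != acs:
        problems.append("audience")
    scd = root.find(subject + "saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != acs:
        problems.append("recipient")
    # Assumption: Email Address identifiers (RSA step 6) are in the G Suite domain.
    name_id = text(subject + "saml:NameID") or ""
    if not name_id.lower().endswith("@" + domain.lower()):
        problems.append("nameid")
    return problems


if __name__ == "__main__":
    print(check_response(SAMPLE, "example.com"))
```

An empty list means every checked field matches; any name in the list points back to the corresponding field in the RSA connector configuration.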

Return to the main page for more certification related information.

 