Kuidas saame aidata?
Google SAML seadistamine
Funktsioonid
Google/Folderit SAML integratsioon toetab hetkel järgmiseid funktsioone:
- SP-initiated SSO
- IdP-initiated SSO
Nõuded
- Puuduvad
Seadistamise sammud
Järgnev juhend on esitatud inglise keeles.
Folderit: Create initial SAML configuration
- Go to Manage accounts.
- Open the settings menu (cog wheel) of an account and click Identity providers.
- Click Set up custom SAML connector.
- Click Save.
Google: Create custom SAML app
- Sign in to your Google Admin console.
- In the Admin console, go to Menu > Apps > Web and mobile apps.
- Click Add App > Add custom SAML app.
Enter the app name and, optionally, upload an icon for your app. The app icon appears on the Web and mobile apps list, on the app settings page, and in the app launcher. If you don’t upload an icon, an icon is created using the first two letters of the app name. - Click Continue.
- On the Google Identity Provider details page, download the IDP metadata file.
- click Continue.
- In the Service Provider Details window, enter:
- ACS URL — SP SSO URL value.
- Entity ID — SP Entity ID value.
- Name ID format — EMAIL
- Name ID format — Primary email
- Click Continue.
- Click Add mapping
- Basic Information -> First name — firstName
- Basic Information -> Last name — lastName
- Click Finish.
Folderit: Update SAML configuration
- Click SAML in the toolbar.
- Click Metadata file.
- Select the previously downloaded IDP metadata file.
- Click Save.
Google: Turn on your SAML app
- Click User access.
- To turn a service on or off for everyone in your organization, click On for everyone or Off for everyone, and then click Save.
- (Optional) To turn a service on or off for an organizational unit:
- At the left, select the organizational unit.
- To change the Service status, select On or Off.
- Choose one:
- If the Service status is set to Inherited and you want to keep the updated setting, even if the parent setting changes, click Override.
- If the Service status is set to Overridden, either click Inherit to revert to the same setting as its parent, or click Save to keep the new setting, even if the parent setting changes.
Note: Learn more about organizational structure.
- To turn on a service for a set of users across or within organizational units, select an access group. For details, go to Use groups to customize service access.
- Ensure that the email addresses your users use to sign in to the SAML app match the email addresses they use to sign in to your Google domain.
Verify that SSO is working with your custom app
You can test for both identity provider (IdP) initiated SSO and service provider (SP) initiated SSO.
IdP-initiated
- Sign in to your Google Admin console.
- In the Admin console, go to Menu > Apps > Web and mobile apps.
- Select your custom SAML app.
- At the top left, click Test SAML login.
Your app should open in a separate tab. If it doesn’t, use the information in the resulting SAML app error messages to update your IdP and SP settings as needed, then re-test SAML login.
SP-initiated
- Open the SSO URL for your new SAML app. You should be automatically redirected to the Google sign-in page.
- Enter your username and password.
After your sign-in credentials are authenticated, you’re redirected back to your new SAML app.