Friday, February 17, 2017

Set up Shibboleth SP as a SAML 2.0 service provider with G Suite

Prerequisite:

  1. Basic understanding of SAML 2.0, SSO and Shibboleth SP.  
  2. SP setup up and working on your instance.
  3. Must having administrator account to register your SP on G suite

G Suite setup:

  • Login to https://admin.google.com using your administrator account.
  • Click Security > Set up single sign-on (SSO)
  • Click the Download button to download the Google IdP metadata and the X.509 Certificate
  • Now click on Apps > SAML apps.
  • Select the Add a service/App to your domain link or click the plus (+) icon in the bottom corner. The Enable SSO for SAML Application window opens.
  • Click SET UP MY OWN CUSTOM APP
  • We have already downloaded the certificate and Idp Metadata, click NEXT
  • On the Basic application information window, Enter the Application name and Description values.
  • In the Service Provider Details section, enter the following URLs into the Entity ID, ACS URL, and Start URL Fields:
    1. ACS URLhttps://your-domain-name.com/Shibboleth.sso/SAML2/POST
    2. Entity IDyour-domain-name.com/shibboleth
    3. Start URL: https://your-domain-name.com/app
Note: You can get the ACS URL and entityID by hitting https://your-domain-name/Shibboleth.sso/Metdata. It will download the Shibboleth SP metadata file containing all the URLs like entityID in the first few lines and ACS URL which is nothing but AssertionConsumerService URL having SAML 2.0 HTTP-POST binding.
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://your-domain-name.com/Shibboleth.sso/SAML2/POST" index="10"/>
  • Leave Signed Response unchecked. When the Signed Response checkbox is unchecked, only the assertion is signed. When the Signed Response checkbox is checked, the entire response is signed.
  • The default Name ID is the primary email and select EMAIL as Name ID Format.
  • Click Add NEW MAPPING and then add EMAIL and choose Basic information and Email from 2nd and 3rd drop down list.
  • Click Finish.
  • Now go to again on Apps -> SAML apps and select your APPLICATION.
  •  At the top of the gray box, click More and choose:
    1. On for everyone to turn on the service for all users (click again to confirm).
    2. Off to turn off the service for all users (click again to confirm).
    3. On for some organizations to change the setting only for some users.

Configured G Suite details in your Shibboleth SP

  • Drop the downloaded Google Idp metadata to opt\shibboleth-sp\etc\shibboleth directory.
  • Open Shibboleth2.xml file and add below snippet
    • <MetadataProvider type="XML" file="C:\opt\shibboleth-sp\etc\shibboleth\<GOOGLE_IDP_FILENAMExml>"/>    
  • Restart Shibboleth.

 Verify that SSO between G Suite and Zendesk is working

  • Close all browser windows.
  • Open https://your-domain-name.com/app and attempt to sign in.
  • You should be automatically redirected to the G Suite sign-in page or if you are having discovery page then it will come under drop down menu
  • Enter your sign-in credentials.
  • After your sign-in credentials are authenticated you're automatically redirected back to your Application.

Happy coding..!!!