Accounts hosted in Google Workspace (formerly known as G Suite, formerly known as Google Apps) can be used to authenticate to Service Providers (SPs) that are a member of SURFconext. This means that Google Workspace can be configured to play the role of a SAML 2.0 Identity Provider (IdP).
This page describes how to configure your Google domain for use as a SAML IdP in SURFconext, and what the possibilities and restrictions are.
It is assumed you already have a Google Workspace domain configured. If not, you can find the basics about Google Workspace here: https://support.google.com/a/answer/3035792?hl=en&ref_topic=29157
Here, we will use example.edu as an example.
Logon to your Admin console at https://admin.google.com/example.edu/Dashboard.
Add a custom attribute category for SURFconext
- Select Users.
- Select Manage user attributes.
- Click "ADD CUSTOM CATEGORY".
- Enter "SURFconext" as the Custom category name and optionally a Description.
- For each of the attributes that the mapping table below takes from the SURFconext category: enter its Attribute name, leave Type at the default (Text), set Multiple values as appropriate for that attribute, and set Private to No.
See also https://support.google.com/a/answer/6208725
Add users
- Back in the Users Control, click Add user.
- Enter First name, Last name, Primary email address.
- Click ADDITIONAL INFO.
- Optionally, enter Contact Information, and click NEXT.
- Optionally, enter Employee details, and click NEXT.
- Enter SURFconext attribute values, and click CREATE.
Add SURFconext as a SAML Service Provider
- Click MORE CONTROLS.
- Select the Apps control.
- Select SAML apps.
- Click Enable SSO for a SAML Application.
- Click SETUP MY OWN CUSTOM APP.
- Download your IdP metadata (option 2). You will need to send this file to SURFconext support.
- Enter SURFconext as Application Name, and optionally a Description.
- Upload the logo of your organisation.
- For ACS URL, enter https://engine.surfconext.nl/authentication/sp/consume-assertion
- For Entity ID, enter https://engine.surfconext.nl/authentication/sp/metadata
- For Name ID Format, select PERSISTENT.
- For Attribute Mapping, add entries according to the table below:
SURFconext attribute name | Attribute source
---|---
urn:mace:dir:attribute-def:givenName | First Name from Basic Information
urn:mace:dir:attribute-def:sn | Last Name from Basic Information
urn:mace:dir:attribute-def:mail | Primary Email from Basic Information
urn:mace:dir:attribute-def:eduPersonPrincipalName | attribute of the same name from the SURFconext category
urn:mace:terena.org:attribute-def:schacHomeOrganization | attribute of the same name from the SURFconext category
urn:mace:dir:attribute-def:uid | attribute of the same name from the SURFconext category
Send your SAML 2.0 Metadata to the SURFconext operations team
- Contact SURFconext support at support@surfconext.nl and provide them with the metadata document so they can add this metadata as an IdP in a test environment.
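Before sending the downloaded metadata file, it is worth checking that it really is IdP metadata and contains what SURFconext needs to trust your Google domain: an entityID, an IDPSSODescriptor, a signing certificate, and an HTTPS SingleSignOnService endpoint. The script below is an added example written for this page, not code from SURFconext or Google; the embedded document is a constructed sample in the shape Google produces, and the idpid and certificate body are placeholders.

```python
import sys
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from typing import List, Optional

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
DS = "{http://www.w3.org/2000/09/xmldsig#}"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
SSO_BINDINGS = {
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
}

# Constructed sample of a Google-issued IdP metadata document.
# "PLACEHOLDER" stands in for the real idpid and certificate body.
SAMPLE_IDP_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://accounts.google.com/o/saml2?idpid=PLACEHOLDER"
    validUntil="2099-01-01T00:00:00Z">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>MIIC...PLACEHOLDER...</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://accounts.google.com/o/saml2/idp?idpid=PLACEHOLDER"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def check_idp_metadata(xml_text: str, now: Optional[datetime] = None) -> List[str]:
    """Return a list of problems found; an empty list means the document passed."""
    problems: List[str] = []
    root = ET.fromstring(xml_text)
    if root.tag != MD + "EntityDescriptor":
        return [f"root element is {root.tag}, expected md:EntityDescriptor"]
    if not root.get("entityID"):
        problems.append("entityID attribute is missing")

    # validUntil is optional, but an expired document will be rejected.
    valid_until = root.get("validUntil")
    if valid_until:
        expiry = datetime.fromisoformat(valid_until.replace("Z", "+00:00"))
        if expiry <= (now or datetime.now(timezone.utc)):
            problems.append(f"metadata expired on {valid_until}")

    idp = root.find(MD + "IDPSSODescriptor")
    if idp is None:
        problems.append("no md:IDPSSODescriptor (this is not IdP metadata)")
        return problems

    # A KeyDescriptor without a 'use' attribute is valid for signing as well.
    signing_keys = [
        k for k in idp.findall(MD + "KeyDescriptor")
        if k.get("use", "signing") == "signing"
        and any(c.text and c.text.strip() for c in k.iter(DS + "X509Certificate"))
    ]
    if not signing_keys:
        problems.append("no signing certificate: assertion signatures cannot be verified")

    sso = [s for s in idp.findall(MD + "SingleSignOnService") if s.get("Binding") in SSO_BINDINGS]
    if not sso:
        problems.append("no SingleSignOnService with HTTP-Redirect or HTTP-POST binding")
    for s in sso:
        if not s.get("Location", "").startswith("https://"):
            problems.append(f"SSO endpoint is not https: {s.get('Location')}")

    # Name ID Format was set to PERSISTENT in the SAML app; warn if not advertised.
    formats = [f.text.strip() for f in idp.findall(MD + "NameIDFormat") if f.text]
    if formats and PERSISTENT not in formats:
        problems.append("persistent NameID format is not advertised")
    return problems


if __name__ == "__main__":
    # Usage: python check_metadata.py GoogleIDPMetadata.xml (falls back to the sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_IDP_METADATA
    for line in check_idp_metadata(text) or ["OK: metadata looks complete"]:
        print(line)
```

The script only checks structure; it does not verify the certificate chain or signature, which SURFconext does on its side once the metadata is registered.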
Test the attributes as received by SURFconext
You can test this IdP as follows when you have connected your Google IdP to our Production Environment:
- Log in to SURFconext's debug page (https://engine.surfconext.nl/authentication/sp/debug) and check that all attributes are released correctly (each attribute has a green tick or a red cross behind it).
- Log in to the SURFconext profile page (https://profile.surfconext.nl) and check that the attribute values are correct.
You can test this IdP as follows when you have connected your Google IdP to our Test Environment:
- Log in to SURFconext's debug page (https://engine.test.surfconext.nl/authentication/sp/debug) and check that all attributes are released correctly (each attribute has a green tick or a red cross behind it).
- Log in to the SURFconext profile page (https://profile.test.surfconext.nl) and check that the attribute values are correct.
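The debug page shows a tick or cross per attribute; if you capture the SAML assertion Google sends (for example with a browser SAML tracer) you can run the same checks offline against the mapping table above. The checker below is an added example for this page, not SURFconext or Google code: it confirms the NameID is persistent, the audience and recipient match the SURFconext Entity ID and ACS URL, and every attribute from the mapping table is released with a plausible value. The embedded assertion is a constructed sample with placeholder values.

```python
import xml.etree.ElementTree as ET
from typing import Callable, Dict

SAML = "{urn:oasis:names:tc:SAML:2.0:assertion}"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
SURFCONEXT_ENTITY_ID = "https://engine.surfconext.nl/authentication/sp/metadata"
SURFCONEXT_ACS = "https://engine.surfconext.nl/authentication/sp/consume-assertion"

# Attribute names from the mapping table, each with a plausibility check on its value
# (mail and eduPersonPrincipalName are scoped with '@', schacHomeOrganization is a bare domain).
EXPECTED_ATTRIBUTES: Dict[str, Callable[[str], bool]] = {
    "urn:mace:dir:attribute-def:givenName": lambda v: bool(v),
    "urn:mace:dir:attribute-def:sn": lambda v: bool(v),
    "urn:mace:dir:attribute-def:mail": lambda v: "@" in v,
    "urn:mace:dir:attribute-def:eduPersonPrincipalName": lambda v: v.count("@") == 1,
    "urn:mace:terena.org:attribute-def:schacHomeOrganization": lambda v: "." in v and "@" not in v,
    "urn:mace:dir:attribute-def:uid": lambda v: bool(v),
}

# Constructed sample assertion; the issuer idpid, ID and user values are placeholders.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_placeholder" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
  <saml:Issuer>https://accounts.google.com/o/saml2?idpid=PLACEHOLDER</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">jdoe</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData NotOnOrAfter="2024-01-01T12:05:00Z"
          Recipient="https://engine.surfconext.nl/authentication/sp/consume-assertion"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T11:55:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://engine.surfconext.nl/authentication/sp/metadata</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:mace:dir:attribute-def:givenName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="urn:mace:dir:attribute-def:sn"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="urn:mace:dir:attribute-def:mail"><saml:AttributeValue>jane.doe@example.edu</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="urn:mace:dir:attribute-def:eduPersonPrincipalName"><saml:AttributeValue>jdoe@example.edu</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="urn:mace:terena.org:attribute-def:schacHomeOrganization"><saml:AttributeValue>example.edu</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="urn:mace:dir:attribute-def:uid"><saml:AttributeValue>jdoe</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""


def check_assertion(xml_text: str) -> dict:
    """Report on subject, audience, recipient and attribute release of one assertion."""
    root = ET.fromstring(xml_text)
    # Accept either a bare saml:Assertion or a samlp:Response wrapping one.
    assertion = root if root.tag == SAML + "Assertion" else root.find(".//" + SAML + "Assertion")
    if assertion is None:
        raise ValueError("no saml:Assertion found")

    name_id = assertion.find(SAML + "Subject/" + SAML + "NameID")
    audiences = [a.text.strip() for a in assertion.iter(SAML + "Audience") if a.text]
    scd = assertion.find(".//" + SAML + "SubjectConfirmationData")
    report = {
        "nameid_format_ok": name_id is not None and name_id.get("Format") == PERSISTENT,
        "audience_ok": SURFCONEXT_ENTITY_ID in audiences,
        "recipient_ok": scd is not None and scd.get("Recipient") == SURFCONEXT_ACS,
        "attributes": {},
    }

    released = {}
    for attr in assertion.iter(SAML + "Attribute"):
        values = [v.text.strip() for v in attr.findall(SAML + "AttributeValue") if v.text and v.text.strip()]
        released[attr.get("Name")] = values

    # One status per expected attribute: ok / missing / empty / unexpected format.
    for name, plausible in EXPECTED_ATTRIBUTES.items():
        values = released.get(name)
        if values is None:
            status = "missing"
        elif not values:
            status = "empty"
        elif not all(plausible(v) for v in values):
            status = "unexpected format"
        else:
            status = "ok"
        report["attributes"][name] = status
    # Attributes released but not in the mapping table (typos in the SAML app mapping show up here).
    report["unmapped"] = sorted(set(released) - set(EXPECTED_ATTRIBUTES))
    return report


if __name__ == "__main__":
    for key, value in check_assertion(SAMPLE_ASSERTION).items():
        print(f"{key}: {value}")
```

A "missing" status usually means the attribute was not added in the SAML app's Attribute Mapping; "empty" means it is mapped but the user's SURFconext custom attribute has no value.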
Troubleshooting
Known Issues
n/a