Google Workspace SAML Integration

This article describes an integration between AuthControl Sentry and Google Workspace, formerly known as Google Apps and GSuite.

Create SAML Keys on CMI

Keys are used within SAML to create a trust relationship between Sentry (acting as an IDP) and a SAML-compliant service provider. It is important that you create your own keys for this integration and keep the private key secure.

Generating Keys

From the CMI Main Menu select the Appliance Option, then select Sentry Menu option.

You will see the keys that are currently being used by Sentry (if any).

_images/GenerateSAMLKeysRSA.jpg

Select Option 1 to Generate New Keys

Give the key a name eg SentryProductionKey Select the key type, RSA or DSA (RSA is recommended for wider compatibility).

Some integrations require keys of a specific type so refer to the appropriate integration guides.

You then need to enter the information required to generate the key. These parameters are:

  • Country Name e.g. US. This should be the standard 2-letter ISO country code.
  • State or Province e.g. Washington.
  • Locality: e.g. Seattle.
  • Organisation: Your Company or Organisation Name.
  • Organisation Unit: Relevant unit, e.g. Information Technology.
  • Common Name: The full server hostname, e.g. sentry.domain.com.
  • Email Address: contact email address for the certificate.

Once you have entered all the details the new keys and certificate will be created.

You will be asked if you want to start using the new key immediately. If you say NO you can select the key at a later date.

Warning

Changing the key being used will impact any existing SAML-based integrations. The existing service providers will need to be updated with the new keys.

Selecting a Key

Select the Select New Key option will list all the keys that have been created on the appliance. You can select the key you wish to use.

Note

You need to restart tomcat for the changes to take effect.

Setup SSO on Google

To configure SSO setting on your Google Business account you have to access your Admin console at https://admin.google.com/AdminHome

You should see an Admin console with an option “Security” similar to the one below:

_images/1500px-GoogleAdminConsole.png

When you click on the Security you will be shown security options where you have to click on “Set up single sign-on (SSO)”.

_images/1500px-GoogleSSOPage.png

You will have to click on the checkbox “Setup SSO with third party identity provider” and fill in the details for your AuthControl Sentry such as:

Set the Login, Logout and Change password URLs below, where <FQDN_OF_SENTRY_SERVER> is the public DNS entry of your Swivel AuthControl Sentry server, e.g. swivel.mycompany.com or if you do not have a redirect from port 443 to 8443 in place, you may need to include a port number e.g. swivel.mycompany.com:8443

  • “Sign-in page URL” - https://<FQDN_OF_SENTRY_SERVER>/sentry/saml20endpoint
  • “Sign-out page URL” - https://<FQDN_OF_SENTRY_SERVER>/sentry/singlelogout
  • “Change password URL” - http://www.google.com
  • “Verification certificate” - Browse to the RSA PEM file created earlier to upload the certificate. When you click save, if successfully imported you will see a popup message saying “Your settings have been saved.”

After you have entered all the details as above click “Save”

Configure Check Password with Repository on the Swivel Core

In order to check the user’s Active Directory password, ensure that the “local” Agent defined under Server -> Agents has got the Check Password with repository checkbox enabled. When an authentication occurs in AuthControl Sentry, the Active Directory password will then be passed to Active Directory for verification.

_images/Check_password_with_repository.JPG

Hint

If you just want to test Swivel Core authentication without checking Active Directory passwords, you can leave this setting off for the time being. When prompted for a password during login on the AuthControl Sentry Login screen, simply leave the password field blank.

Setup AuthControl Sentry Application definition

Note

You must have setup a Google SSO prior to defining this Application entry within AuthControl Sentry. This is so that you are able to populate the Endpoint URL field.

Login to the AuthControl Sentry Administration Console. Click Applications in the left hand menu. To add a new Application definition for Google, click the Add Provider button.

_images/GoogleApplication.png
  • “Name:” - Google
  • “Image:” - Google.png (selected by default)
  • “Points:” - 100 (the number of points the user needs to score from their Authentication Method in order to successfully authenticate to this Application)
  • “Endpoint URL:” - N/A
  • “Portal URL:” - (this Portal URL is your companies google docs URL which you can usually access on: https://docs.google.com/a/mycompanyname )
  • “Entity ID:” - google.com (at the time of writing this documentation, this settings is always the same when using Google, but may be subject to change by Google.com, so please review the online Google documentation if you find that this Entity ID no longer works)
  • “Federated id:” - email

Setup AuthControl Sentry Authentication definition

As an example here we will be using Turing authentication as the Primary method required for Google authentication.

Login to the AuthControl Sentry Administration Console. Click Authentication Methods in the left hand menu. Click the Edit button against the Turing option in the list of Authentication Methods. Give this Authentication Method 100 points. This will mean that when a login attempt is made to the Google Application, this Authentication Method will be offered during login.

Testing authentication to Google via Swivel AuthControl Sentry

This should be the final step after all previous elements have been configured.

In a web browser, visit the the URL that you setup on AuthControl Sentry as Endpoint URL e.g. https://docs.google.com/a/mycompanyname

Alternatively you can visit your AuthControl Sentry Page with your public DNS entry of your Swivel AuthControl Sentry server, e.g. https://mycompanysentrydomain/sentry/startPage

On the Start Page you will be able to see a new Google Icon on which you can click and proceed with authentication (as you would by going straight to the google page)

_images/1800px-SentryStartup1.png

When you visit this URL you will notice that the domain should redirect to the identity provider login URL that you setup, once you have submitted your username. You should be presented with the page of the Authentication Method which can score enough points to match the points required by the Google Application definition.

In this login example we are using the email as a username

_images/GoogleUsername.jpg

After we enter the username we are prompted with another authentication method (in this example we use turing)

_images/GoogleTuring.jpg

After we enter our authentication credentials we successfully will see the google docs that we tried to access.

_images/1500px-GoogleLoggedIn.png

Troubleshooting

There are various logging components available for this particular integration which can aid in diagnosis at different points during authentication.

  • The Swivel Core has a Log Viewer menu item which can reveal information concerning user status e.g. is the user locked, has a session been started for the image request;
  • The Swivel AuthControl Sentry has a View Log menu item which provides details about the SAML assertion and response received from Google and can be useful for comparison with the Google SAML Assertion Validator output;

It is crucial when troubleshooting, to pinpoint where the authentication is failing. For example, you may find that the Swivel Core logs show a successful authentication (which would indicate that the user has entered their Password and OTC correctly), but the AuthControl Sentry logging shows that there is a problem with the SAML assertion.

Two common issues which can be diagnosed with the validator are:

  • Certificate or decryption issues;
    • Can AuthControl Sentry find the Certificate locally, is it the correct one?
    • Has the correct Certificate been uploaded to Google.com?
    • Does the Repository -> Attribute name being used actually map to a Repository attribute? Has a User Sync occurred in the Swivel Core since modifying this?