Setting up SAML Authentication with Google Apps


Network users can easily enroll for X.509 certificates with SecureW2 using their Google Apps credentials. This is accomplished by creating a SAML application in the Google Admin Console, sharing metadata between SecureW2 and Google, and mapping the attributes sent between the two. An added benefit of the SAML authentication is that it enables a Single-Sign-On (SSO) Policy. The SSO policy can help prevent phishing attacks and is generally more convenient for end users. Additionally, network settings can be automatically applied to different user groups based on their Google Apps attributes. A SAML application will streamline several aspects of your network and significantly improve your ability to manage it.


Creating an Identity Provider in SecureW2

  1. In the Identity Management section, click Identity Provider
  2. Click Add Identity Provider and fill the Name and Description sections
  3. In the Type section, enter SAML and click Save


Creating a SAML Application in Google

  1. Log in to the Google Admin Console
  2. Click Apps and select SAML Apps
  3. A yellow circle will appear in the bottom right corner (hovering over it shows Enable SSO for a SAML Application); click on it
  4. Click Set Up My Own Custom App
  5. Download the IDP metadata

Downloading metadata from Google Apps

Now we will add the metadata from Google Apps to SecureW2.

  1. Navigate to the Identity Provider SecureW2 page, and click on the Configuration tab
  2. Under Identity Provider (IDP) Info, click Choose File
  3. Choose the downloaded metadata file, and then click Upload and then Update
  4. Navigate to the Google SAML App Setup
  5. Enter the basic information for your app in step 3 (Application Name, Description) and then click Next
  6. Step 4 requires an ACS URL and EntityId from the SecureW2 Management Portal
  7. Navigate back to the SW2 Management Portal, copy the ACS URL and EntityId from the Identity Provider section, and paste them into the Service Provider Details of the Google SAML App Setup
  8. Check the box for Signed Response in the Google Admin page, click Next and Finish

Connecting the Identity Provider with Google Apps
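The metadata exchange above runs in both directions: the IdP metadata downloaded from Google tells SecureW2 the IdP's entityID, its SSO endpoint and the certificate that signs responses, and the ACS URL and EntityId copied the other way tell Google where to post assertions. The following script is an added example (not SecureW2 or Google code) that parses a constructed IdP metadata document of the shape Google produces, rejects metadata with no signing certificate or usable SSO binding, and renders the SP side as a metadata fragment with WantAssertionsSigned set, which is the metadata equivalent of ticking Signed Response. The entityID, idpid, certificate body and SP URLs are placeholders, not values from any real tenant.

```python
"""Parse SAML IdP metadata and build the matching SP metadata.

Added example, not SecureW2 or Google code. SAMPLE_IDP_METADATA is a
constructed document in the shape Google emits; every identifier and the
certificate body are placeholders.
"""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample (placeholder idpid and certificate), not real metadata.
SAMPLE_IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://accounts.google.com/o/saml2?idpid=EXAMPLEIDPID">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>
            MIIBPLACEHOLDERCERTIFICATEBODY==
          </ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://accounts.google.com/o/saml2/idp?idpid=EXAMPLEIDPID"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://accounts.google.com/o/saml2/idp?idpid=EXAMPLEIDPID"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def parse_idp_metadata(xml_text: str) -> dict:
    """Return entityID, signing certificates and SSO endpoints from IdP metadata.

    Raises ValueError when the document lacks what a service provider needs
    to verify signed responses or to start an SSO flow.
    (On untrusted input use defusedxml rather than xml.etree directly.)
    """
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("not a SAML EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor")

    # Only keys marked use="signing" (or with no 'use', which means both)
    # may be trusted to verify response signatures; skip encryption-only keys.
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.findall(".//ds:X509Certificate", NS):
            certs.append("".join((cert.text or "").split()))  # strip PEM line breaks
    if not certs:
        raise ValueError("no signing certificate in metadata")

    sso = {svc.get("Binding"): svc.get("Location")
           for svc in idp.findall("md:SingleSignOnService", NS)}
    if REDIRECT not in sso and POST not in sso:
        raise ValueError("no usable SingleSignOnService binding")

    return {"entity_id": root.get("entityID"), "signing_certs": certs, "sso": sso}


def build_sp_metadata(sp_entity_id: str, acs_url: str) -> str:
    """Render the SP side (EntityId + ACS URL) as SAML metadata.

    WantAssertionsSigned="true" states in metadata what the Signed Response
    checkbox states in the Google Admin UI: unsigned assertions are rejected.
    """
    ET.register_namespace("md", NS["md"])
    md = lambda tag: f"{{{NS['md']}}}{tag}"
    root = ET.Element(md("EntityDescriptor"), entityID=sp_entity_id)
    spsso = ET.SubElement(root, md("SPSSODescriptor"),
                          AuthnRequestsSigned="false", WantAssertionsSigned="true",
                          protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol")
    ET.SubElement(spsso, md("NameIDFormat")).text = \
        "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
    ET.SubElement(spsso, md("AssertionConsumerService"),
                  Binding=POST, Location=acs_url, index="0", isDefault="true")
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    info = parse_idp_metadata(SAMPLE_IDP_METADATA)
    print("IdP entityID:", info["entity_id"])
    print("SSO (redirect):", info["sso"].get(REDIRECT))
    # Placeholder SP values; in practice these come from the management portal.
    print(build_sp_metadata("https://sp.example.invalid/saml", "https://sp.example.invalid/acs"))
```

Before trusting the certificate pulled from the metadata file, compare its fingerprint with what the Google Admin Console shows; metadata is only as trustworthy as the channel it was downloaded over.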

Configure Attribute Mapping

By using Attribute Mapping, you are able to organize network users into different groups and adjust particular settings based on the type of user. For example, you could set different settings for students and teachers in a school, such as how many devices they can use to access the network and how long the certificate on their device will remain valid.

  1. In the Google Admin Page, scroll down to Attribute Mapping
  2. Click on Add New Mapping to configure the attributes you will encode into the certificate
    • In your directory, you’ll likely have a name and an email
  3. In the Enter the Application Attribute section, enter name
  4. In the Select Category section, choose Basic Information
  5. In the Select User Field section, choose First Name and click Save
  6. Click Add New Mapping again
  7. In the Enter the Application Attribute section, enter email
  8. In the Select Category section, choose Basic Information
  9. In the Select User Field section, choose Primary Email and click Save

Adding new fields to the attribute mapping.

While you can have any attribute inserted into the certificate, we officially recommend using the attributes email, displayName, and upn. These attributes will give you all you need to tie users and devices to their network connection and use group-based policies to configure network settings. Here is how to set up these attributes:

  1. Navigate to the SecureW2 Management Portal, and go to the Attribute Mapping tab and click Add
  2. In the Local Attribute field, type email
  3. In the Remote Attribute field, select USER_DEFINED and type email into the dialog box that appears and click Next and then click Add
  4. In the Local Attribute field, type displayName
  5. In the Remote Attribute field, select USER_DEFINED and type name into the dialog box that appears and click Next and then click Add
  6. In the Local Attribute field, type upn
  7. In the Remote Attribute field, select USER_DEFINED and type email into the dialog box that appears and click Next and then click Update

The attributes are now connected and you can view them in the certificate.

Viewing attributes in the certificates
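The two mapping tables above chain together: Google sends the application attributes name and email, and SecureW2 maps them to the local attributes displayName, email and upn (upn deliberately reuses the email remote attribute). The script below is an added example (not SecureW2 or Google code) that applies exactly that mapping to the AttributeStatement of a constructed SAML response, refuses a response that carries no XML Signature (the Signed Response option from the Google setup) or a non-Success status, and fails closed when a mapped attribute is missing, since a certificate issued with an empty subject field is worse than no certificate. The signature is only checked for presence here; cryptographic verification against the IdP's signing certificate is assumed to be done by an XML-DSig library before this code runs on real traffic. All names, URLs and values in the sample are placeholders.

```python
"""Apply a SAML attribute mapping (local name -> remote attribute) to a response.

Added example, not SecureW2 or Google code. SAMPLE_RESPONSE is a constructed
document with placeholder issuer, URLs, user and signature value.
"""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# The mapping as configured in the steps above: local attribute -> remote attribute.
ATTRIBUTE_MAPPING = {
    "email": "email",
    "displayName": "name",
    "upn": "email",  # upn reuses the remote email attribute
}

# Constructed sample response (placeholder values, not real traffic).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0"
    IssueInstant="2024-01-01T00:00:00Z" Destination="https://sp.example.invalid/acs">
  <saml:Issuer>https://accounts.google.com/o/saml2?idpid=EXAMPLEIDPID</saml:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignatureValue>PLACEHOLDERSIGNATURE==</ds:SignatureValue>
  </ds:Signature>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>https://accounts.google.com/o/saml2?idpid=EXAMPLEIDPID</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jane@example.invalid</saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="name"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="email"><saml:AttributeValue>jane@example.invalid</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>
"""


def remote_attributes(response_xml: str) -> dict:
    """Return {remote attribute name: [values]} from a signed, successful response.

    Presence of ds:Signature on the Response or Assertion is required here;
    verifying that signature is assumed to happen in an XML-DSig library first.
    (On untrusted input parse with defusedxml rather than xml.etree directly.)
    """
    root = ET.fromstring(response_xml)
    if root.find("ds:Signature", NS) is None and root.find("saml:Assertion/ds:Signature", NS) is None:
        raise ValueError("unsigned SAML response rejected")
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        raise ValueError("SAML response status is not Success")
    attrs = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
    return attrs


def map_attributes(remote: dict, mapping: dict = ATTRIBUTE_MAPPING) -> dict:
    """Translate remote attributes into local ones; fail closed on a missing value."""
    local, missing = {}, []
    for local_name, remote_name in mapping.items():
        values = remote.get(remote_name)
        if not values or not values[0]:
            missing.append(remote_name)
            continue
        local[local_name] = values[0]  # first value is what ends up in the certificate
    if missing:
        raise ValueError(f"assertion lacks mapped attribute(s): {sorted(set(missing))}")
    return local


def certificate_fields(response_xml: str) -> dict:
    """The local attributes that would be encoded into the user's certificate."""
    return map_attributes(remote_attributes(response_xml))


def strip_signatures(xml_text: str) -> str:
    """Helper for exercising the failure mode: the same document with every ds:Signature removed."""
    root = ET.fromstring(xml_text)
    for parent in list(root.iter()):
        for sig in parent.findall("ds:Signature", NS):
            parent.remove(sig)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print(certificate_fields(SAMPLE_RESPONSE))
    try:
        certificate_fields(strip_signatures(SAMPLE_RESPONSE))
    except ValueError as exc:
        print("rejected:", exc)
```

Two practical checks fall out of this: a user whose directory entry has no name will be rejected rather than issued a certificate with an empty displayName, and an attacker who can only reach the ACS URL without the IdP's signing key gets a rejected response, provided the signature is actually verified and not merely present.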


Policy Configuration in SecureW2

Policies can be used effectively to apply unique network settings to different user groups. In this setup guide, we will be configuring the policies to use Google Apps as our identity provider and link to a Network Profile.

  1. Go to Getting Started, enter your SSID name in the SSID field and ensure that EAP Method is set to EAP-TLS and click Create
    • This configuration will take approximately 60-90 seconds
  2. Under Policy Management, click Authentication
  3. Click Edit next to your network
    • Under Conditions, be sure your network is selected
    • In Settings, be sure to select the identity provider you created earlier in this process
  4. Click Update and under Policy Management, click User Roles
  5. Click Edit on the Default Role Policy that was created
  6. Under Conditions, select the Identity Provider that was created in the Identity Provider Dropdown, then click Update

Concluding Thoughts

Connecting the SecureW2 network to a Google Apps SAML application gives network administrators what they need: users connect to the network easily, and administrators gain a higher level of control. Users complete the onboarding process once and stay connected, whereas in the past onboarding was a manual effort that diverted countless resources. Administrators can also differentiate between groups and ensure that everyone in the organization has access to the connections they need. If you’re interested in learning more about the advantages your IT department can experience, contact us and we’d be happy to set up a free trial to demonstrate our value.