
Tips and HowTos for Single Sign-On & Federation Oracle Identity Management Integrations

  • October 30, 2015

Integrating Google IdP with OIF SP

Google Apps recently introduced a new SAML 2.0 feature, where Google can now act as an Identity Provider with remote SAML 2.0 Service Providers.

This allows using Google as:

  • The authentication authority for end users
  • The server that will provide true SSO capabilities as the user authentication state is propagated from the Google IdP to remote domains

In this article, I will describe step by step how to integrate Google IdP with OIF as an SP via the SAML 2.0 SSO protocol.

Enjoy the reading!

User Mapping


Users in Google Apps are uniquely identified by their email addresses, which were set when those users were created.

During a SAML 2.0 SSO flow, the Google IdP will provide the user's email address to the remote SP:

  • In the SAML 2.0 NameID field
  • With the NameID value set to the user's primary email address

In the next steps, I will show how to determine the user's primary email address in Google Apps.

To view a user account in Google Apps, perform the following steps:

  • Launch a browser
  • Go to http://www.google.com/a
  • Click Sign In

Perform the following steps:

  • In the domain field, enter the name of your domain (in this example, www.acme.com)
  • Select Admin Console
  • Click Go

Perform the following steps:

  • In the Dashboard, click on Users

Perform the following steps:

  • Select a user to view


The next screen will show details about the user. The email address is displayed underneath the user's identity. In this example, the Google IdP will send alice@acme.com to the remote SP during the SAML 2.0 SSO operation:


Google IdP Configuration


Collecting OIF Information

The following information will need to be entered into the Google IdP SSO Admin console:

  • SAML 2.0 SSO SP endpoint
  • ProviderID

In this earlier article, I listed the endpoints published by OIF. The SAML 2.0 SSO IdP endpoint and the SAML 2.0 logout endpoint would be http(s)://oam-public-hostname:oam-public-port/oamfed/idp/samlv20, with oam-public-hostname and oam-public-port being the values of the public endpoint, where the user will access the OAM/OIF application (load balancer, HTTP reverse proxy...).

If you are unsure about the oam-public-hostname and oam-public-port, you can:

  • Go to the OAM Administration Console: http(s)://oam-admin-host:oam-admin-port/oamconsole
  • Navigate to Configuration -> Settings -> Access Manager
  • The oam-public-hostname is the OAM Server Host, the oam-public-port is the OAM Server Port and the protocol (http or https) is listed in OAM Server Protocol.

In the same article, I also explained how to determine the ProviderID used by OIF:

  • Go to the OAM Administration Console: http(s)://oam-admin-host:oam-admin-port/oamconsole
  • Navigate to Configuration -> Settings -> Federation
  • Write down the ProviderID

Configuring the Google IdP

To configure Google as an IdP, perform the following steps:

  • Launch a browser
  • Go to https://www.google.com/enterprise/apps/business/
  • Authenticate and go to the Admin Dashboard
  • Click on Apps

Perform the following steps:

  • Click on SAML Apps

Perform the following steps:

  • Click on Add a service/App to your domain

Perform the following steps:

  • Click on SETUP MY CUSTOM APP

Perform the following steps:

  • In the section Option 2, click the Download button to download the Google IdP SAML 2.0 Metadata file on your local machine
  • Once done click Next

Perform the following steps:

  • Enter an Application Name
  • Optionally upload a logo
  • Once done click Next

Perform the following steps:

  • Enter the ACS (Assertion Consumer Service URL)
    • http(s)://oam-public-hostname:oam-public-port/oam/server/fed/sp/sso
    • Based on the OIF information collected earlier replace http(s) by the OAM public endpoint protocol and the oam-public-hostname and oam-public-port by their values
  • Enter the ProviderID collected earlier in the Entity ID field
  • Leave Primary Email as the NameID, as we will use the email contained in the NameID to map the user in OAM/SP
  • Optionally enter a Start URL for Google IdP Initiated SSO operations, where the user will click on the SAML Application partner at Google to be redirected to the Application at OAM: this would be the protected application URL, or unsolicited Relay State.
  • Click Next

Perform the following steps:

  • In this section, you can add attributes that will be sent by the Google IdP. To add an attribute:
    • Click ADD NEW MAPPING
    • Enter the name as it will appear in the SAML Assertion in the first field
    • Select the category of the User attribute from the Google LDAP you wish to send
    • Select the attribute you wish to send
  • Once done click FINISH

If the setup was successful, a success message will be displayed:

To enable the SP Application, you will need to turn it on:

  • Click on the Menu for the SAML application
  • Click on ON for Everyone

Perform the following steps:

  • Confirm by clicking TURN ON FOR EVERYONE

OIF Setup


To add Google as an IdP partner in OIF, execute the following steps:

  • Go to the OAM Administration Console: http(s)://oam-admin-host:oam-admin-port/oamconsole
  • Click on Federation
  • Navigate to Federation -> Service Provider Management
  • Click on the “Create Identity Provider Partner” button
  • In the Create screen:
    • Enter a name for the Google IdP
    • Check whether or not this partner should be used as the IdP by default when starting a Federation SSO operation, if no IdP partner is specified. (in this example we will set it as the default IdP)
    • Select SAML 2.0 as the Protocol
    • Click Load Metadata and upload the SAML 2.0 Metadata file for the Google IdP
    • Assertion Mapping section:
      • Optionally set the OAM Identity Store that should be used (note: in the example, I left the field blank to use the default OAM Identity Store)
      • Optionally set the user search base DN (note: in the example, I left the field blank to use the user search base DN configured in the Identity Store)
      • Select how the mapping will occur (note: in the example, I am mapping the Assertion via the NameID to the LDAP mail attribute)
    • Click Save
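As an added example (not from the post or from Oracle's OIF code), here is what the Google and OIF settings above mean for an incoming assertion on the SP side: the Audience must equal OIF's ProviderID (the Entity ID entered at Google), the Recipient must be the ACS URL, and the NameID (Google's primary email) is the key mapped to the LDAP mail attribute. The ProviderID, ACS host and Google entityID values are constructed placeholders, and XML signature verification is assumed to have happened before this check.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
# Constructed placeholders for the values collected in the OIF console and the Google metadata.
SP_PROVIDER_ID = "https://oam.acme.com/oam/fed"             # Entity ID entered at Google
SP_ACS_URL = "https://oam.acme.com/oam/server/fed/sp/sso"   # ACS URL entered at Google
IDP_ENTITY_ID = "https://accounts.google.com/o/saml2?idpid=PLACEHOLDER"  # entityID from metadata

def extract_mapping_key(response_xml, now=None):
    """Return the email to look up in the LDAP mail attribute, or raise ValueError.
    Assumes the XML signature was already verified with the certificate from the metadata."""
    now = now or datetime.now(timezone.utc)
    a = ET.fromstring(response_xml).find("saml:Assertion", NS)
    if a is None or a.findtext("saml:Issuer", namespaces=NS) != IDP_ENTITY_ID:
        raise ValueError("missing Assertion or not issued by the configured Google IdP")
    aud = a.findtext("saml:Conditions/saml:AudienceRestriction/saml:Audience", namespaces=NS)
    if aud != SP_PROVIDER_ID:
        raise ValueError("Audience %r is not our ProviderID" % aud)
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != SP_ACS_URL:
        raise ValueError("not addressed to our ACS URL")
    if now >= datetime.fromisoformat(scd.get("NotOnOrAfter").replace("Z", "+00:00")):
        raise ValueError("assertion expired")
    nameid = a.find("saml:Subject/saml:NameID", NS)
    if nameid is None or nameid.get("Format") != EMAIL_FORMAT:
        raise ValueError("NameID is not the primary email address")
    return nameid.text.strip().lower()  # normalise before the LDAP mail lookup

# Constructed, unsigned sample of what Google would send for alice@acme.com.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="%s" xmlns:saml="%s" Destination="%s">
 <saml:Assertion><saml:Issuer>%s</saml:Issuer>
  <saml:Subject><saml:NameID Format="%s">Alice@acme.com</saml:NameID>
   <saml:SubjectConfirmation><saml:SubjectConfirmationData Recipient="%s"
     NotOnOrAfter="2015-10-30T12:05:00Z"/></saml:SubjectConfirmation></saml:Subject>
  <saml:Conditions><saml:AudienceRestriction><saml:Audience>%s</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions></saml:Assertion></samlp:Response>""" % (
    NS["samlp"], NS["saml"], SP_ACS_URL, IDP_ENTITY_ID, EMAIL_FORMAT, SP_ACS_URL, SP_PROVIDER_ID)

def demo():
    """Sample maps to alice@acme.com; the same assertion with another SP's Audience is rejected."""
    fixed_now = datetime(2015, 10, 30, 12, 0, tzinfo=timezone.utc)  # keeps the sample unexpired
    email = extract_mapping_key(SAMPLE_RESPONSE, now=fixed_now)
    try:
        extract_mapping_key(SAMPLE_RESPONSE.replace(SP_PROVIDER_ID, "https://other.example/sp"), now=fixed_now)
        rejected = False
    except ValueError:
        rejected = True
    return email, rejected
```

The lower-cased result is what the OIF "map Assertion via NameID to LDAP mail" setting looks up; a mismatch in any of the checked fields means the Google settings and the OIF ProviderID/ACS values do not agree.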

Test


To test:

  • Either protect a resource with WebGate and a FederationScheme with ADFS IdP being the Default SSO Identity Provider for OIF
  • Or use the OIF Test SP application and select Google as the IdP

To test using the Test SP:

  • Ensure that the Test SP Application has been enabled (see my previous article)
  • Navigate to http(s)://oam-public-hostname:oam-public-port/oamfed/user/testspsso
  • Select the Google IdP
  • Click Start SSO

At the Google IdP, enter the user's email address.

Enter the user's password.

Once entered, the Google IdP will authenticate you and redirect you to the OAM SAML SP that will show the result of the Federation SSO.


In my next article, I will cover the SP Initiated SSO flows vs IdP Initiated SSO flows.
Cheers,
Damien Carru


