Setting Up SSO with Google Apps


The EmpowerID SSO framework allows you to integrate Google Apps with EmpowerID, making EmpowerID the identity provider for your organization's Google Apps account. In this way, users can access their corporate Google accounts directly from EmpowerID using their EmpowerID credentials, their corporate AD logins or those of another trusted (third-party) identity provider that has been integrated with EmpowerID.


Prerequisites

You must have a Google Apps for Business or Education account with Google.

For specific directions on registering EmpowerID as an application in Google, see the information provided by Google at https://console.developers.google.com.


To create a Google Apps application in EmpowerID

  1. In the Navigation Sidebar of the EmpowerID Web interface, expand Applications and click Manage Applications.
  2. From the Actions pane, click the Create Application action.



    This opens the Application Details form, which contains various tabs and fields for creating the application.



  3. From the General tab of the Application Details form, do the following:
    1. Enter a name, display name and description for the application in the Name, Display Name and Description fields.
    2. In the Icon field, enter ~Images/AppLogos/Google.png to use the Google image provided by EmpowerID. This image represents Google in the Personal Applications page for users who have access.
    3. Set Allow Access Requests to specify whether the application appears in the IT Shop, allowing users to request or claim an account in the application.
    4. Set Allow Claim Account to specify whether users can claim their accounts and gain instant access after passing the requisite identity proofs.
    5. Set SSO Enabled to specify whether the application is an SSO app. Select this.
    6. Set Requires Account For SSO to specify whether users must have an account in the application for SSO. Select this.
    7. Set Allow Request Account and Allow Access Requests to allow users to request an account in the application.
    8. Set Login Is Email Address to specify whether the login for the application is an email address. This setting is needed to pass the identity assertion to the application when logging in from EmpowerID.
    9. Set Make me the Application Owner to manage the application and approve or deny access requests.
    10. Set Configure Advanced Claim and Request Account Options and provide advanced configuration information if you have custom pages and workflows configured in EmpowerID that process access requests and manage accounts linked to the application's EmpowerID account directory.
  4. Click the Single Sign-On tab and do the following:
    1. Select SAML from the Single Sign-On Connection Type drop-down and then select Create a New SAML Connection.



    2. In the SAML Connection Information section that appears, select Google SSO Connection Settings from the SAML Application Template drop-down. This populates the SAML Connection Information section with the common SSO settings for Google Apps provided by the template.
    3. In the Display Name field of the SAML Connection Information section, type the name for the Google Apps SSO Connection that you want to appear to users in EmpowerID. By default EmpowerID populates the value of this field with the name you gave to the application.
    4. Select the certificate to sign the SAML assertions sent to Google from the Certificate drop-down.
    5. Edit the value of the Assertion Consumer URL field, replacing "yourdomain.com" with the name of your Google Apps domain.



  5. Click the Users tab and do one of the following:
    • If you have not connected EmpowerID to your enterprise Google Apps account - Tick Create a New Account Directory or select Google from the Select existing Account Directory drop-down. If you select Create a New Account Directory, EmpowerID creates a special type of "tracking-only" account store, named after the application, that is internal to EmpowerID. A tracking-only account store account exists as a container within EmpowerID for storing user and group records apart from those located in the actual directory Google maintains for your Google Apps. If you select Google, EmpowerID uses the Google tracking-only account store that is configured out-of-the-box.

      Although you have the option to create a tracking-only account store for Google Apps, the best practice is to connect EmpowerID to Google so you can inventory and synchronize the user data in your Google Apps account with EmpowerID. This lets you create new Google accounts in EmpowerID and have them appear in Google and vice-versa. For more information, see Connecting to Google Apps.

    • If you have connected EmpowerID to your enterprise Google Apps account - Select the account store for your Google Apps from the Select existing Account Directory drop-down. EmpowerID uses this directory to map your Google Apps users to their corresponding EmpowerID Persons. Please note that you must add this account store to EmpowerID before it appears in the drop-down.

  6. Click Add to Cart, click the My Cart link, and in the Cart dialog that appears, enter a reason for creating the application and click Submit.
  7. After EmpowerID creates the application, in the Navigation Sidebar, expand Admin, then Applications and Directories, then SSO Connections, and click SAML.
  8. From the SAML Connections tab of the SAML SSO Connections management page, search for the Google SAML Connection you just created.
  9. From the SAML Connections grid, click the Display Name link.



  10. In the View One page for the application that appears, copy the User Entered URL. This URL will need to be added to Google when you register EmpowerID there.
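As an added check that is not part of the EmpowerID documentation, the Python below validates a SAML Response against the settings chosen in steps 3 and 4 above: a signed assertion (the Certificate drop-down), an email-address login (Login Is Email Address) and an Assertion Consumer URL for your own domain. It assumes Google's ACS URL pattern https://www.google.com/a/<domain>/acs, which is what the template value with "yourdomain.com" resolves to, and runs over a constructed sample response.

```python
"""Sanity-check a SAML Response for a Google Apps SSO connection.

Added example, not EmpowerID or Google code. Assumption: Google's ACS URL is
https://www.google.com/a/<domain>/acs. The sample response is constructed.
"""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
EMAIL_NAMEID = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"


def expected_acs_url(domain: str) -> str:
    """ACS URL after 'yourdomain.com' is replaced with the real domain."""
    return f"https://www.google.com/a/{domain}/acs"


def check_response(xml_text: str, domain: str) -> list:
    """Return configuration problems; an empty list means the response
    matches the settings this page has you choose for Google Apps."""
    problems = []
    root = ET.fromstring(xml_text)
    acs = expected_acs_url(domain)
    if root.get("Destination") != acs:
        problems.append(f"Destination is not the ACS URL {acs}")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return problems + ["no Assertion element"]
    # Presence check only: the assertion must carry the signature made with the
    # selected certificate. Cryptographic verification is out of scope here.
    if assertion.find("ds:Signature", NS) is None:
        problems.append("Assertion is not signed")
    # 'Login Is Email Address': the NameID Google receives must be the email login.
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != EMAIL_NAMEID or "@" not in (name_id.text or ""):
        problems.append("NameID is not an email-address login")
    # SAML Web Browser SSO profile: Recipient must also name the ACS URL.
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != acs:
        problems.append("SubjectConfirmationData Recipient is not the ACS URL")
    return problems


# Constructed sample of a response that satisfies every check for example.com.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
  xmlns:ds="{NS['ds']}" Destination="https://www.google.com/a/example.com/acs">
  <saml:Assertion><ds:Signature/>
    <saml:Subject><saml:NameID Format="{EMAIL_NAMEID}">jane@example.com</saml:NameID>
      <saml:SubjectConfirmation><saml:SubjectConfirmationData
        Recipient="https://www.google.com/a/example.com/acs"/></saml:SubjectConfirmation>
    </saml:Subject></saml:Assertion></samlp:Response>"""
```

Running `check_response` against a response captured from your own test login (step 6 of the test procedure below) shows immediately whether the domain substitution or the certificate selection was missed.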


Now that you have created the application in EmpowerID, the next step is to set up SSO with EmpowerID in Google. For specifics, see Google's instructions at https://console.developers.google.com.


After registering EmpowerID in Google, you can test the SSO connection as outlined below.

To test the Google SSO application

  1. Log in to the EmpowerID Web application as the owner of the Google application you just created.
  2. In the Navigation Sidebar, expand Applications and click Request Access.
  3. In the IT Shop, search for the Google application you just created and click the Request Access link.



  4. Below Account Management, if you have connected EmpowerID to Google and have a Google account that has been inventoried by EmpowerID, click Claim Existing Account, or if you do not have a Google account that has been inventoried by EmpowerID, click Request New Account. In this example, select Claim Existing Account.



  5. In the Register SSO Application Account form that appears, select Google (or whatever you named the SSO application when you created it) from the SSO Application drop-down, type your Google login in the SSO Application Login field, and click Submit.

    [Image: the Register SSO Application Account form; the Navigation Sidebar is collapsed to conserve screen real estate.]




    EmpowerID sends a one-time password to the email address associated with your account.

  6. Type the one-time password in the Password field and click Submit.



    Because you are the owner of the application, EmpowerID grants you access to it. If you were not the owner, it would route the access request to the owner for approval.

  7. In the Navigation Sidebar, expand Applications and click Login. Google is listed as one of your personal applications.
  8. Click the Google image to sign in seamlessly to Google.