Integrate Google G suite as a SAML Identity Provider

Article ID: 171556

Products

Web Security Service - WSS

Issue/Introduction

If you want to use Security Assertion Markup Language (SAML) authentication, but do not have your own Active Directory (AD) deployed, you can provision Google G Suite as your company's SAML Identity Provider (IdP).

Resolution

STEP 1 - Google G Suite SAML Configuration

  1. Log in to the G Suite administration console at https://admin.google.com.
  2. Click the SAML box, then click the plus icon in the bottom-right of the page. The Enable SSO for SAML Application page appears.
  3. Scroll down the list of SAML Applications and locate Symantec WSS.
  4. Click the arrow on the right of the Symantec WSS line.
  5. Click Download under Option 2 to save the Google Identity Provider (IdP) file. This file will be used later in the WSS portal to complete the association between Google and WSS.
  6. Click Next.
  7. Confirm basic information for your new SAML application.
  8. Confirm that the page displays the same information as the above image, and click Next.
  9. Define the Symantec Web Security Service details:
     - ACS URL: threatpulse.net:8443/samlsaml_realm/bcsamlpost
     - Entity ID: https://saml.threatpulse.net:8443/saml/saml_realm
  10. You may leave other fields in their default state. Click Next.
  11. Define the user and group identifiers for authentication. The group definitions that may currently exist in your WSS configuration cannot be imported to the G Suite authentication service. This page allows you to map group attributes to the Department group.
  12. Click Add New Mapping to use the Department field as the user group. The groups defined here as Departments can be used in WSS group policy.
  13. Click Finish.

After you complete the G Suite application setup wizard, G Suite displays a settings page.

Click the three-dot menu in the top right and select ON for everyone to enable SAML authentication for all users.

STEP 2 - Federate G Suite With the Web Security Service Portal

  1. Log in to the WSS portal at https://portal.threatpulse.com and go to Service > Authentication > SAML.
  2. Click Import Metadata and browse your system for the IdP file you saved earlier.
  3. Click Import Metadata and locate the XML file you saved from the Google SAML configuration; its name begins with GoogleIDPMetadata.
  4. The Entity ID and Endpoint URL fields auto-populate based on the contents of the IdP file.
  5. Set the endpoint type as Post Endpoint.
  6. Type Department in the Group Attribute field.
  7. Click Save.
  8. Browse to Service > Authentication > Authentication Policy in the portal.
  9. Create rule(s) to associate your new SAML realm with users who browse through Web Security Service.
  10. Click Add Rule.
  11. Choose the access method your users use. If your users access WSS from both methods, repeat this process to create a rule for each access method.
  12. Select the locations supported by your access method to enforce SAML authentication policy against.
  13. Select the locations you want to apply SAML authentication policy to.
  14. Click Add.
  15. Click Next.
  16. Enable Captive Portal for the selected location.
  17. Click the switch to Enable Captive Portal.
  18. Select SAML as the Authentication method.
  19. (Optional) Change the lifespan of the authentication cookie by setting the Auth refresh frequency.
  20. Click Finish.
  21. Enable your new authentication rule.
  22. Check the box next to the new rule.
  23. Click Activate to enable the new rule.