Google-SAML Integration Guide

Operational Scenarios

Google Workspace's SAML-based Single Sign-On (SSO) provides a secure authentication method, allowing users to access multiple services through a single Identity Provider (IdP).

Prerequisites

  1. A Google Workspace account with administrative privileges.
  2. Ensure that your domain has been verified within Google Workspace.

Operation Steps

Configure SAML Application

  1. Log in to Google Admin Console

  2. Access security settings; navigate to Apps > Web & Mobile Apps

  3. Add App > Add Custom SAML App

  4. Fill in the application parameters and click continue

  5. Review the IdP parameters and click continue

  6. Fill in the ACS URL and Entity ID. Enter the HAP service address with the fixed suffixes: ACS URL {HAP}/orgsso/assert and Entity ID {HAP}/orgsso/metadata.xml. These addresses only start working once the HAP side is configured in the later steps. Click continue.

  7. Fill in the attribute mapping: set the user information attributes to be returned in the assertion, such as name and email, and click complete.

  8. Configuration complete

  9. Set user access permissions

  10. Download the IdP metadata. It is used later to configure the identity provider (IdP) for the HAP service.

HAP Integration with SAML Application Single Sign-On

Tip: For detailed steps, refer to the private deployment documentation How to Integrate Single Sign-On - SAML2.

  1. Configure sso.json with the following content (the three params values are explained below the block)

    {
      "mode": "common-saml2",
      "name": "saml2",
      "saml2": {
        "entityId": "{HAP}/orgsso/metadata.xml",
        "assertUrl": "{HAP}/orgsso/assert",
        "params": {
          "UserId": "name_id",
          "Name": "FirstName",
          "Email": "PrimaryEmail"
        },
        "autoRegister": true,
        "projectId": ""
      }
    }

    - UserId: the user's unique attribute; the default is name_id.
    - Name: the FirstName attribute from the attribute mapping.
    - Email: the PrimaryEmail attribute from the attribute mapping.

  2. Configure idp.xml: upload the metadata downloaded in the previous steps to the corresponding directory on the server.

  3. Modify docker-compose.yaml to mount the configuration files (the setup differs in cluster mode), then restart the service.

    - ./volume/sso/sso.json:/usr/local/MDPrivateDeployment/sso/OptionFile/sso.json
    - ./volume/sso/metadata/idp.xml:/usr/local/MDPrivateDeployment/sso/OptionFile/metadata/idp.xml
  4. After the restart is complete, visit {HAP}/orgsso/metadata.xml; the service's SP metadata should be returned as XML.

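Before restarting the service, it is worth checking that sso.json and the uploaded idp.xml agree with the Google side. The following pre-flight script is an added example, not part of the HAP project or this guide: it checks that entityId and assertUrl carry the fixed /orgsso suffixes and share one HAP address, that every attribute named in params exists in the Google attribute mapping from step 7, and that the IdP metadata carries a signing certificate (without one, assertion signatures cannot be verified). The HAP address, idpid and certificate in the samples are constructed placeholders.

```python
import json
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed samples: this guide's sso.json and a cut-down Google IdP metadata file, with placeholders.
SSO_JSON = """{"mode": "common-saml2", "name": "saml2", "saml2": {
  "entityId": "https://hap.example.com/orgsso/metadata.xml",
  "assertUrl": "https://hap.example.com/orgsso/assert",
  "params": {"UserId": "name_id", "Name": "FirstName", "Email": "PrimaryEmail"},
  "autoRegister": true, "projectId": ""}}"""
IDP_XML = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://accounts.google.com/o/saml2?idpid=PLACEHOLDER">
 <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
   <ds:X509Certificate>MIIC...PLACEHOLDER</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
   Location="https://accounts.google.com/o/saml2/idp?idpid=PLACEHOLDER"/>
 </md:IDPSSODescriptor></md:EntityDescriptor>"""

def check_sso_json(text, mapped_attrs):
    """Problems in sso.json; mapped_attrs = attribute names from step 7's mapping."""
    saml, problems = json.loads(text).get("saml2", {}), []
    entity, acs = saml.get("entityId", ""), saml.get("assertUrl", "")
    if not entity.endswith("/orgsso/metadata.xml"):
        problems.append("entityId must end with /orgsso/metadata.xml")
    if not acs.endswith("/orgsso/assert"):
        problems.append("assertUrl must end with /orgsso/assert")
    # Both must share one HAP address, or Google posts the assertion to a host
    # other than the one the metadata describes.
    if entity.rsplit("/orgsso/", 1)[0] != acs.rsplit("/orgsso/", 1)[0]:
        problems.append("entityId and assertUrl point at different HAP addresses")
    # Every params value except name_id must be a mapped attribute, otherwise
    # that field is empty on auto-registered users.
    for field, attr in saml.get("params", {}).items():
        if attr != "name_id" and attr not in mapped_attrs:
            problems.append(f"params.{field} uses unmapped attribute {attr}")
    return problems

def check_idp_metadata(xml_text):
    """Problems in the downloaded IdP metadata that would break assertion checks."""
    idp = ET.fromstring(xml_text).find("md:IDPSSODescriptor", NS)
    if idp is None:
        return ["no IDPSSODescriptor: this is not IdP metadata"]
    # Without a signing certificate HAP cannot verify assertion signatures.
    certs = [c for k in idp.findall("md:KeyDescriptor", NS) if k.get("use", "signing") == "signing"
             for c in k.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS) if (c.text or "").strip()]
    return [] if certs else ["no signing certificate in metadata"]
```

Run both checks against the real files before the restart in step 3; an empty list from each means the configuration is consistent with what Google was given.
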
User SSO Login

  1. Open the single sign-on entry address {HAP}/orgsso/sso in the browser.

  2. Log in with the organizational Google account.

  3. The user is logged in to HAP.

  4. If the user's organizational unit is changed to one that has not been granted access to the app (see step 9 of the Google configuration), the login attempt is rejected with a 403.