SSO Google G-Suite Setup
The following instructions set up an identity provider with Google G-Suite.
Introduction
Google G-Suite users can use their managed Google account credentials to sign in to enterprise cloud applications via Single Sign-On (SSO) using SAML 2.0. Tehama can be integrated with G-Suite through SAML 2.0 and presented as a managed application alongside other G-Suite integrated applications.
Once enabled, authentication to Tehama must be made through G-Suite; local authentication through https://app.tehama.io is no longer possible except with the Tehama Org Admin account. The G-Suite/Tehama integration is limited to authentication only.
User accounts are required for both G-Suite and Tehama. Both accounts must be configured with the same email address for SSO to work, and the user must accept the Tehama Welcome email before they will be able to launch a connection via G-Suite SSO.
Integration Summary
Integration with G-Suite SSO is a four-step process as follows.
- Obtain initial configuration settings from Tehama
- Create an application in G-Suite
- Obtain the required Federation Metadata XML from G-Suite
- Enter it back into Tehama
Prerequisites for G-Suite Integration
- A Tehama Account with Org Admin privileges
- A G-Suite account with Super Admin privileges
Setup Time - 10 minutes
Create a connected application
Log in to Tehama using the Org Admin Account and click the ORGANIZATION tab in the navigation bar.
Select the AUTHENTICATION tab.
Check "Enable SAML Single-Sign on".
Open a second browser tab and sign in to your G-Suite Admin Account.
Select Apps from the top level menu.
Select SAML Apps.
Select the Plus Symbol and then select Create New App.
Select Setup My Own Custom App.
Click on the IDP metadata Download link; a new browser tab will open.
Copy the IDP metadata to the clipboard, and click Next to continue.
Return to the Tehama Web UI, paste the IDP metadata from the clipboard into the Federation Metadata XML box, and click SAVE.
Now that you have completed this step, each existing team member in your organization will receive an email inviting them to configure their SSO login by clicking on the provided link, CONFIGURE SSO LOGIN, and to follow the instructions.
Each subsequently added team member will receive the same email and must also configure their SSO login by clicking on the provided link.
Return to the G-Suite Admin Console tab to configure the basic application settings.
Provide an appropriate application name, description and logo, and click Next to continue.
You may download and save a copy of this image to use as the logo.
Now copy the Callback URL from the AUTHENTICATION METHOD section of the Tehama Web UI's Authentication page (this field is visible on the page when "Enable SAML Single-Sign on" is checked) and paste it into the ACS URL field on the G-Suite admin page. Then copy the Entity ID from the same place and paste it into the Entity ID field.
Leave all other fields at their default values.
Click Next to display the final configuration page and click Finish.
Configuration is now complete.
You will still need to return to the G-Suite Console to assign User and Group settings as appropriate for your organization before it will be possible to access Tehama using G-Suite integration.
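As an added example that is not part of these instructions or of Tehama's own tooling, the following Python script sanity-checks an IdP metadata document of the kind downloaded from the G-Suite Admin Console before it is pasted into the Federation Metadata XML box: it confirms the document describes an identity provider, carries a signing certificate, and exposes HTTPS sign-on endpoints. The sample metadata, its entityID, idpid and certificate text are constructed placeholders, not real Google values.

```python
import xml.etree.ElementTree as ET

# SAML 2.0 metadata and XML Signature namespaces used in IdP federation metadata
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample shaped like the G-Suite "IDP metadata" download.
# The idpid and the certificate body are placeholders, not real values.
SAMPLE_IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://accounts.google.com/o/saml2?idpid=EXAMPLE_ID">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>MIIC...PLACEHOLDER...</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://accounts.google.com/o/saml2/idp?idpid=EXAMPLE_ID"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://accounts.google.com/o/saml2/idp?idpid=EXAMPLE_ID"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def check_idp_metadata(xml_text):
    """Return (entity_id, sso_locations, problems); an empty problems list means
    the document has what the service provider needs to verify Google's responses."""
    problems = []
    root = ET.fromstring(xml_text)  # use defusedxml for metadata from untrusted sources
    entity_id = root.get("entityID")
    if root.tag != "{%s}EntityDescriptor" % NS["md"] or not entity_id:
        problems.append("root is not an EntityDescriptor with an entityID")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        problems.append("no IDPSSODescriptor: this is not identity-provider metadata")
        return entity_id, [], problems
    # The signing certificate is what lets the SP verify assertion signatures;
    # a KeyDescriptor with no 'use' attribute covers both signing and encryption.
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") == "signing":
            certs += kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    if not any((c.text or "").strip() for c in certs):
        problems.append("no signing X509Certificate in any KeyDescriptor")
    locations = [s.get("Location", "") for s in idp.findall("md:SingleSignOnService", NS)]
    if not locations:
        problems.append("no SingleSignOnService endpoint")
    for loc in locations:
        if not loc.startswith("https://"):
            problems.append("SingleSignOnService not over https: %s" % loc)
    return entity_id, locations, problems
```

Run it against the text you copied from the Admin Console; any entry in the returned problems list is a reason not to save that metadata into Tehama.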