2.7.13
External Identity Provider Configuration - Google IDP

Last updated 1 year ago


Google Configuration:

  1. Log in to your Google admin account and go to the Admin section.

Once in the admin section, click on Apps > Overview.

On the overview page, click on the Web and mobile apps tile to add a new custom app.

On the Web and mobile apps page, click on the Add app dropdown and then select Add custom SAML app to add the Cymmetri tenant as a custom app.

Provide a relevant App Name. Optionally, a description for the application can be provided, and an App Icon can be attached if required. Once entered, click on the Continue button.

Once the IDP metadata and certificate are obtained, the Service Provider (i.e. Cymmetri) details need to be provided. We need to provide the ACS URL and the Entity ID; these details can be obtained from Cymmetri. No change is needed for Name ID format and Name ID; they can be kept as UNSPECIFIED and Basic Information > Primary email respectively. Once done, click on Continue.

Attributes can be added on this screen, which are then sent in the SAML response to Cymmetri. These values can be used to create a user in Cymmetri if JIT provisioning is enabled on Cymmetri's side.

Group membership information can also be sent by configuring groups here; it is sent if the user belongs to a configured group. Once attributes and groups are configured, click on FINISH.

Once you click on the FINISH button, a screen appears that shows the configuration details. It also shows various shortcuts to Test SAML Login, Download Metadata, Edit Details and Delete App.

Download IDP Certificate

If the administrator does not download the certificate while configuring the custom application, it can be downloaded later. To do so, the administrator needs to go to Security > Authentication > SSO with SAML applications. This opens the Security Settings page, from which the IDP details such as SSO URL and Entity ID can be copied and the IDP Certificate can be downloaded. These details can be used to configure the IDP in Cymmetri.

Cymmetri Configuration

Once Google IDP is configured, the administrator must proceed with the configuration on the Cymmetri side. To achieve this, the administrator needs to set up Cymmetri as a Service Provider and also incorporate Google as an external IDP.

Once the Service Provider is configured, the next step is to configure Google as an external IDP.

The administrator needs to go to Authentication->Identity Provider->External IDP. Here you may either configure the already created google-idp instance or click +Add New.

In either case, a screen opens where you need to provide the details listed below:

  • Name: Google IdP

  • IDP Type: Google

  • Entity ID: https://accounts.google.com/o/saml2?idpid=xxxxxxxxxxxx

  • SSO Service URL: https://accounts.google.com/o/saml2/idp?idpid=xxxxxxxxxxxx

  • Destination: https://<hostname>/spsamlsrvc/samlSP/SingleSignOn

  • Protocol Binding: HTTP Post (can also be set to HTTP Redirect if it is set so in Google IDP)

  • Name ID Policy:

    • Policy: Email (This may change based on what is configured in Google IDP)

    • Value: Email (This may change based on what is configured in Google IDP)

  • Certificate: Certificate downloaded from Google IDP

  • Logout Request URL: The SingleLogoutService URL from the metadata file, if SLO (Single Logout) is configured in Google.

  • Logout Protocol Binding: HTTP Post (can also be set to HTTP Redirect if it is set so in Google IDP)

  • Service Provider Id: cymmetri (Need to select the configured Service Provider as shown above)

Once all the details are entered, save the changes.

Once the rule is configured, whenever a user matches the rule conditions, the user is redirected to the Google screen and needs to provide his/her Google credentials to log in to Cymmetri.

On the Google Identity Provider Detail page, download the metadata file by clicking on the DOWNLOAD METADATA button. This metadata file is used to get the Entity ID, SSO URL and Certificate. The administrator can download the certificate here or later, as described under Download IDP Certificate. Once downloaded, click on Continue.
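The metadata file is the source for the Entity ID, SSO Service URL, Logout Request URL and Certificate fields of the External IDP form. The following Python script is an added example, not code from Cymmetri or Google: it reads those values from a metadata document and computes the SHA-256 fingerprint of the signing certificate so it can be compared with the certificate file uploaded to Cymmetri. The sample metadata, the function name `idp_fields` and the result keys are assumptions made for the example, and the certificate body is a placeholder.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
BINDINGS = "urn:oasis:names:tc:SAML:2.0:bindings:"

# Constructed sample: the idpid and certificate body are placeholders,
# not values from a real Google tenant.
SAMPLE_CERT = base64.b64encode(b"placeholder, not a real certificate").decode()
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://accounts.google.com/o/saml2?idpid=xxxxxxxxxxxx">
 <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:KeyDescriptor use="signing">
   <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:X509Data>
    <ds:X509Certificate>@CERT@</ds:X509Certificate>
   </ds:X509Data></ds:KeyInfo>
  </md:KeyDescriptor>
  <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
      Location="https://accounts.google.com/o/saml2/idp?idpid=xxxxxxxxxxxx"/>
  <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
      Location="https://accounts.google.com/o/saml2/idp?idpid=xxxxxxxxxxxx"/>
 </md:IDPSSODescriptor>
</md:EntityDescriptor>""".replace("@CERT@", SAMPLE_CERT)


def idp_fields(metadata_xml):
    """Extract the values the External IDP form needs from SAML IdP metadata."""
    if "<!DOCTYPE" in metadata_xml:  # SAML metadata never needs a DTD
        raise ValueError("DTD found in metadata")
    root = ET.fromstring(metadata_xml)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor in metadata")
    def endpoints(tag):
        # Map binding short name (HTTP-POST, HTTP-Redirect) to its URL.
        return {e.get("Binding", "").replace(BINDINGS, ""): e.get("Location")
                for e in idp.findall("md:" + tag, NS)}
    prints = []  # SHA-256 of each signing certificate's DER bytes
    for key in idp.findall("md:KeyDescriptor", NS):
        if key.get("use") in (None, "signing"):
            for cert in key.findall(".//ds:X509Certificate", NS):
                der = base64.b64decode("".join((cert.text or "").split()))
                prints.append(hashlib.sha256(der).hexdigest())
    if not prints:
        raise ValueError("no signing certificate in metadata")
    return {"entity_id": root.get("entityID"), "sso": endpoints("SingleSignOnService"),
            "slo": endpoints("SingleLogoutService"), "signing_cert_sha256": prints}
```

An empty `slo` result means the metadata lists no SingleLogoutService, so there is no Logout Request URL to enter. The fingerprint can be checked against the downloaded certificate file with `openssl x509 -in <file> -noout -fingerprint -sha256`, which prints the same digest in upper case with colons.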

The Service Provider page shows how to configure a Service Provider.

To enable Google IDP as the IDP for a specific set of users, an Authentication Rule needs to be configured. The Authentication Rules page gives the steps to configure Authentication Rules.
