Configuring Google G-Suite for SAML Log-in

Single Sign-On (SSO) using SAML 2.0

📘 Looking for an Azure SAML setup example? See: SAML Authentication

About

Do you use G Suite (Gmail) to manage users? Would you like to utilize single sign-on for your Cisco Secure Email Gateway/Cloud Gateway or Cisco Secure Email and Web Manager?

Configuring G Suite (Gmail) for SAML log-in

  1. Sign in to your Google Admin Console

  2. From the Admin console Home page, go to SAML apps

  3. Click Add App > Add custom SAML app

  4. Enter a name for your custom app (example: CISCO EMAIL SAML)

  5. Click Continue

  6. Use Option 1: Download IdP metadata and save the XML to your local host

  7. Click Continue

  8. For the Service provider details, you will need to create the needed SAML login items on the Cisco Secure Email Gateway:

    a. Log in to your ESA
    b. Click System Administration > SAML
    c. Click Add Service Provider...
    d. Enter a name for your Profile Name (example: CISCO EMAIL SAML)
    e. Enter an Entity ID (example: CISCO EMAIL SAML)

    :pencil2: The Service Provider Entity ID is used to uniquely identify a service provider. The format of the Service Provider Entity ID is typically a URI.

    f. You may need to edit the Assertion Consumer URL

    :pencil2: The Assertion Consumer URL is the URL to which the Identity Provider sends the SAML assertion after successful authentication. The URL that you use to access the web interface of your appliance must be the same as the Assertion Consumer URL. You will need this value when you configure the service provider settings on the identity provider.

    :pencil2: For Cisco Secure Email Cloud Gateway administrators, this will be https://dhXXXX-esa#.iphmx.com and not https://esa#.hcYYYY-ZZ.iphmx.com

    g. For SP Certificate, select a pre-configured certificate (if available), or select a self-signed certificate. You may also upload a certificate and key, or PKCS #12 (if available).
    h. Enter in your Organization Details and Technical Contact:
    · Name
    · Display Name
    · URL
    · Email

    i. Click Submit
    j. Click Add Identity Provider...
    k. Enter a name for your Profile Name (example: CISCO EMAIL SAML)
    l. Select Import IDP Metadata > Choose File
    m. For the file, select the XML you saved from your Google Admin Console (step #6)
    n. Click Submit
    o. From the upper-right corner of the UI, click Commit Changes and complete the configuration change at this point on the ESA

  9. Return to your Google Admin Console and, under Service provider details, enter:

  • ACS URL == Assertion Consumer URL (example: https://dhXXXX-esa#.iphmx.com)
  • Entity ID == Profile Name (example: CISCO EMAIL SAML)

  10. Change the Name ID from UNSPECIFIED to EMAIL
  11. Click Continue
  12. For Attributes:
    a. Click ADD MAPPING
    b. From the drop-down, select Department and set the App attribute as "group"
    c. Click Finish

At this time, we have created the needed SAML communication configuration from Google to the Cisco Secure Email Gateway. We will now need to finish the SAML configuration by enabling User access on your SAML app in Google. From your SAML app:

  1. Click User Access
  2. Click On for everyone
  3. Click Save

Now that your SAML app is enabled, you will need to finish the configuration on the ESA side and enable this for ESA admin access. From your ESA:

  1. Click System Administration > Users
  2. In External Authentication, Customer Settings click Enable...
  3. Set the Authentication Type to SAML

:pencil2: You should see the SAML Profile show "SAML profile has been configured System Administration > SAML". If not, be sure that you completed the section above, and you have submitted and committed your configuration changes.

  4. In Group Mapping, you will need to specify the Group name you are using in Google for your users, as tied to the Department. For the purpose of this guide, we are using "TME".
  5. Click Submit
  6. From the upper-right corner of the UI, click Commit Changes and complete the configuration change at this point on the ESA

Testing time!

From your ESA:

  1. Click Options > Log Out
  2. This will take you back to the UI log-in screen
  3. Select the "Use Single Sign On" link now showing in the log-in box
  4. You should be presented with a Google account sign-in screen; select the username for your Google G Suite account
  5. At this time, the ESA UI should continue to log in and load

SAML log-in not logging in?

Did you remember to enable user access for the SAML app in Google?

For the SAML attribute mapping: does each of your users have a group (Department) set?

  1. From the Google Admin console Home page, click Users
  2. Select your username
  3. Click User information
  4. Review and ensure that Department has a value. This value must match the Group Mapping on the ESA in the External Authentication Settings.

Do you have the correct Assertion Consumer URL configured for the ESA?

  1. Review System Administration > SAML > Service Provider Settings
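As an added troubleshooting aid (example code, not Cisco or Google code), the script below checks a captured SAML Response against the three settings that the configuration steps above and this checklist depend on: the Assertion Consumer URL, the EMAIL Name ID format, and the Department-to-"group" attribute mapping. The sample response, the host name dhXXXX-esa1.iphmx.com and the group "TME" are constructed placeholders.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "samlp": "urn:oasis:names:tc:SAML:2.0:protocol"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed, unsigned sample shaped like the assertion the Google app in this
# guide would send (Name ID = EMAIL, Department mapped to "group"). The host and
# group are placeholders, not real values. A real Response is signed, and the
# signature must be verified before any of these fields is trusted.
SAMPLE_RESPONSE = """<samlp:Response
  xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  Destination="https://dhXXXX-esa1.iphmx.com">
  <saml:Assertion>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">admin@example.com</saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="group">
        <saml:AttributeValue>TME</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def check_assertion(xml_text, acs_url, group_mapping):
    """Return the list of mismatches against the ESA settings; [] means all three checks pass."""
    problems = []
    root = ET.fromstring(xml_text)
    # 1. Destination must equal the ESA Assertion Consumer URL exactly
    #    (for Cloud Gateway that is the dhXXXX-esa#.iphmx.com form, see above).
    dest = root.get("Destination")
    if dest != acs_url:
        problems.append(f"Destination {dest!r} != ACS URL {acs_url!r}")
    # 2. Name ID must use the EMAIL format selected in the Google SAML app.
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != EMAIL_FORMAT:
        problems.append("NameID missing or not in emailAddress format")
    # 3. The "group" attribute (Department in Google) must carry the value
    #    entered as Group Mapping in the ESA External Authentication settings.
    groups = [v.text for v in root.findall(
        ".//saml:Attribute[@Name='group']/saml:AttributeValue", NS)]
    if group_mapping not in groups:
        problems.append(f"group values {groups!r} do not include {group_mapping!r}")
    return problems
```

Run `check_assertion(SAMPLE_RESPONSE, "https://dhXXXX-esa1.iphmx.com", "TME")` against a decoded Response from the browser's SAML trace; each returned string names one of the checklist items above.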