Google SAML

The following guide helps you deploy a Google SAML configuration as the authentication provider for Pyramid. Google is not that different from generic SAML, but there are some key aspects that are unique to it.

Note: This feature is available with Enterprise licensing only.

Important: If Same Site client security is set to Strict when using SAML authentication, this may cause a loop redirect between Pyramid and the SAML provider, as cookies are prevented from working across different web domains. This shouldn't be an issue if your SAML provider and Pyramid are within the same web domain.

Google SAML Setup

Configure a SAML Application

Log in to the Google Cloud admin page and navigate to Apps > Web and Mobile apps

Add app > Add custom SAML app

App Details

Fill in the form and give the app a name.

Click on continue

The next screen gives you all the information needed to move Pyramid to Google SAML, so note them all down and click on “Download Metadata”.

  • SSO URL = IDP URL
  • Entity ID = SAML Issuer
  • Certificate = Certificate

Click on complete.

Service Provider Details

Next, provide details about your Pyramid instance:

  • ACS URL: Your Pyramid URL with /login/callback on the end
  • Entity ID: pyramid
  • Name ID format: X509_SUBJECT
  • Name ID: Basic Information>Primary email (You can map it to any attribute you want, it just matches the external ID used in Pyramid)

Click on continue

Attribute mapping

No changes are needed here; click on “Finish”.

Once your application is completed, click on it and under User access click on the arrow to configure who can login via the application.

You can turn it on for all organization units or just specific ones, depending on your requirements. Then click on SAVE.

Setting the provider up in Pyramid

Open authentication manager in the Pyramid admin console: Pyramid Admin>Security>Authentication, click the Change Provider button.

Take all the setup information from the “App details” and “Service Provider details” steps:

  • Provider: SAML Vendor: Google
  • Consumer URL: Your Pyramid URL with /login/callback on the end
  • SAML Issuer: this is the Entity ID.
  • IDP URL: This is the SSO URL from the App details step.
  • Logout URL: Not officially supported by Google, but you can use https://accounts.google.com/Logout
  • Certificate: This is the Certificate from the App details step.
  • External ID: Any user that you gave access to the application. It must match the value you mapped to the subject.

User Provisioning Setup

The Google SAML provider can be used for auto provisioning in Pyramid; see the user provisioning documentation for more details.

Save your changes

Click Apply to start the provider changeover process. At this stage, the existing users attached to the previous authentication system need to be converted over.

Admins will be prompted to either:

  • Delete all existing users and delete their content
  • Convert old users to the new provider (through the user conversion wizard), and keep their content

Since this exercise cannot be rolled back once the changes are committed, admins need to step through this exercise carefully.