Google SAML
The following guide helps you deploy a Google SAML configuration as the authentication provider for Pyramid. Google is not that different from generic SAML, but there are some key aspects that are unique to it.
Note: This feature is only available with Enterprise licensing.
Important: If Same Site client security is set to Strict when using SAML authentication, this may cause a redirect loop between Pyramid and the SAML provider, as cookies are prevented from working across different web domains. This shouldn't be an issue if your SAML provider and Pyramid are within the same web domain.
Google SAML Setup
Configure a SAML Application
Log in to the Google Cloud admin page and navigate to Apps > Web and Mobile apps.
Click Add app > Add custom SAML app.
App Details
Fill in the form and give the app a name.
Click Continue.
The next screen gives you all the information needed to move Pyramid to Google SAML, so note them all down and click on "Download Metadata."
- SSO URL = IDP URL
- Entity ID = SAML Issuer
- Certificate = Certificate
Click Complete.
Service Provider Details
Next, provide details on your Pyramid instance:
- ACS URL: Your Pyramid URL with /login/callback on the end
- Entity ID: pyramid
- Name ID format: X509_SUBJECT
- Name ID: Basic Information > Primary email (You can map it to any attribute you want, it just matches the external ID used in Pyramid)
Click Continue
Attribute mapping
No changes are needed here, click Finish.
Once your application is created, click on it and, under User access, click the arrow to configure who can log in using the application.
You can turn it on for all organization units or just specific ones, depending on your requirements.
Then click SAVE.
Setting the provider up in Pyramid
Open the Change Provider page
- In the Admin Console, click Security > Authentication.
- From the top-right of the page, click Change Provider.
The Authentication Provider page opens with the details of your current authentication provider displayed; clicking Change Provider opens the Change Provider page. Copy the details of your new authentication provider into this page, starting by selecting your Provider.
SAML Google Provider Details
Take all the setup information from the steps "App details" and "Service Provider details":
- Provider: SAML
- Vendor: Google
- Consumer URL: Your Pyramid URL with /login/callback on the end
- SAML Issuer: This is the Entity ID.
- IDP URL: This is the SSO URL from the App details step.
- Logout URL: Not officially supported by Google, but you can use https://accounts.google.com/Logout
- Certificate: This is the Certificate from the App details step.
- External ID: Any user that you gave access to the application. It must match the Name ID value you mapped to the subject in the Service Provider details step.
User Provisioning Setup
The Google SAML provider can be used for auto provisioning in Pyramid. If you want to use auto provisioning, you will need to set up the app and then specify its settings on the Provider Provisioning tab. For more information, see Google User Provisioning.
Save your changes
Click Apply to start the provider change-over process. At this stage, the existing users (attached to the previous authentication system) need to be converted over.
Admins will be prompted to either:
- Delete all existing users and their local content. When users are deleted by this process, all their private data (the discoveries, publications, and so on that are stored in their My Content Folder) is "soft deleted." Soft deleted files are moved into the Deleted users content folder and can be restored by an admin if needed.
- Convert old users to the new provider (through the user conversion wizard), and keep their content.
Since this exercise cannot be rolled back once the changes are committed, admins need to step through this exercise carefully.
- Click here for a detailed explanation and walkthrough of User Conversion