- Enter your username and password to log on to the Management Console.
- Navigate to the Main menu and click Add under Service Providers.
- Fill in the Service Provider Name and provide a brief Description of the service provider. Only Service Provider Name is a required field; use Google-SP as the name for this example.
- Click Register.
- Expand the Inbound Authentication Configuration and the SAML2 Web SSO Configuration, and click Configure.
In the form that appears, fill out the configuration details required for single sign-on as listed in the following table. For more details about the attributes in this configuration, refer to SAML2 Web SSO Configuration.
| Field | Value | Description |
| --- | --- | --- |
| Issuer | | This is the `<saml:Issuer>` element that contains the unique identifier of the service provider. |
| Assertion Consumer URL | | This is the URL to which the browser is redirected after authentication succeeds: the Assertion Consumer Service (ACS) URL of the service provider. The identity provider redirects the SAML2 response to this ACS URL. However, if the SAML2 request is signed and contains an ACS URL, the Identity Server honors the ACS URL in the SAML2 request. |
| NameID Format | The default value can be used here. | This defines the name identifier formats supported by the identity provider. The service provider and identity provider usually communicate with each other regarding a specific subject. That subject is identified through a Name Identifier (NameID), which must be in a defined format so that the other party can easily identify it. Name identifiers are used to provide information regarding a user. |
| Certificate Alias | wso2carbon | Select the Certificate Alias from the drop-down. This certificate is used to validate the signature of SAML2 requests and for encrypting assertions sent to the service provider, so the service provider's certificate must be selected here. Note that this can also be the Identity Server tenant's public certificate in a scenario where you are doing a tenant-specific configuration. |
| Enable Response Signing | Selected | Select Enable Response Signing to sign the SAML2 Responses returned after the authentication process. |
| Enable Attribute Profile | Selected | Select Enable Attribute Profile to enable this and add a claim by entering the claim link and clicking the Add Claim button. The Identity Server supports a basic attribute profile in which the identity provider includes the user's attributes in the SAML Assertion as part of the attribute statement. |
| Include Attributes in the Response Always | Selected | Once you select the Include Attributes in the Response Always checkbox, the identity provider always includes the attribute values of the selected claims in the SAML attribute statement. |
Click Register to save your configurations.
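As an added illustration of the ACS URL rule in the table above (this is example code, not WSO2 Identity Server's own implementation), the following Python snippet shows how an identity provider resolves the ACS URL for an incoming SAML2 AuthnRequest: the registered ACS URL is used unless the request is signed, its signature has been verified, and it carries its own AssertionConsumerServiceURL. The SP registry, the sample requests, and the signature_verified flag are constructed assumptions; XML-DSig verification itself is left to a SAML library.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DS = "http://www.w3.org/2000/09/xmldsig#"

# Service providers registered on the IdP, keyed by their Issuer value. These
# values are constructed for the example and mirror the table fields above.
SP_REGISTRY = {
    "google.com": {"acs_url": "https://google.com/a/example.org/acs"},
}


class UnknownIssuer(Exception):
    """The request's Issuer matches no registered service provider."""


def resolve_acs_url(authn_request_xml, signature_verified=False, registry=SP_REGISTRY):
    """Return the ACS URL the SAML2 Response must be sent to.

    The registered ACS URL is the default. The AssertionConsumerServiceURL in
    the request is honoured only when the request carries a signature that the
    caller has already verified against the SP certificate (signature_verified).
    XML-DSig verification itself is out of scope here; the point is that an
    unverified request can never redirect the response somewhere else.
    """
    root = ET.fromstring(authn_request_xml)
    if root.tag != "{%s}AuthnRequest" % SAMLP:
        raise ValueError("not a SAML2 AuthnRequest")
    issuer_el = root.find("{%s}Issuer" % SAML)
    issuer = (issuer_el.text or "").strip() if issuer_el is not None else ""
    sp = registry.get(issuer)
    if sp is None:
        raise UnknownIssuer(issuer or "<missing>")
    requested = root.get("AssertionConsumerServiceURL")
    signed = root.find("{%s}Signature" % DS) is not None
    if requested and signed and signature_verified:
        return requested
    return sp["acs_url"]


# Constructed sample requests; the Signature element is a placeholder only.
_HEAD = ('<samlp:AuthnRequest xmlns:samlp="%s" xmlns:saml="%s" xmlns:ds="%s" '
         'ID="_req1" Version="2.0" AssertionConsumerServiceURL='
         '"https://elsewhere.example/acs"><saml:Issuer>google.com</saml:Issuer>'
         % (SAMLP, SAML, DS))
UNSIGNED_REQUEST = _HEAD + "</samlp:AuthnRequest>"
SIGNED_REQUEST = _HEAD + "<ds:Signature>placeholder</ds:Signature></samlp:AuthnRequest>"
```

For the unsigned request the function returns the registered ACS URL regardless of what the request asks for; only the signed and verified request is allowed to redirect the response to its own URL.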
- Create a user in WSO2 Identity Server. Make sure that the same user exists in your Google domain.
Example: In this tutorial, the user firstname.lastname@example.org exists in the Google domain, so we create the same user in WSO2 Identity Server.
- On the Main tab in the Management Console, click Add under Users and Roles.
- Click Users. This link is only visible to users with the Admin role.
- Click Add New User.
- Click Next >.
- Optionally, select the role(s) you want this user to have. If you have many roles in your system, you can search for them by name.
- Click Finish.
- Navigate to `https://google.com/a/<ENTER_YOUR_DOMAIN>/acs` and enter the email address (username) of the user you created.
You are navigated to WSO2 Identity Server's sign-in screen.
Enter the username and password of the user you created.
You are navigated to the G-Suite of that domain and you can select the application you need to use.