How to enable OnApp single sign on via Google Suite
The OnApp cloud management platform gives you several ways to authenticate your users by offering services such as 2-factor authentication and OAuth – and by integrating with a SAML Identity Provider, which is what I’m going to talk about today.
One of the easiest SAML Identity Providers to configure is the application that comes as part of Google Apps (now called GSuite). You can register for GSuite with your own domain and you get access to the full suite of services that Google offers. One of these applications is the configuration of SAML, which will use your user database from within GSuite to authenticate when you log in to OnApp.
One of the best reasons to use this is to integrate with G Suite’s own 2-factor authentication system, using the Google Authenticator to allow additional 2 factor authentication when logging into OnApp.
In order for the user to be added to OnApp automatically, we need to add a custom field to GSuite. Well, that would be the preferred way of doing it, but unfortunately that’s not possible in GSuite at the time of writing this. Instead, the user will need to be created inside of OnApp manually, and then as long as the email address is the same in GSuite and OnApp, the user will authenticate via SAML successfully.
In order to get started, we will need to configure the SAML application within G Suite:
- Log in to your G Suite admin console: https://admin.google.com
- Click on the “Apps” button and then “SAML apps”
- Click the “+” button to enable SSO for a SAML Application
- On the first stage of the add wizard, select “Setup my own custom app”
- Make note of the SSO URL, Entity ID and download the generated certificate
- Add your own application name (eg, OnApp) and add an option description and logo
At this point, you will be on step 4/5 of the “Add” wizard – we need to wait here for now. In a new window or tab, open up your OnApp install and browse to Settings > Authentication and then click the “SAML Id Providers” tab.
Here we will add a new SAML Identity Provider to OnApp:
- Fill in the “Add new SAML Identity Provider” wizard as follows:
- Name: The name your customers will see as the link to login
- Icon: Upload an Icon for this link if you wish.
- Issuer: This should be the same as the “Entity ID” inside the GSuite wizard. Something like “Google Apps” will do fine.
- Idp sso target url: This should be the “SSO URL” from the GSuite wizard that we made a note of earlier.
- Idp cert fingerprint: Create a sha1 fingerprint of the downloaded certificate from the GSuite wizard./li>
- Idp cert: Upload the certificate that we downloaded from the GSuite wizard.
- Nameid format: Set to “entity”
- Under the “Attributes Mapping” section, just add the following and leave the rest blank:
- User email key: onapp_email
- Click on the name of the SAML IDP you just created and open the “link to metadata”
- From the metadata, find the <md:AssertionConsumerService Location” tag and copy the URL that this contains. It will look something like: https://<onapp-cp-url>/users/auth/saml/callback?provider_id=1. Make a note of this as the “ACS URL” as we will be using this in the GSuite Wizard
Now go back to the GSuite Wizard:
- Fill in the remainder of the options as follows:
- ACS URL: Get this from the OnApp metadata as described in the previous step.
- Entity ID: Get this from the OnApp SAML information from the “Issuer” section.
- Start URL: Leave this blank.
- Signed Response: Leave this blank.
- Name ID: Leave this as default, it should be “Basic Information” in the first section and “Primary Email” in the second section.
- Name ID Format: Set this to “ENTITY”.
- Click Next.
- Click “Add New Mapping”.
- Here we will add the same field from the OnApp Attribute Mapping:
- Application Attribute: onapp_email
- Category: Basic Information
- User field: Primary Email
- Click Finish.
Now, if you open the URL to your OnApp control panel in a new window (log out of any previous sessions first!), you will see a section below the login screen with a link to login via SAML.
Upon clicking this link, it will redirect you to Google where you will login on their site, and then get passed back to OnApp if there is a user inside of OnApp with the same email as your GSuite account.