SSO Google G-Suite Setup

The following instructions set up an identity provider with Google G-Suite.

Introduction

Google G-Suite users can use their managed Google account credentials to sign in to enterprise cloud applications via Single Sign-On (SSO) using SAML 2.0. Tehama can be integrated with G-Suite through SAML 2.0 and presented as a managed application alongside other G-Suite integrated applications.

Once enabled, authentication to Tehama must be made through G-Suite - local authentication through https:/app.tehama.io is no longer possible except by using the Tehama Admin account. G-Suite/Tehama Integration is limited to authentication only.

User accounts are required for both G-Suite and Tehama. Both accounts must be configured with the same email address for SSO to work, and the user must accept the Tehama Welcome email before they will be able to launch a connection via G-Suite SSO.

Integration Summary

Integration with G-Suite SSO is a four step process as follows.

  1. Obtain initial configuration settings from Tehama
  2. Create an application in G-Suite
  3. Obtain the required Federation Metadata XML from G-Suite
  4. And enter it back into Tehama

Prerequisites for G-Suite Integration

  • A Tehama Account with Admin privileges
  • An G-Suite account with Super Admin privileges

Setup Time - 10 minutes

Create a connected application

Login to Tehama using the Admin Account and click the SETTINGS tab in the navigation bar.

Select the AUTHENTICATION tab.

Check "Enable SAML Single-Sign on".

Tehama Organization Authentication Page with SAML-enabled

Open a second browser tab and sign in to your G-Suite Admin Account.

Google Admin Console Top Level Page

Select Apps from the top level menu.

Google Apps Page

Select SAML Apps.

Select the Plus Symbol and then select Create New App.

Google Create New SAML App Page

Select Setup My Own Custom App.

Google Create New SAML App Page

Click on the IDP metadata Download link; a new browser tab will open.

Copy the IDP metadata to the clipboard, and click next to continue.

Return to the Tehama Web UI and paste the IDP metadata from the clipboard into the Federation Metadata XML box.

Tehama Organization Authentication Page with SAML-enabled and XML metadata added to page

and click SAVE.

Now that you have completed this step, each existing team member in your organization will receive an email inviting them to configure their SSO login by clicking on the provided link, CONFIGURE SSO LOGIN, and to follow the instructions.

Each subsequently added team member will receive the same email and must also configure their SSO login by clicking on the provided link.

Return to the G-Suite Admin Console tab to configure the basic application settings.

Google Create New SAML App Page

Provide an appropriate application name, description and logo, and click Next to continue.

You may download and save a copy of this image to use as the logo    Tehama Logo

Now copy the Callback URL from the AUTHENTICATION METHOD section of the Tehama Web UI's Authentication page (this field is visible on the page when "Enable SAML Single-Sign on" is checked) and paste it into the ACS URL field on the G-Suite admin page. Then copy the Entity ID from the same place and paste it into the Entity ID field.

Google Create New SAML App Page

Leave all other fields at their default values.

Click next to display the final configuration page and click Finish.

Configuration is now complete.

You will still need to return to the G-Suite Console to assign User and Group settings as appropriate for your organization before it will be possible to access Tehama using G-Suite integration.