Use this guide to configure your Google Apps account as a single sign-on Identity Provider (IdP) for your Skeddly account.

The setup is very similar to setting up SAML for AWS:
https://aws.amazon.com/blogs/security/how-to-set-up-federated-single-sign-on-to-aws-using-google-apps

Step 1: Get the SAML metadata from your Google Apps account

Sign-in to your domain administrator for your Google Apps account.

Click on "Security", then "Set up single sign-on (SSO)". You should see something like the following:

Make a note of the idpid value at the end of the "SSO URL". This is your Google customer ID, and you will need it later. For these purposes, I have anonymized my customer ID to XXXXXX, but yours will be an actual ID.

Click the button labelled "DOWNLOAD IDP METADATA".

An XML file should be downloaded to your computer. Keep track of this file; you'll need it in the next step.

Step 2: Create a Skeddly Identity Provider

Follow these instructions to create an Identity Provider in your Skeddly account. When creating your Identity Provider, upload the metadata XML file you downloaded from Google Apps in step 1.

Make note of the following 2 pieces of information:

  • The SRN of your Skeddly Identity Provider
  • The SRN of one Skeddly Managed Policy that you will apply to your user

Step 3: Add the Skeddly SAML attributes to your Google Apps user profile

The first task before setting up the SAML app in your Google Apps account is to add the SAML attributes that Skeddly expects in order to allow a SAML-based authentication to take place. You must add the Roles attribute (https://skeddly.com/SAML/Attributes/Roles), which is mapped in Step 4.

When configuring your SAML app in your Google Apps account, you will be prompted to provide attribute mappings from your Google Apps user profile. This includes details such as Skeddly Managed Policies available to the user and your Skeddly Identity Provider SRN. First, add these details as custom fields to the Google Apps user profile, which you can do by creating a JSON schema.

Note: You must create this JSON schema before creating the SAML app for your Google Apps account. If you create the JSON schema after creating the SAML app, the schema will not appear as a selectable option during configuration.

To create the JSON schema, use the Schemas: Insert request from the Google Directory API. The Schemas: Insert page on the Google developer site lets you enter the required request fields; clicking the "EXECUTE" button then generates and sends the HTTPS POST request to the Directory API for you. This requires authentication.

On the Schemas: Insert page, in the "Try this API" section, enter the customer ID in the customerId field, which you noted when downloading the metadata file in Step 1. Then click inside the editing box for the Request Body. Paste the following text in the box.

{
  "fields": [
    {
      "fieldName": "roles",
      "fieldType": "STRING",
      "readAccessType": "ADMINS_AND_SELF",
      "multiValued": true
    }
  ],
  "schemaName": "SSO"
}

Click the button labelled "EXECUTE". An OAuth 2.0 Scopes dialog box will be presented. Click "EXECUTE" again and look for a successful HTTP 200 response on the page. The request creates a schema called SSO that lets you add one or more Skeddly Identity Provider and Managed Policy SRN pairs to a Google Apps user profile; these grant the user their permissions when signing in to the Skeddly account.

Note: If you see a “Permission denied” message when using the API, check that administrative API access has been enabled. For more information, see the Administrative APIs guide.

After creating the schema, you can add the SSO Skeddly fields to your Google Apps user profile. To do this, use another Google Directory API request, Users: Patch.

From this web page, as before, use the "Try this API" section to paste the following text into the Request Body. Be sure to replace the placeholder values (in angle brackets) with the Identity Provider and Managed Policy SRNs you noted from Skeddly in Step 2. Type your email address in the userKey field. Click "EXECUTE", and look for a successful HTTP 200 response.

{
  "customSchemas": {
    "SSO": {
      "roles": [
        {
          "value": "<identity provider SRN>,<managed policy SRN>",
          "customType": "Developer"
        }
      ]
    }
  }
}

Step 4: Set up the SAML app in Google Apps

On the "Enable SSO for SAML Application" dialog, click on "Setup my own custom app".

On the "Google IdP Information" dialog, there's no need to re-download the metadata. Just click "Next".

On the "Basic information for your Custom App" dialog, specify:

  • Application Name: Skeddly
  • Description: Anything you want

On the "Service Provider Details" dialog, supply the information below (the certificate shown in your console may differ):

  • ACS URL: https://app.skeddly.com/sso/saml/
  • Entity ID: https://app.skeddly.com/
  • Signed Response: Yes
  • Name ID: Basic Information, Email Address
  • Name ID Format: Unspecified

On the "Attribute Mapping" page, add one attribute with these values:

  • Application attribute: https://skeddly.com/SAML/Attributes/Roles
  • Category: SSO
  • User field: roles (the custom field you created in Step 3)
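The two halves of this mapping, as an added example that is not Skeddly's or Google's own code: the Users: Patch body from Step 3 built for several roles (the field is multi-valued), and the way a service provider reads the resulting Roles attribute back out of a SAML assertion, keeping only values whose identity-provider half matches the expected IdP. All SRNs and the assertion fragment are constructed placeholders.

```python
"""Added example: build the Step 3 Users.patch body for several Skeddly roles
and parse the Roles attribute out of a SAML assertion. SRN values and the
assertion are constructed placeholders, not real Skeddly identifiers."""
import json
import xml.etree.ElementTree as ET

ROLES_ATTR = "https://skeddly.com/SAML/Attributes/Roles"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

def build_patch_body(pairs, custom_type="Developer"):
    """Users.patch request body: one multi-valued SSO.roles entry per
    (identity provider SRN, managed policy SRN) pair."""
    return {"customSchemas": {"SSO": {"roles": [
        {"value": f"{idp},{policy}", "customType": custom_type}
        for idp, policy in pairs]}}}

def parse_roles(assertion_xml, expected_idp):
    """Return the managed policy SRNs in the Roles attribute whose identity
    provider half matches expected_idp; malformed or foreign values are
    skipped so a stray entry cannot grant anything."""
    root = ET.fromstring(assertion_xml)
    policies = []
    for attr in root.iter(f"{{{SAML_NS}}}Attribute"):
        if attr.get("Name") != ROLES_ATTR:
            continue
        for val in attr.findall(f"{{{SAML_NS}}}AttributeValue"):
            parts = [p.strip() for p in (val.text or "").split(",")]
            if len(parts) == 2 and parts[0] == expected_idp and parts[1]:
                policies.append(parts[1])
    return policies

# Constructed sample values (placeholders, not real SRNs).
IDP = "srn:example:identity-provider/google-apps"
PAIRS = [(IDP, "srn:example:policy/ReadOnly"), (IDP, "srn:example:policy/Scheduler")]

# Constructed assertion fragment carrying the same values Google would send.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML_NS}">
  <saml:AttributeStatement>
    <saml:Attribute Name="{ROLES_ATTR}">
      <saml:AttributeValue>{IDP},srn:example:policy/ReadOnly</saml:AttributeValue>
      <saml:AttributeValue>{IDP},srn:example:policy/Scheduler</saml:AttributeValue>
      <saml:AttributeValue>srn:example:identity-provider/other,srn:example:policy/Admin</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

if __name__ == "__main__":
    print(json.dumps(build_patch_body(PAIRS), indent=2))
    print(parse_roles(SAMPLE_ASSERTION, IDP))
```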

Step 5: Grant user access

When you create the SAML app, it is turned off by default. This means that users logged in to their Google Apps account will not see the SAML app. To turn on the SAML app for Skeddly, go to your Google Admin console (using your super administrator credentials), click "Apps", and then click "SAML Apps".

From the right action menu, click "ON for everyone".

After that, Skeddly should appear in your app list.
