Google Workspace

This document shows how to integrate the Ironchip authenticator via SAML into Google Workspace to validate existing Ironchip users.

Create the SAML application on Ironchip

In the Ironchip dashboard, go to the applications section.


Click on new application and choose the custom application option.

In this tab, give the application an identifying name, select SAML as the application type and, optionally, add an image to use as the application logo. Do not close this tab.

Configure Google Workspace

Before logging in to the Google Admin panel, download the Ironchip metadata file.

Now log in to the Google Admin panel, go to Security > Authentication > SSO with external IdP and add a SAML profile.

Open the metadata downloaded above and fill in the fields with the following data:

  • For the entity ID of the IdP, use the "entityID" attribute of the "EntityDescriptor" XML tag.

  • For the URL of the access page use the "Location" property in the "SingleSignOnService" XML tag.

  • For the URL of the logout page, look again for the "Location" property in the XML tag "SingleLogoutService".

  • For the required certificate upload, create a new file with the extension ".crt". Paste the content of the "X509Certificate" XML tag from the metadata (both certificates in the metadata are identical) into the first field of this tool and save the result in that file:

    https://www.samltool.com/format_x509cert.php

This tool will add the necessary headers for Google to detect the certificate as valid.

Once the file is saved, upload it.

The rest of the fields can be left at their defaults. Save the changes.
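
An offline way to read the values listed above and build the ".crt" file without the web tool, as an added example that is not part of the Ironchip documentation. The function name, the idp.example.test URLs and the certificate bytes in the sample are constructed placeholders; point the function at the metadata file you downloaded.

```python
import base64
import hashlib
import textwrap
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def parse_idp_metadata(xml_text):
    """Return the values the Google SAML profile form asks for (hypothetical helper)."""
    # Metadata comes from your own IdP dashboard; use defusedxml for untrusted XML.
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor in metadata")

    def location(tag):
        el = idp.find("md:" + tag, NS)
        return el.get("Location") if el is not None else None

    # Drop line breaks inside the base64, then require that every
    # X509Certificate in the file is the same certificate.
    certs = {"".join(c.text.split())
             for c in idp.iterfind(".//ds:X509Certificate", NS) if c.text}
    if len(certs) != 1:
        raise ValueError("expected identical certificates, found %d distinct" % len(certs))
    der = base64.b64decode(certs.pop(), validate=True)
    body = "\n".join(textwrap.wrap(base64.b64encode(der).decode(), 64))
    return {"entity_id": root.get("entityID"),
            "sso_url": location("SingleSignOnService"),
            "slo_url": location("SingleLogoutService"),
            "pem": "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % body,
            "sha256": hashlib.sha256(der).hexdigest()}  # compare with the IdP's fingerprint

# Constructed sample: placeholder URLs, and 100 filler bytes instead of a real certificate.
FAKE_B64 = base64.b64encode(bytes(range(100))).decode()
SAMPLE = """<md:EntityDescriptor xmlns:md="%s" xmlns:ds="%s" entityID="https://idp.example.test/saml">
<md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>%s</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
<md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>%s</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://idp.example.test/slo"/>
<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://idp.example.test/sso"/>
</md:IDPSSODescriptor></md:EntityDescriptor>""" % (NS["md"], NS["ds"], FAKE_B64, FAKE_B64)

if __name__ == "__main__":
    for key, value in parse_idp_metadata(SAMPLE).items():
        print("%s:\n%s" % (key, value))
```

Save the "pem" value as the ".crt" file to upload; the function raises ValueError if the metadata carries two different certificates.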

Get metadata URL for Ironchip

To obtain the URL of the metadata requested by the Ironchip platform, modify the following code with the corresponding data:

<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" validUntil="2122-09-16T10:40:54Z" cacheDuration="PT604800S" entityID="google.com">
<md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://www.google.com/acs" index="1" />
</md:SPSSODescriptor>
</md:EntityDescriptor>

  • Replace the content of entityID with the entity ID found in the SP details section.
  • Replace the content of Location with the ACS URL found in the SP details section.

Once you have generated this file, upload it to a public Internet address and provide this URL in raw format by adding it to the Metadata URL field in the Add new service dialog on the Ironchip platform.

Activating SSO in Google Workspace

To activate login through the newly created SAML integration, navigate back to Security > Authentication > External identity provider SSO in your Google Admin interface.

Click on "Manage SSO profile assignments". On the left side, you can configure the groups or individuals who will authenticate using Ironchip's second factor of authentication.

Remember to configure these users in the SAML service you have created in Ironchip.
