Contents

  1. Introduction
  2. Requirements
  3. Create the SSO SAML App on Google Admin Console
  4. Create a Single Sign On configuration set in ezeep
  5. Enter the correct Service Provider Details on the Google Admin Console
  6. Activate the SAML application for everyone in Google Admin Console
  7. Login as a user

 

 

Introduction

 

SAML is today's standard when it comes to connecting the user management of a cloud service with a directory service. This document outlines how to set up SAML-based login with Google accounts. After the setup, your users can authenticate in ezeep with their Google accounts and print based on the rules that you set in ezeep.

 

During the setup we will have to switch between the Google Admin Console and the ezeep administrator portal. We highly recommend opening both portals simultaneously in separate browser windows.

 

Google Admin Console

https://admin.google.com/ 

 

ezeep administrator portal

https://portal.ezeep.com/ 

 

Requirements

  • ezeep administrator account
  • Google G-Suite administrator account

Create the SSO SAML App on Google Admin Console

 

In the first step we need to create a SAML App in the Google Admin Console to connect to ezeep. 

Navigate to the SAML apps in the Google Admin Console. You can find them on the Google Admin dashboard under Apps -> SAML apps, or click on this link:

 

https://admin.google.com/AdminHome?fral=1#AppsList:serviceType=SAML_APPS 

 

Click on the + icon and pick Setup my own custom app

 

 

screenshot: Enable SSO for SAML Application

 

 


 

 

Google will generate a custom SSO URL, an Entity ID and a certificate which we will need to enter in ezeep. Copy both URLs and download the certificate file to a secure location. 

 

screenshot: provide Google IdP Information

 

Click on next to proceed. 

 


 

 

On the next page you can enter some basic information for the ezeep app:

 

 

screenshot: Basic information for your Custom App 

 

 

Click on next again to get to Step 4. 


 

 

This will open the following screen to enter the Service Provider Details:

 

screenshot: Service Provider Details

 

 

To get this information, you need to create an ezeep Single Sign-On configuration set in the ezeep portal. Open the ezeep portal in a new browser window.

 
Create a Single Sign-On configuration set in ezeep

 

• Log in to your ezeep administrator account at https://portal.ezeep.com 

• Click on your account (your email address / display name in our menu on the left)

• Under Single Sign-On you will find the settings that you have set up (there should be none yet) 

• Click on “Add SSO” and choose SAML 2.0

• A new popup will open with SAML settings

 

Our SAML settings include all basic settings that you need to set up for SAML to work properly. Enter your specific information and remember to save the settings:

 

screenshot: SAML settings in ezeep

 


 

 

Give the SSO configuration set a suitable name at the top of the popup (RENAME ME) and fill in the following fields:

 

Organization identifier 

This is your Organization ID which is unique across our whole solution. Each SAML setting needs one Organization ID. It will be the organization code that your users will type in as Organization ID to be automatically forwarded to your custom Google login page. 

 

You can also log in to ezeep via Google automatically by visiting this link: https://accounts.ezeep.com/auth/signin/saml/{{ YOUR_ORGANIZATION_IDENTIFIER }}

 

Entity ID

The URL that Google provided you in the Google Admin Portal (Entity ID)

 

Identity Provider Login URL 

The Login URL that Google provided you in the Google Admin Portal (SSO URL)

 

Login Binding type

Choose POST-Binding

 

Identity Provider Logout URL

This is the URL that we redirect the user to when the user actively wants to log out of a session in our portal.

 

Logout binding type

Choose Redirect-Binding

 

Identity Provider Certificate (Base64 encoded)

Pick the certificate that you downloaded from the Google Admin Console to the secure location.

 


 

 

After finishing the configuration click on save to store the configuration set.

 

screenshot: SAML settings example for GSuite

 

Now that your Single Sign-On configuration set is created, you can click on XML and will be automatically forwarded to an XML file. Find the following line at the bottom of the XML code (it should be one of the last lines of code)

 

With the information from the XML file we can proceed in the Google Admin Console.

 

Enter the correct Service Provider Details on the Google Admin Console

 

Now back at the Google Admin Console on Step 4: Service Provider Details we can enter the necessary information. 

 

ACS URL

You can find the ACS (Assertion Consumer Service) URL in the ezeep configuration. For this, navigate in the ezeep portal to the Single Sign-On settings under account – Single Sign-On. On this page, click on the XML link of the configuration (as described above):

 

 

screenshot: export SAML settings as XML

 

 

This will open an XML file. At the bottom of this file you will find the following line:

 

<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://accounts.ezeep.com/auth/saml/122629ef-08b1-4631-b46c-5dedbf08cb51/?acs" index="1"/>

 

The full URL stored in Location= is the value to enter as the ACS URL (without the quotation marks), e.g.

https://accounts.ezeep.com/auth/saml/122629ef-08b1-4631-b46c-5dedbf08cb51/?acs 

 

Entity ID

https://accounts.ezeep.com/auth/saml/ 

 

Signed Response 

Needs to be unchecked

 

Name ID

Needs to be set to Primary email

 

Name ID Format

Needs to be EMAIL

 

 


 

 

Now your configuration will look like this:

 

screenshot: Service Provider Details

 

Click on next to proceed. 
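To cross-check the ACS URL typed into Step 4 against the ezeep XML export, the following added example (not ezeep's or Google's own code) reads the HTTP-POST AssertionConsumerService Location from the metadata and flags common copy errors. The sample metadata is constructed around the line shown above; the wrapper elements and the function names are assumptions.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

MD = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample export: only the AssertionConsumerService line is from
# the page; the wrapping elements are assumed for illustration.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://accounts.ezeep.com/auth/saml/">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://accounts.ezeep.com/auth/saml/122629ef-08b1-4631-b46c-5dedbf08cb51/?acs" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def sp_acs_url(metadata_xml, expected_host="accounts.ezeep.com"):
    """Return the single HTTP-POST ACS Location, or raise ValueError."""
    # The stdlib parser is acceptable for a file exported from your own
    # account; prefer defusedxml for XML from untrusted sources.
    root = ET.fromstring(metadata_xml)
    locations = [
        e.get("Location")
        for e in root.iterfind(".//md:SPSSODescriptor/md:AssertionConsumerService", MD)
        if e.get("Binding") == POST_BINDING
    ]
    if len(locations) != 1:
        raise ValueError("expected one HTTP-POST ACS, found %d" % len(locations))
    url = urlsplit(locations[0])
    if url.scheme != "https" or url.hostname != expected_host:
        raise ValueError("unexpected ACS scheme or host: %s" % locations[0])
    return locations[0]


def check_entered_acs(metadata_xml, entered):
    """Return a list of problems with the value typed into the ACS URL field."""
    expected = sp_acs_url(metadata_xml)
    problems = []
    cleaned = entered.strip().strip("\"'")
    if cleaned != entered:
        problems.append("remove surrounding quotation marks or whitespace")
    if cleaned != expected:
        problems.append("does not match the Location in the metadata")
    return problems
```

An empty list from check_entered_acs means the value in the Google Admin Console is identical to the Location in the export.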

 


In the last step we need to create the mappings so that users can be automatically mapped to ezeep rules based on their department. When a user arrives at our portal login with a SAML token, we evaluate certain attributes from the token and use them accordingly. These attributes need to identify the user and the ezeep groups the user should be a member of. This way we can directly make printers accessible to users based on the groups and policies that exist in your ezeep portal.

Note: We will do a string comparison of the Department value in your Google organization with the ezeep group names and assign the user to the corresponding group. If you have a “Marketing” department in Google, you will need to create a matching “Marketing” group in ezeep.

 

Add three mappings by clicking “Add new mapping” and enter the following information for them:

 

http://schemas.microsoft.com/ws/2008/06/identity/claims/groups 

Employee Details, Department

 

first_name

Basic information, First Name

 

last_name

Basic information, Last Name

 

 

screenshot: Attribute Mapping

 

Activate the SAML application for everyone in Google Admin Console

 

 

 

screenshot: Activate SAML app for everyone in Google Admin Console

 

Once this is done, the integration is set up and activated for the users in your Google organization.

 


Login as a user

 

After ezeep and the Google organization are linked via SAML, users can simply go to portal.ezeep.com and click on “Sign in with Organization ID” or go directly to https://accounts.ezeep.com/auth/signin/saml/ 

 

On this page users can enter the Organization identifier that was set up in the ezeep Single Sign-On configuration set (in Step 2) and will be redirected automatically to your Google login page to authenticate. Alternatively, you can provide a direct link in the following format:

 

https://accounts.ezeep.com/auth/signin/saml/{{ YOUR_ORGANIZATION_IDENTIFIER }} 

 

screenshot: sign in to ezeep with SAML