Contents
- Introduction
- Requirements
- Create the SSO SAML App on Google Admin Console
- Create a Single Sign On configuration set in ezeep
- Enter the correct Service Provider Details on the Google Admin Console
- Activate the SAML application for everyone in Google Admin Console
- Login as a user
Introduction
SAML is today's standard when it comes to connecting the user management of a cloud service with a directory service. This document outlines how to set up SAML-based login with Google accounts. After the setup, your users can authenticate in ezeep with their Google accounts and print based on the rules that you set in ezeep.
During the setup we will have to switch between the Google Administration Console and the ezeep administration portal. We highly recommend opening both portals simultaneously in separate browser windows.
Google Admin Console
ezeep administrator portal
Requirements
- ezeep administrator account
- Google G-Suite administrator account
Create the SSO SAML App on Google Admin Console
In the first step we need to create a SAML App in the Google Admin Console to connect to ezeep.
Navigate to the SAML apps in the Google Admin Console. You can find them on the Google Admin dashboard under Apps -> SAML apps, or click on this link:
https://admin.google.com/AdminHome?fral=1#AppsList:serviceType=SAML_APPS
Click on the + icon and pick Setup my own custom app
Google will generate a custom SSO URL, an Entity ID and a certificate which we will need to enter in ezeep. Copy both URLs and download the certificate file to a secure location.
Click on next to proceed.
On the next page you can enter some basic information for the ezeep app:
Click on next again to get to Step 4.
This will open the following screen to enter the Service Provider Details:
To get this information, you need to create an ezeep Single Sign-On configuration set in the ezeep portal. Open the ezeep portal in a new browser window.
Create a Single Sign-On configuration set in ezeep
• Log in to your ezeep administrator account at https://portal.ezeep.com
• Click on your account (your email address / display name in our menu on the left)
• Under Single Sign-On you will find the settings that you have set up (there should be none yet)
• Click on “Add SSO” and choose SAML 2.0
• A new popup will open with SAML settings
Our SAML settings include all basic settings that you need to set up for SAML to work properly. Enter your specific information and remember to save the settings:
Give the SSO configuration set a suitable name at the top of the popup (RENAME ME) and fill in the following fields:
Organization identifier
This is your Organization ID which is unique across our whole solution. Each SAML setting needs one Organization ID. It will be the organization code that your users will type in as Organization ID to be automatically forwarded to your custom Google login page.
It can also be used to log in to ezeep via Google automatically by visiting this link: https://accounts.ezeep.com/auth/signin/saml/{{ YOUR_ORGANIZATION_IDENTIFIER }}
Entity ID
The URL that Google provided you in the Google Admin Portal (Entity ID)
Identity Provider Login URL
The Login URL that Google provided you in the Google Admin Portal (SSO URL)
Login Binding type
Choose POST-Binding
Identity Provider Logout URL
This is the URL that we redirect the user to when the user actively wants to log out of a session in our portal.
Logout binding type
Choose Redirect-Binding
Identity Provider Certificate (Base64 encoded)
Pick the certificate that you downloaded from the Google Admin Console to the secure location.
After finishing the configuration click on save to store the configuration set.
Now that your Single Sign-On configuration set is created, you can click on XML and will automatically be forwarded to an XML file. Find the following line at the bottom of the XML code (it should be one of the last lines):
With the information from the XML file we can proceed on the Google Admin Console.
Enter the correct Service Provider Details on the Google Admin Console
Now back at the Google Admin Console on Step 4: Service Provider Details we can enter the necessary information.
ACS URL
You can find the ACS (Assertion Consumer Service) URL in the ezeep configuration. To do so, navigate in the ezeep portal to the Single Sign-On settings under account – Single Sign-On. On this page, click on the XML link of the configuration (as described above):
This will open an XML file. At the bottom of this file you will find the following line:
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://accounts.ezeep.com/auth/saml/122629ef-08b1-4631-b46c-5dedbf08cb51/?acs" index="1"/>
The full URL stored in Location= is the ACS URL that needs to be entered as the ACS URL (without the quotation marks) e.g.
https://accounts.ezeep.com/auth/saml/122629ef-08b1-4631-b46c-5dedbf08cb51/?acs
Entity ID
https://accounts.ezeep.com/auth/saml/
Signed Response
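Needs to be unchecked. With the box unchecked, Google signs only the assertion inside the response rather than the entire response.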
Name ID
Needs to be set to Primary email
Name ID Format
Needs to be EMAIL
Now your configuration will look like this
Click on next to proceed.
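The ACS URL and Entity ID entered above can be checked against the ezeep metadata file instead of being copied by eye. The following is an added example, not ezeep's or Google's code: the function names are hypothetical, and the sample metadata is constructed around the AssertionConsumerService line shown above (the wrapper elements and the entityID attribute are assumptions).

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample: only the AssertionConsumerService line is taken from the
# page; the wrapper elements and the entityID attribute are assumptions.
SAMPLE_METADATA = """\
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://accounts.ezeep.com/auth/saml/">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://accounts.ezeep.com/auth/saml/122629ef-08b1-4631-b46c-5dedbf08cb51/?acs" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def sp_details(metadata_xml, expected_host="accounts.ezeep.com"):
    """Return (entity_id, acs_url) from SP metadata; raise ValueError if unusable."""
    # Stdlib parser: fine for a file from your own portal, not for untrusted XML.
    root = ET.fromstring(metadata_xml)
    if root.tag != f"{{{MD}}}EntityDescriptor":
        raise ValueError("not a SAML EntityDescriptor")
    path = f"{{{MD}}}SPSSODescriptor/{{{MD}}}AssertionConsumerService"
    acs = [e.get("Location") for e in root.iterfind(path)
           if e.get("Binding") == HTTP_POST and e.get("Location")]
    if len(acs) != 1:
        raise ValueError(f"expected one HTTP-POST ACS endpoint, found {len(acs)}")
    url = urlsplit(acs[0])
    # The ACS URL receives the assertion, so it must be HTTPS on the SP host.
    if url.scheme != "https" or url.hostname != expected_host:
        raise ValueError(f"unexpected ACS endpoint: {acs[0]}")
    return root.get("entityID"), acs[0]


def check_google_settings(metadata_xml, entered_acs, entered_entity_id):
    """List mismatches between the metadata and the values typed into Google."""
    entity_id, acs = sp_details(metadata_xml)
    problems = []
    for label, entered, expected in (("ACS URL", entered_acs, acs),
                                     ("Entity ID", entered_entity_id, entity_id)):
        if entered != expected:
            hint = " (stray quotes or whitespace)" if entered.strip(' "\'') == expected else ""
            problems.append(f"{label} differs from metadata{hint}")
    return problems
```

An empty list from `check_google_settings` means both values match the metadata character for character.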
In the last step we need to create the mappings so that users can be automatically mapped to ezeep rules based on their department. When a user knocks on our portal login door with a SAML token, we evaluate certain attributes from the token and use them accordingly. These attributes need to identify the user and the ezeep groups the user should be a member of. This way we can directly make printers accessible to users based on the groups and policies that exist in your ezeep portal.
Note: We will do a string comparison of the Department value in your Google organization with the ezeep group names and assign the user to the corresponding group. If you have a “Marketing” department in Google, you will need to create a matching “Marketing” group in ezeep.
Add three mappings by clicking “Add new mapping” and enter the following information for them:
- http://schemas.microsoft.com/ws/2008/06/identity/claims/groups: Employee Details, Department
- first_name: Basic information, First Name
- last_name: Basic information, Last Name
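The three mappings above end up as attributes in the SAML assertion, and the Department value decides group membership. This added example (not ezeep's code) reads a constructed AttributeStatement and reports departments that match an ezeep group only after ignoring case or whitespace. It assumes the comparison is exact and case-sensitive, which the page does not specify; the function names and sample values are hypothetical.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
GROUPS = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"
REQUIRED = (GROUPS, "first_name", "last_name")  # the three mappings above

# Constructed AttributeStatement (not captured traffic); names and values are
# sample data, including the deliberately mistyped department "marketing ".
SAMPLE_STATEMENT = """\
<saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups">
    <saml:AttributeValue>marketing </saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="first_name"><saml:AttributeValue>Ada</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="last_name"><saml:AttributeValue>Example</saml:AttributeValue></saml:Attribute>
</saml:AttributeStatement>"""


def read_attributes(statement_xml):
    """Map each attribute name to its list of values."""
    root = ET.fromstring(statement_xml)
    return {a.get("Name"): [v.text or "" for v in a.iterfind("saml:AttributeValue", NS)]
            for a in root.iterfind("saml:Attribute", NS)}


def resolve_groups(statement_xml, ezeep_groups):
    """Return (matched, near_misses) for the department values in the statement.

    Assumption: the comparison is exact and case-sensitive; the page only says
    "string comparison".
    """
    attrs = read_attributes(statement_xml)
    missing = [name for name in REQUIRED if not any(attrs.get(name, []))]
    if missing:
        raise ValueError(f"mapping missing or empty: {missing}")
    folded = {g.strip().casefold(): g for g in ezeep_groups}
    matched, near_misses = [], []
    for dept in attrs[GROUPS]:
        if dept in ezeep_groups:
            matched.append(dept)
        elif dept.strip().casefold() in folded:
            # Same name apart from case or whitespace: fix it in Google or ezeep.
            near_misses.append((dept, folded[dept.strip().casefold()]))
    return matched, near_misses
```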
Activate the SAML application for everyone in Google Admin Console
- Open the Google Admin Console and navigate to Apps -> SAML Apps or open this link: https://admin.google.com/AdminHome?fral=1#AppsList:serviceType=SAML_APPS
- Find the ezeep SAML app that we just configured
- On the right-hand side, click on the three dots menu and click on ON for everyone or ON for some, depending on who you want to give access to ezeep
Once this is done, the integration is set up and activated for the users in your Google organization.
Login as a user
After ezeep and the Google organization are linked via SAML, users can simply go to portal.ezeep.com and click on “Sign in with Organization ID” or go directly to https://accounts.ezeep.com/auth/signin/saml/
On this page users can enter the Organization identifier that was set up in the ezeep Single Sign-On configuration set (in Step 2) and will be redirected automatically to your Google login page to authenticate. Alternatively, you can provide a direct link in the following format:
https://accounts.ezeep.com/auth/signin/saml/{{ YOUR_ORGANIZATION_IDENTIFIER }}