This article was written and submitted by an external contributor. The Google Apps team thanks Radhika Krishnamurthy for her time and expertise.
CA Siteminder is a centralized Internet access control system that provides single sign-on along with other authentication and authorization services. This article goes through the typical configuration steps for setting up Siteminder with the Google Apps SSO service.
Siteminder 6 SP5 Cr009 needs to be applied to the Policy Server, all web agent machines, and the web agent option packs. This patch is required because it contains a fix for SAML 2.0 SP-initiated SSO.
Create a new Service Provider named "googleapps" under Domain tab > Known Affiliates > SAML Service Provider.
Provide the Authentication URL, usually pointing to the web agent redirect.jsp file.
Add all users who are allowed to access the SP resource.
Go to the Name IDs tab.
Select Email Address as the Name ID Format since this is what is passed in the SAML assertion.
Specify the Attribute Name as "mail", which is the corresponding attribute name in Active Directory (AD).
Select User Attribute as the Name ID Type.
Go to the General tab.
Enter "google.com" for the SP ID. This value is provided by Google, together with the SSO service URL.
Enter your Issuer ID for the IdP ID.
Uncheck the Disable Signature Processing checkbox.
For the Issuer DN value, open the certificate and go to the Details tab. Copy the values from the Issuer and Serial Number fields into the corresponding text boxes in the General tab. Note that the Serial Number value is displayed with spaces between the digits; remove all spaces before pasting it into the General tab.
Go to the SSO tab.
Specify the Audience value as "https://www.google.com/a/example.com/acs".
The Assertion Consumer Service value is also "https://www.google.com/a/example.com/acs".
Go to the SLO tab to configure the Logout URLs.
Check the HTTP-Redirect checkbox.
The SLO Location URL is "http://<web server>/affwebservices/public/saml2slo".
Finally, you will need to enable and set up SSO on Google Apps using the Google Apps control panel. This involves selecting a checkbox, filling in the appropriate sign-in, sign-out and change-password URLs, and uploading your verification certificate. For more information, see the following articles:
That completes the configuration for the SAML 2.0 implementation of SP-Initiated SSO.
Initially you may find that Google does not accept the X.509 certificate generated by Siteminder. The error message will be "This account cannot be accessed because the login credentials could not be verified." Repeating the steps above from the beginning should fix the problem.
Another error message you may encounter is "This service cannot be accessed because your login credentials could not be verified. Please log in and try again." This error can result from an assertion validity time window that is too short. Increasing the Skew time to 300000 in Siteminder should resolve the issue.
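As an added example (not part of the original article, and not Siteminder's or Google's code), the following Python checks a constructed SAML 2.0 assertion the way the SP side does before accepting a login: the NameID must be in emailAddress format, the Audience must match the ACS value configured above, and the Conditions time window is evaluated against the SP's clock with a configurable skew allowance, which is the check behind the second "credentials could not be verified" error. The assertion XML, timestamps and skew values are constructed; signature verification is assumed to have already passed and is not shown.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:2.0:nameid-format:emailAddress"
# Audience / ACS value from the configuration above (example.com domain).
EXPECTED_AUDIENCE = "https://www.google.com/a/example.com/acs"

# Constructed sample assertion, not a real Siteminder capture; the XML
# Signature element is omitted because signature checking is not shown.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
  <saml:Issuer>https://idp.example.com/siteminder</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:emailAddress">alice@example.com</saml:NameID>
  </saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T12:00:00Z" NotOnOrAfter="2024-01-01T12:01:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://www.google.com/a/example.com/acs</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""

def parse_saml_time(value):
    # SAML timestamps are UTC; the sample uses the plain "Z" form.
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def check_assertion(xml_text, now, skew_seconds=0, expected_audience=EXPECTED_AUDIENCE):
    """Return the problems an SP would reject this assertion for (empty list = accept)."""
    root = ET.fromstring(xml_text)
    problems = []
    name_id = root.find("saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != EMAIL_FORMAT:
        problems.append("NameID is not in emailAddress format")
    audiences = [a.text for a in root.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if expected_audience not in audiences:
        problems.append("Audience %r does not match %r" % (audiences, expected_audience))
    cond = root.find("saml:Conditions", NS)
    skew = timedelta(seconds=skew_seconds)   # tolerance for IdP/SP clock drift
    if cond is not None:
        not_before, not_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if not_before and now + skew < parse_saml_time(not_before):
            problems.append("assertion not yet valid (IdP clock ahead of SP)")
        if not_after and now - skew >= parse_saml_time(not_after):
            problems.append("assertion expired (validity window too short for the drift)")
    return problems
```

With a one-minute validity window and a three-minute drift between the two clocks the assertion is rejected at skew 0 and accepted once the skew allowance covers the drift, which is the behaviour the skew setting above changes.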
This work is licensed under a Creative Commons Attribution-No Derivative Works 3.0 United States License.