Table of Contents:
- Step 1. Access your SAML settings in CanIPhish
- Step 2. Create an Application in Google Workspace
- Step 3. Configure SSO in CanIPhish
- Step 4. Update the Google App to support IdP-initiated SSO
- Step 5. Assign the CanIPhish Application to users in Google Workspace
- Step 6. Provision a role for users in CanIPhish
- Appendix A: Additional Guidance For Common Issues
To set up SAML-based single sign-on with Google Workspace as the identity provider, follow the steps below:
Step 1. Access your SAML settings in CanIPhish
1.1. Log in to your CanIPhish Cloud Platform account and go to the Platform Settings page.
1.2. Click Authentication Settings > Platform Single Sign-On to show your SSO configuration.
1.3. Make a note of both the Single Sign-On URL and Audience URI values (we'll need these in the following step).
Step 2. Create an Application in Google Workspace
2.1. Log in to Google Workspace with an admin account (i.e. https://admin.google.com/).
2.2. In the Google Workspace menu (on the left), click "Apps > Web and mobile apps".
2.3. Click "Add app" > "Add custom SAML app".
2.4. Give the app a name of your choosing (e.g. CanIPhish Cloud Platform) and then click Continue.
Optional: if you want to upload an app icon, a CanIPhish logo can be downloaded here.
2.5. Click "DOWNLOAD METADATA" under Option 1. Keep this downloaded file; we'll need it in Step 3. It contains the Google entity ID, sign-on URLs and the signing certificate that CanIPhish will trust, so only ever obtain it from your own admin console session. Once downloaded, click Continue.
2.6. In the ACS URL field, enter the "Single Sign-On URL" value copied earlier from CanIPhish.
2.7. In the Entity ID field, enter the "Audience URI (SP Entity ID)" value copied earlier from CanIPhish.
2.8. In the Name ID format field, select EMAIL from the dropdown.
2.9. Leave the Name ID field as its default value (i.e. Basic Information > Primary email) and click Continue.
2.10. Under the Attributes heading, click the ADD MAPPING button.
2.11. In the "Google Directory attributes" field, select "Primary email" from the dropdown.
2.12. In the "App attributes" field, enter the following value: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
2.13. Click Finish.
Step 3. Configure SSO in CanIPhish
3.1. Jump back into the CanIPhish Cloud Platform and go to the Platform Single Sign-On section.
3.2. Under the "Configuration For CanIPhish" section, upload the Metadata Document downloaded earlier from Google Workspace. Once the file is selected, click the Upload Document button.
3.3. Once successfully uploaded, you can view the document by clicking the metadata.xml text that appears.
3.4. In the "SAML Attribute Mapping (Email)" field, paste the Attribute field name we configured earlier in Google Workspace. This should be: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
3.5. (Optional) Enter the email address of an existing CanIPhish user who should still be allowed to log in to CanIPhish directly using an email address and password (i.e. without SSO). We recommend adding at least 1 user, so that a problem with the SSO configuration does not lock you out of your tenant entirely. Because this account bypasses Google's sign-in controls, protect it with a strong, unique password and keep it to the minimum number of people.
3.6. Click Activate SSO!
3.7. Confirm that the "SSO Status" field has changed from Inactive to Active. If there are any issues, a small popup should appear describing the problem.
3.8. You will notice a new field called "SSO Relay State" has appeared under the "Configuration For The Identity Provider" section. Make a note of this value as it will be used in Step 4.
Step 4. Update the Google App to support IdP-initiated SSO
4.1. Jump back into the Application created in Google Workspace and click inside the "Service provider details" section to edit it.
4.2. Paste the "SSO Relay State" value copied in Step 3.8 into the "Start URL" field, and then click SAVE.
Step 5. Assign the CanIPhish Application to users in Google Workspace
5.1. In the Google Workspace Application, click anywhere in the "User access" heading (don't click "View details").
5.2. Click on the groups or organizational units that should have access to the CanIPhish Cloud Platform, and enable the app for those users/groups/org units by switching the toggle to ON and clicking SAVE or OVERRIDE. Keep this scoped to the people who actually need the platform; anyone the app is enabled for can reach the CanIPhish sign-in via Google.
Step 6. Provision a role for users in CanIPhish
6.1. Jump back into your CanIPhish Cloud Platform account and go to the "Platform Management" page (scroll to the top to see "User Management").
6.2. If there are users you've assigned the new Google Workspace Application to who don't yet have a role within your CanIPhish tenant, click the "Add New User" button. If everyone already has a role, you can skip the rest of Step 6.
6.3. In the respective fields, provide the First & Last Name, Email Address, and Role of the user (i.e. Platform Admin, Platform User, or Platform Reporter). The Email Address must match the user's Google primary email exactly, since that is the value Google sends in the SAML assertion. Once complete, click the Save button.
6.4. The user will be sent an email notification inviting them to finalize the creation of their new account and login using single sign-on. You're all done. SSO has been successfully configured!
Appendix A: Additional Guidance For Common Issues
Receiving A Generic Authentication Error From CanIPhish
Please confirm that the App attribute name entered under step 2.12 exactly matches the SAML Attribute Mapping listed in CanIPhish (step 3.4). If there is a mismatch, or the attribute mapping doesn't exist, email addresses won't flow through correctly. The value should be as follows:
- http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
Once this is correct, please Deactivate the SSO configuration and then Reactivate the SSO configuration. This resets SSO accounts on our end and will allow you to login.
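When the error is generic, the quickest way to see what Google actually sent is to capture the SAMLResponse form field the browser posts to the ACS URL (visible in the browser's network tools) and inspect the assertion. The script below is an added diagnostic example, not CanIPhish's or Google's code: it base64-decodes a SAMLResponse, lists the attribute names in the assertion, flags a missing or near-miss email attribute name (wrong scheme, stray whitespace, different case), checks the NameID format from step 2.8, and optionally checks that the Audience matches the SP Entity ID from step 2.7. The embedded sample Response is constructed, with placeholder IDs and URLs, and deliberately carries an "https://" attribute name in place of the required "http://" one. It does not verify the XML signature or any other condition; it is for diagnosing mapping mistakes on a response you captured yourself, never for accepting assertions.

```python
import base64
import xml.etree.ElementTree as ET

# XML namespaces used in a SAML 2.0 Response and its Assertion.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
# Attribute name CanIPhish expects (steps 2.12 and 3.4) and the NameID format from step 2.8.
EXPECTED_EMAIL_ATTR = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
EMAIL_NAMEID = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed sample Response (placeholder IDs, user and SP URLs). The attribute name
# deliberately carries the "https://" slip that produces a generic authentication error.
SAMPLE_RESPONSE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0"
    IssueInstant="2025-01-01T00:00:00Z" Destination="https://sp.example/acs">
  <saml:Issuer>https://accounts.google.com/o/saml2?idpid=C00example</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_asrt1" Version="2.0" IssueInstant="2025-01-01T00:00:00Z">
    <saml:Issuer>https://accounts.google.com/o/saml2?idpid=C00example</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
    </saml:Subject>
    <saml:Conditions>
      <saml:AudienceRestriction><saml:Audience>https://sp.example/audience</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="https://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
        <saml:AttributeValue>alice@example.com</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
# What the browser actually posts to the ACS URL: the Response, base64-encoded.
SAMPLE_SAMLRESPONSE = base64.b64encode(SAMPLE_RESPONSE_XML.encode()).decode()
# The same Response after the attribute name in step 2.12 has been corrected.
FIXED_SAMLRESPONSE = base64.b64encode(
    SAMPLE_RESPONSE_XML.replace("https://schemas.xmlsoap.org", "http://schemas.xmlsoap.org").encode()).decode()


def decode_saml_response(saml_response_b64: str) -> ET.Element:
    """Decode a SAMLResponse form field copied from the browser's network tools."""
    return ET.fromstring(base64.b64decode(saml_response_b64))


def attribute_names(root: ET.Element) -> list:
    """All attribute names the IdP sent, in order."""
    return [a.get("Name") for a in root.findall("saml:Assertion/saml:AttributeStatement/saml:Attribute", NS)]


def extract_email(root: ET.Element, attr_name: str = EXPECTED_EMAIL_ATTR):
    """Value of the mapped email attribute, or None when no name matches exactly."""
    for attr in root.findall("saml:Assertion/saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == attr_name:
            value = attr.find("saml:AttributeValue", NS)
            return value.text.strip() if value is not None and value.text else None
    return None


def diagnose_response(root: ET.Element, expected_attr: str = EXPECTED_EMAIL_ATTR,
                      expected_audience: str = None) -> list:
    """Return human-readable findings; an empty list means the mapping looks correct."""
    findings = []
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return ["no plaintext Assertion found (encrypted assertion, or not a SAML Response)"]
    nameid = assertion.find("saml:Subject/saml:NameID", NS)
    if nameid is None:
        findings.append("Subject has no NameID")
    elif nameid.get("Format") != EMAIL_NAMEID:
        findings.append(f"NameID format is {nameid.get('Format')!r}; step 2.8 requires EMAIL")
    names = attribute_names(root)
    if expected_attr not in names:
        findings.append(f"attribute {expected_attr!r} not present; IdP sent {names}")
        for name in names:
            # Catch the usual slips: wrong scheme, stray whitespace, different case.
            if name and name.strip().lower().replace("https://", "http://") == expected_attr.lower():
                findings.append(f"near miss: {name!r} differs only by scheme, case or whitespace")
    if expected_audience is not None:
        audiences = [a.text.strip() for a in
                     assertion.findall("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS) if a.text]
        if expected_audience not in audiences:
            findings.append(f"Audience {audiences} does not include the SP Entity ID from step 2.7")
    return findings


if __name__ == "__main__":
    for label, blob in (("as captured", SAMPLE_SAMLRESPONSE), ("after fixing step 2.12", FIXED_SAMLRESPONSE)):
        problems = diagnose_response(decode_saml_response(blob), expected_audience="https://sp.example/audience")
        print(label, "->", problems or "no mapping problems found")
```

Run it against your own captured SAMLResponse by replacing the sample blob; an empty findings list for the captured response means the attribute name, NameID format and Audience all line up, and the cause lies elsewhere.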
Receiving A RelayState Error
If you've just set up SSO or have made any changes within the Google Workspace Application, please wait up to 5 minutes for the configuration to propagate through Google's systems. If the issue is still occurring 5 minutes after the last configuration change, please contact the CanIPhish Support Team for assistance.