Table of Contents:
To set up SAML-based single sign-on within Google Workspace, please follow the steps below:
- Step 1. Access your SAML settings in CanIPhish
- Step 2. Create an Application in Google Workspace
- Step 3. Configure SSO in CanIPhish
- Step 4. Assign the CanIPhish Application to users in Google Workspace
Step 1. Access your SAML settings in CanIPhish
1.1. Log in to your CanIPhish Cloud Platform account and go to the Platform Settings page.
1.2. Click on Authentication Settings > Learner Single Sign-On to show your SSO configuration.
1.3. Make a note of both the Single Sign-On URL and Audience URI values (we'll need these in the following step).
Step 2. Create an Application in Google Workspace
2.1. Log in to Google Workspace with an admin account (i.e. https://admin.google.com/).
2.2. In the Google Workspace menu (on the left), click "Apps" > "Web and mobile apps".
2.3. Click "Add app" > "Add custom SAML app"
2.4. Give the app a name of your choosing (e.g. CanIPhish Learner Dashboard) and then click Continue.
Optional: If you want to upload an app icon, a CanIPhish logo can be downloaded here.
2.5. Click "DOWNLOAD METADATA" under Option 1. Make a note of this downloaded file; we'll need it later. Once downloaded, click Continue.
2.6. In the ACS URL field, enter the "Single Sign-On URL" value copied earlier from CanIPhish.
2.7. In the Entity ID field, enter the "Audience URI (SP Entity ID)" value copied earlier from CanIPhish.
2.8. In the Name ID format field, select EMAIL from the dropdown.
2.9. Leave the Name ID field as its default value (i.e. Basic Information > Primary email) and click Continue.
2.10. Under the Attributes heading, click the ADD MAPPING button.
2.11. In the "Google Directory attributes" field, select "Primary email" from the dropdown.
2.12. In the "App attributes" field, enter the following value: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
2.13. Click Finish.
Step 3. Configure SSO in CanIPhish
3.1. Jump back into the CanIPhish Cloud Platform and go to the Learner Single Sign-On section.
3.2. Under the "Configuration For CanIPhish" section, upload the Metadata Document downloaded earlier from Google Workspace. When the file is specified, click the Upload Document button.
3.3. Once successfully uploaded, you can view the document by clicking the metadata.xml text that appears.
3.4. In the "SAML Attribute Mapping (Email)" field, paste the Attribute field name we configured earlier in Google Workspace. This should be: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
3.5. By default, CanIPhish will send users an access token to log in to their learner dashboard. If SSO is configured, you can choose to Allow or Prohibit this method of access. We recommend providing users with the option to use their preferred access method and leaving this as Allowed.
3.6. Click Activate SSO!
3.7. Confirm that the "SSO Status" field has changed from Inactive to Active. If there are any issues, a small popup should appear notifying you of the issue.
Step 4. Assign the CanIPhish Application to users in Google Workspace
4.1. Jump back into the Application created in Google Workspace and click anywhere in the "User access" heading (don't click "View details" as that'll take you to a knowledgebase article).
4.2. Click on the Groups or organizational units that you want to have access to the CanIPhish Cloud Platform, and enable the app for these users/groups/org units by switching the toggle to ON and clicking SAVE or OVERRIDE.
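If a test login fails after activation, the usual cause is a mismatch between the values entered in steps 2.6 to 2.12 and 3.4. The following is an added example, not CanIPhish or Google code: it checks a decoded SAML response from your own test login against those settings. The ACS URL, entity ID and sample response are constructed placeholders.

```python
import xml.etree.ElementTree as ET

NS = {"p": "urn:oasis:names:tc:SAML:2.0:protocol",
      "a": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
EMAIL_NAMEID = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
# Placeholders (assumptions): use the two values noted in step 1.3.
ACS_URL = "https://sp.example.test/saml/acs"
SP_ENTITY_ID = "https://sp.example.test/saml/metadata"

def check_response(xml_text, acs_url, entity_id):
    """List mismatches between a decoded SAML response and the settings above.
    Configuration check only: it does not verify the XML signature."""
    root = ET.fromstring(xml_text)
    problems = []
    if root.get("Destination") != acs_url:
        problems.append("Destination differs from the Single Sign-On URL (step 2.6)")
    audiences = [e.text.strip() for e in root.iterfind(".//a:Audience", NS) if e.text]
    if entity_id not in audiences:
        problems.append("Audience differs from the Audience URI (step 2.7)")
    name_id = root.find(".//a:Subject/a:NameID", NS)
    if name_id is None or name_id.get("Format") != EMAIL_NAMEID:
        problems.append("NameID format is not EMAIL (step 2.8)")
    emails = [v.text.strip()
              for attr in root.iterfind(".//a:AttributeStatement/a:Attribute", NS)
              if attr.get("Name") == EMAIL_CLAIM
              for v in attr.iterfind("a:AttributeValue", NS) if v.text]
    if not emails:
        problems.append("Email attribute missing or misnamed (steps 2.12 and 3.4)")
    return problems

def sample_response(attr_name=EMAIL_CLAIM, audience=SP_ENTITY_ID):
    """Constructed sample, not a captured Google Workspace response."""
    return f"""<samlp:Response xmlns:samlp="{NS['p']}" xmlns:saml="{NS['a']}"
    Destination="{ACS_URL}"><saml:Assertion>
  <saml:Subject><saml:NameID Format="{EMAIL_NAMEID}">learner@example.test</saml:NameID></saml:Subject>
  <saml:Conditions><saml:AudienceRestriction>
    <saml:Audience>{audience}</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement><saml:Attribute Name="{attr_name}">
    <saml:AttributeValue>learner@example.test</saml:AttributeValue>
  </saml:Attribute></saml:AttributeStatement>
</saml:Assertion></samlp:Response>"""

if __name__ == "__main__":
    print(check_response(sample_response(), ACS_URL, SP_ENTITY_ID))
    print(check_response(sample_response(attr_name="email"), ACS_URL, SP_ENTITY_ID))
```

An empty list means the response matches the configuration; each entry otherwise names the step to revisit.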
Getting single sign-on set up can be complex. If you run into any issues, please don't hesitate to contact the team at CanIPhish for assistance.