Setting up SSO with Google Apps

The EmpowerID SSO framework allows you to integrate Google Apps with EmpowerID, making EmpowerID the identity provider for your organization's Google app account. In this way, users can access their corporate Google accounts directly from EmpowerID using their EmpowerID credentials, their corporate AD logins or those of another trusted (third-party) identity provider that has been integrated with EmpowerID.

As a prerequisite to creating an SSO Connection for Google as a service provider in EmpowerID, you must have a Google Apps for Business or Education account with Google.

For specific directions on registering EmpowerID as an application in Google, see the information provided by Google at https://console.developers.google.com.

This topic describes how to set up SSO with Google Apps and is divided into the following activities:

To create a Google Apps application in EmpowerID

  1. From the Navigation Sidebar, navigate to the find protected application resource page by expanding Applications and clicking Manage Applications.
  2. From the Actions pane of Application Manager, click the Create Application action.
  3. This opens the Application Details form, which contains various tabs and fields for creating the application.

  4. From the General tab of the Application Details form, do the following:
    1. Type an appropriate name, display name and description for the application in the Name, Display Name and Description fields, respectively.
    2. In the Icon field, type ~Images/AppLogos/Google.png. This is the path to the Google image provided by EmpowerID. Users with access to the application will see this image representing Google in their Personal Applications page of the EmpowerID Web application.
    3. Select or deselect Allow Access Requests to specify whether to allow access requests. When this option is selected, the application appears in the IT Shop, allowing users to request or claim an account in the application.
    4. Select or deselect Allow Claim Account to specify whether to give users the ability to claim an account they have in the application. When this option is selected, users can claim their accounts and gain instant access after passing the requisite identity proofs.
    5. Select or deselect SSO Enabled to specify whether the application is an SSO app. This should be selected.
    6. Select or deselect Requires Account For SSO to specify whether users must have an account in the application for SSO. This should be selected.
    7. Select or deselect Allow Request Account to specify whether to allow users to request an account in the application. When this option is selected and Allow Access Requests is selected, users can request an account in the application.
    8. Select or deselect Login Is Email Address to specify whether the login for the application is an email address. This setting is necessary for passing the appropriate identity assertion to the application when logging in from EmpowerID.
    9. Select or deselect Make me the Application Owner to specify whether you are the owner of the application. Application owners have the ability to manage the application and approve or deny access requests.
    10. Configure Advanced Claim and Request Account Options - Select this option and then provide the appropriate advanced configuration information if you have custom pages and workflows configured in EmpowerID for processing access requests as well as for managing any accounts linked to the application's (internal to EmpowerID) account directory.
  5. Click the Single Sign-On tab and do the following:
    1. Select SAML from the Single Sign-On Connection Type drop-down and then select Create a New SAML Connection.
    2. In the SAML Connection Information section that appears, select Google SSO Connection Settings from the SAML Application Template drop-down. This populates the SAML Connection Information section with the common SSO settings for Google Apps provided by the template.
    3. In the Display Name field of the SAML Connection Information section, type the name for the Google Apps SSO Connection that you want to appear to users in the EmpowerID user interfaces. By default EmpowerID populates the value of this field with the name you gave to the application above.
    4. Select the appropriate certificate to sign the SAML assertions sent to Google from the Certificate drop-down.
    5. Edit the value of the Assertion Consumer URL field, replacing " yourdomain.com " with the name of your Google Apps domain.

    6. When you have completed the above, the SAML Connection Information section of the form should look similar to the following image.

  6. Click the Users tab and do one of the following:
    • If you have not connected EmpowerID to your enterprise Google Apps account - Tick Create a New Account Directory or select Google from the Select existing Account Directory drop-down. If you select Create a New Account Directory, EmpowerID will create a special type of "tracking-only" account store, named after the application, that is internal to EmpowerID. A tracking-only account store account exists as a container within EmpowerID for storing user and group records apart from those located in the actual directory Google maintains for your Google Apps. If you select Google, EmpowerID uses the Google tracking-only account store that is configured out-of-the-box.
    • Although you have the option to create a "tracking only" account store for Google Apps, as a best practice you should connect EmpowerID to Google as doing so allows you to inventory and synchronize the user data in your Google Apps account with EmpowerID. In this way, you can create new Google accounts in EmpowerID and those accounts will created in Google and vice-versa. For more information, see Connecting to Google Apps.
    • If you have connected EmpowerID to your enterprise Google Apps account - Select the account store for your Google Apps from the Select existing Account Directory drop-down. EmpowerID uses this directory to map your Google Apps users with their corresponding EmpowerID Persons. Please note that you must add this account store to EmpowerID before it will appear in the drop-down.
  7. Click Add to Cart.
  8. Click the My Cart link and in the Cart dialog that appears, type a reason for creating the application and then click Submit.
  9. After EmpowerID creates the application, navigate to the SAML SSO Connections management page by expanding Admin > Applications and Directories > SSO Connections and clicking SAML.
  10. From the SAML Connections tab of the SAML SSO Connections management page, search for the Google SAML Connection you just created.
  11. From the SAML Connections grid, click the Display Name link.
  12. In the View One page for the application that appears, locate and copy the User Entered URL. This URL will need to be added to Google when you register EmpowerID there.
  13. Now that you have created the application in EmpowerID, the next step is to set up SSO between EmpowerID and Google in Google. For the specifics, see Google's instructions at https://console.developers.google.com.

    After registering EmpowerID in Google, you can test the SSO connection as outlined below.

To test the Google SSO application

  1. Log in to the EmpowerID Web application as the owner of the Google application you just created.
  2. From the Navigation Sidebar, navigate to the IT Shop by expanding Applications and clicking Request Access.
  3. In the IT Shop, search for the Google application you just created and click the Request Access link.
  4. Underneath Account Management, click either Claim Existing Account (if you have connected EmpowerID to Google and have a Google account that has been inventoried by EmpowerID) or click Request New Account (if you currently do not have a Google account that has been inventoried by EmpowerID). In our example, we are selecting Claim Existing Account.
  5. In the Register SSO Application Account form that appears, select Google (or whatever you named the SSO application when you created it) from the SSO Application drop-down, type your Google login in the SSO Application Login field and then click Submit.
  6. In the below image, the Navigation Sidebar has been collapsed to conserve screen real estate.

    EmpowerID sends a one-time password to the email address associated with your account.

  7. Type the one-time password in the Password field and then click Sumbit.
  8. Because you are the owner of the application, EmpowerID grants you access to the application. If you were not the owner, EmpowerID would route the request for access to the application to the owner for approval.
  9. From the Navigation Sidebar, click Login underneath Applications.
  10. You should see Google listed as on of your personal applications. Clicking the Google image directs you to Google where you will be seamlessly signed in.