A customer may configure their own SAML2-compliant IdP in order to authenticate application users against an external data source. This can have significant benefits for the customer and their users in terms of ease of authentication, login security, and simplified administration. We officially support Google Workspace as an IdP.
Five pieces of information are required to set up the trust relationship between an application and an IdP:
- Unique identifier (EntityID) of the application
- The application endpoint (URL) for the Attribute Consumer Service (ACS)
- Unique identifier (EntityID) of the IdP
- Signing certificate of IdP to ensure the integrity of the authentication response
- Authentication endpoint URL of IdP
Entity IDs must be globally unique and are commonly supplied in the form of the HTTPS URL of the IdP or application (although this is not required). For a Case Manager application, this is https://casemanager.co.uk/<customer>/ where <customer> is replaced with the customer/instance name. The trailing slash is important. The corresponding ACS URL is https://casemanager.co.uk/<customer>/jaxrs/saml/acs (which does not have a trailing slash).
The customer must supply the EntityID for their IdP, the authentication URL and the certificate.
➡ Note: It is important that the values are configured exactly the same on both sides of the relationship, otherwise the login process will fail, sometimes with errors that are not immediately intelligible.
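Because a mismatched trailing slash or a mangled certificate produces unhelpful login errors, it is worth checking the five values before either side is configured. The script below is an added example, not part of the Case Manager product or this page: it derives the SP EntityID and ACS URL for a customer name, checks the customer-supplied IdP values (EntityID, SSO URL, Base64 certificate) for the common mistakes, compares what was typed into the IdP against what the SP expects, and emits a minimal SP metadata document. The HTTP-POST binding in the metadata and the certificate body are assumptions; the certificate is a constructed placeholder, not a real key.

```python
"""Pre-flight checks for the SAML2 trust settings described above (added example)."""
import base64
import binascii
import re
from urllib.parse import urlparse
from xml.etree import ElementTree as ET

CASEMANAGER_BASE = "https://casemanager.co.uk/"
MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"

# Constructed placeholder: decodes to a tiny DER SEQUENCE, not a real certificate.
CONSTRUCTED_CERT = "-----BEGIN CERTIFICATE-----\nMAMCAQE=\n-----END CERTIFICATE-----\n"


def sp_entity_id(customer: str) -> str:
    """EntityID of the Case Manager SP for a customer; the trailing slash is significant."""
    return f"{CASEMANAGER_BASE}{customer}/"


def sp_acs_url(customer: str) -> str:
    """Attribute Consumer Service endpoint for the customer; no trailing slash."""
    return f"{CASEMANAGER_BASE}{customer}/jaxrs/saml/acs"


def normalise_certificate(pem_or_b64: str) -> str:
    """Strip PEM armour and whitespace; return the bare Base64 body.

    Raises ValueError when the text is not Base64 or does not decode to a DER
    SEQUENCE (every X.509 certificate starts with tag byte 0x30).
    """
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", pem_or_b64)
    body = "".join(body.split())
    try:
        der = base64.b64decode(body, validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError("certificate is not valid Base64") from exc
    if not der or der[0] != 0x30:
        raise ValueError("decoded certificate is not a DER SEQUENCE")
    return body


def check_idp_settings(idp_entity_id: str, sso_url: str, certificate: str) -> list[str]:
    """Return the problems found in the three customer-supplied IdP values (empty if fine)."""
    problems = []
    if not idp_entity_id.strip():
        problems.append("IdP EntityID is empty")
    elif idp_entity_id != idp_entity_id.strip():
        problems.append("IdP EntityID has leading or trailing whitespace")
    sso = urlparse(sso_url)
    if sso.scheme != "https" or not sso.netloc:
        problems.append("SSO URL must be an absolute https URL")
    try:
        normalise_certificate(certificate)
    except ValueError as exc:
        problems.append(str(exc))
    return problems


def compare_sp_settings(customer: str, idp_side_entity_id: str, idp_side_acs_url: str) -> list[str]:
    """Compare the SP values entered at the IdP with what the SP expects; exact match required."""
    problems = []
    expected_entity, expected_acs = sp_entity_id(customer), sp_acs_url(customer)
    if idp_side_entity_id != expected_entity:
        hint = " (missing trailing slash)" if idp_side_entity_id + "/" == expected_entity else ""
        problems.append(f"EntityID mismatch: IdP has {idp_side_entity_id!r}, expected {expected_entity!r}{hint}")
    if idp_side_acs_url != expected_acs:
        hint = " (unexpected trailing slash)" if idp_side_acs_url.rstrip("/") == expected_acs else ""
        problems.append(f"ACS URL mismatch: IdP has {idp_side_acs_url!r}, expected {expected_acs!r}{hint}")
    return problems


def build_sp_metadata(customer: str) -> str:
    """Minimal SP metadata an IdP administrator could import (HTTP-POST binding assumed)."""
    ET.register_namespace("md", MD_NS)
    root = ET.Element(f"{{{MD_NS}}}EntityDescriptor", entityID=sp_entity_id(customer))
    sp = ET.SubElement(root, f"{{{MD_NS}}}SPSSODescriptor",
                       protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol")
    ET.SubElement(sp, f"{{{MD_NS}}}AssertionConsumerService",
                  Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
                  Location=sp_acs_url(customer), index="0", isDefault="true")
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    # Typical slip: EntityID typed without its trailing slash, ACS URL typed with one.
    for p in compare_sp_settings("acme", "https://casemanager.co.uk/acme",
                                 "https://casemanager.co.uk/acme/jaxrs/saml/acs/"):
        print("PROBLEM:", p)
    print(build_sp_metadata("acme"))
```

Run it with the values the customer sends and the values shown in the IdP console before the first login attempt; an empty problem list from both check functions means the two sides agree byte for byte.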
Google Workspace
1. On the Admin control panel, select 'Apps → Web and Mobile Apps'.
2. Select 'Add App → Add custom SAML app'.
3. Enter a name, e.g. 'IIZUKA Case Manager'.
4. Optionally, add a description and upload an app icon.
5. Click 'Continue'.
6. Record the displayed SSO URL as the service URL described above.
7. Record the displayed Entity ID.
8. Download the certificate.
9. Click 'Continue'.
10. Once the above has been completed, you will need to download the certificate, using the Base64 option.
Send over the SSO URL and Service URL from Step 6 and the Base64 Certificate from Step 10.
➡ Note: To send these details securely, you should make use of a secure channel, e.g. a password-protected ZIP file or spreadsheet.
Pete Patel