How to configure GSUITE as SAML as Identity Provider

SOLVED
Contributor

Hi good morning,

 

I have two PSA5000 in an Active/Passive cluster.

 

Now I would like to configure access to SSLVPN by GSUITE users and not local users.

I searched the documentation, but I can't configure it.

 

I did these steps:

1) On Pulse

In System -> SAML -> Setting test.mydomain.com

 

2) On GSUITE 

Create in App Settings SAML server with this config:

ACS URL = https://test.mydomain.com/dana/home/index.cgi (my login page of sslvpn)

Entity ID = https://test.mydomain.com/dana-na/auth/saml-endpoint.cgi?p=sp1 (see in Auth Servers > GSUITE_SAML > Settings Connect Secure Entity Id)

Attribute Mapping:

Email - Basic Information - Primary Email

FirstName - Basic Information - First Name

LastName - Basic Information - Last Name

 

3) On Pulse

Auth Servers > GSUITE_SAML > Settings

SAML Version: 2.0
Connect Secure Entity Id: https://test.mydomain.com/dana-na/auth/saml-endpoint.cgi?p=sp1
Configuration Mode: Manual
Identity Provider Entity Id: https://accounts.google.com/o/saml2?idpid=xxxxxxxxx
Identity Provider Single Sign On Service URL: https://accounts.google.com/o/saml2/idp?idpid=xxxxxxxxx

 

4) On Pulse

In Sign-in Policy, set Users to use the GSUITE_SAML created before.

 

 

When I try to connect to https://test.mydomain.com I see the GSUITE authentication, insert email and password, and afterwards the system doesn't redirect to the sslvpn home page.

 

Could you help me please?

 

Thanks.

Marco

Moderator

Re: How to configure GSUITE as SAML as Identity Provider

Hi Marco,

 

It seems that you have configured the ACS URL incorrectly on the GSuite (IDP) side.

 

Please try replacing the https://test.mydomain.com/dana/home/index.cgi URL with https://test.mydomain.com/ if you have mapped the SAML realm to */ sign-in URL on the VPN server.

 

Thanks,
Ray.

Pulse Connect Secure Certified Expert
Contributor

Re: How to configure GSUITE as SAML as Identity Provider

     

Hi Ray,

thank you so much for your reply.

 

I changed the ACS URL, but I don't understand where I can see how I mapped the SAML realm to the */ sign-in URL on the VPN server.

Is it in Authentication -> Signing In > Sign-in Policies?

 

Thanks

Marco

Moderator

Re: How to configure GSUITE as SAML as Identity Provider

Yes. You're right. 😊

 

It's under Authentication -> Signing In > Sign-in Policies >> User URLs. Check to which sign-in URL you have mapped the SAML realm. If it's under */ URL, then you can update the ACS URL as https://test.mydomain.com/. If not, please add the exact URL string (*/<string>) as ACS URL.

Pulse Connect Secure Certified Expert
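To see which ACS URL and Entity ID the IdP is actually sending, the check below decodes a captured `SAMLResponse` form value and compares its Destination, Recipient, Audience and Issuer with the values entered on the VPN side. This is an added example, not part of the thread or of any Pulse Secure or Google tooling; the function name and the sample response are constructed, and the URLs are the ones quoted in the thread.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SP_ENTITY_ID = "https://test.mydomain.com/dana-na/auth/saml-endpoint.cgi?p=sp1"
IDP_ENTITY_ID = "https://accounts.google.com/o/saml2?idpid=xxxxxxxxx"

def check_response_routing(b64_response, sp_acs_url, sp_entity_id, idp_entity_id):
    """Diagnostic only: compares routing fields and does NOT verify signatures."""
    root = ET.fromstring(base64.b64decode(b64_response))
    problems = []
    # Destination and Recipient carry the ACS URL entered on the IdP side.
    targets = [("Destination", root.get("Destination"))]
    targets += [("Recipient", e.get("Recipient"))
                for e in root.iterfind(".//saml:SubjectConfirmationData", NS)]
    for name, value in targets:
        if value != sp_acs_url:  # exact string comparison, no normalisation
            problems.append(f"{name} {value!r} != SP ACS URL {sp_acs_url!r}")
    # Audience carries the Entity ID entered on the IdP side.
    audiences = [a.text.strip() for a in root.iterfind(".//saml:Audience", NS) if a.text]
    if sp_entity_id not in audiences:
        problems.append(f"Audience {audiences} lacks SP entity ID {sp_entity_id!r}")
    issuer = root.findtext("saml:Issuer", "", NS).strip()
    if issuer != idp_entity_id:
        problems.append(f"Issuer {issuer!r} != IdP entity ID {idp_entity_id!r}")
    return problems

# Constructed sample: what an IdP would send with the ACS URL from step 2.
SAMPLE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    Destination="https://test.mydomain.com/dana/home/index.cgi">
  <saml:Issuer>https://accounts.google.com/o/saml2?idpid=xxxxxxxxx</saml:Issuer>
  <saml:Assertion>
    <saml:Subject><saml:SubjectConfirmation>
      <saml:SubjectConfirmationData
          Recipient="https://test.mydomain.com/dana/home/index.cgi"/>
    </saml:SubjectConfirmation></saml:Subject>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>https://test.mydomain.com/dana-na/auth/saml-endpoint.cgi?p=sp1</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""
SAMPLE_B64 = base64.b64encode(SAMPLE_XML.encode()).decode()

if __name__ == "__main__":
    # sp_acs_url here is the value suggested in the reply above for a */ mapping.
    for line in check_response_routing(SAMPLE_B64, "https://test.mydomain.com/",
                                       SP_ENTITY_ID, IDP_ENTITY_ID):
        print("MISMATCH:", line)
```

Pass as `sp_acs_url` whatever consumer URL the VPN server is configured to accept; the script only reports where the IdP's values differ from it.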
Contributor

Re: How to configure GSUITE as SAML as Identity Provider

Hi,

 

I have */ and I changed it in the GSuite configuration, but I can't resolve it.

 

Thanks

Marco

Moderator

Re: How to configure GSUITE as SAML as Identity Provider

What is the error message you're receiving after providing the credentials?

 

Is it something like "Invalid Sign-in URL"?

Pulse Connect Secure Certified Expert
Moderator

Re: How to configure GSUITE as SAML as Identity Provider

Do you have a role mapping rule in place to allow all users on your test realm?
What does your policy trace show for the login failure?
Contributor

Re: How to configure GSUITE as SAML as Identity Provider

Hi Marco,

 

Is it possible to configure GSuite on a separate Sign-In URL such as, say, */gsuite and try again?

 

 

Contributor

Re: How to configure GSUITE as SAML as Identity Provider

Hi,

thanks for the reply. 

I have configured it, but it didn't work.

 

Please, what are all the steps (in order) to correctly configure SAML with GSUITE?

 

E.g.

1) Set SAML Server in Configuration -> SAML -> Setting

2) New metadata provider in Configuration -> SAML

 

etc...

 

Thanks

Moderator

Re: How to configure GSUITE as SAML as Identity Provider

I would recommend opening a case with support to work through the configuration live and do testing.
I have checked and they have a time-limited trial. I will try to work on it over the weekend using the trial.