Hi good morning,
I have two PSA5000 in Active/PAssive cluster.
Now I like to configure access to SSLVPN by GSUITE user and not local user.
I search documentation, but I can't configure it.
I did these steps
1) On Pulse
In System -> SAML -> Setting test.mydomain.com
2) On GSUITE
Create in App Settings SAML server with this config:
ACS URL = https://test.mydomain.com/dana/home/index.cgi (my login page of sslvpn)
Entity ID = https://test.mydomain.com/dana-na/auth/saml-endpoint.cgi?p=sp1 (see in Auth Servers > GSUITE_SAML > Settings Connect Secure Entity Id)
Email - Basic Information - Primary Email
FirstName - Basic Information - First Name
LastName - Basic Information - Last Name
3) ON PUlse
Auth Servers > GSUITE_SAML > Settings
SAML Version: 2.0
Connect Secure Entity Id: https://test.mydomain.com/dana-na/auth/saml-endpoint.cgi?p=sp1
Configuration Mode: Manual Manual
Identity Provider Entity Id: https://accounts.google.com/o/saml2?idpid=xxxxxxxxx
Identity Provider Single Sign On Service URL: https://accounts.google.com/o/saml2/idp?idpid=xxxxxxxxx
4) On Pulse
in Sign-in Policy Set USers to use GSUITE_SAML created before.
When I try to connect to https://test.mydomain.com I see the GSUITE autenticationm insert email and password, and after the system don't redirect to sslvpn home page
Could we help me please?
Solved! Go to Solution.
It seems that you have configured the ACS URL incorrectly on the GSuite (IDP) side.
thank you so much for your reply.
I changed the ACS url but I don't understand where I can see how I set the mapped the SAML realm to */ sign-in URL on the VPN server.
Is it in Authentication -> Signing In > Sign-in Policies
Yes. You're right. 😊
It's under Authentication -> Signing In > Sign-in Policies >> User URLs. Check to which sign-in URL you have mapped the SAML realm. If it's under */ URL, then you can update the ACS URL as https://test.mydomain.com/. If not, please add the exact URL string (*/<string>) as ACS URL.
What is the error message you're receiving after providing the credentials?
Is it something like "Invalid Sign-in URL"?
Is it possible to configure GSuite on a separate Sign-In URL such as say */gsuite and try again?
thanks for the reply.
I have configured but did't work.
Please what are all steps (in order) to configure correctly SAML w9ith GSUITE?
1) set SMAL Server in configuration -> SAML -> Setting
2) New metadata provider in Configuration -> SAML