Role Mapping using GSUITE groups

Occasional Contributor

Hi,

I set up SAML authentication with GSUITE on a PSA5000.

Now, if I set a single email in Role Mapping, I can authenticate, but I need to assign roles by groups and not by single user. Is it possible? How?

Thanks for the support.

Marco

Moderator

Re: Role Mapping using GSUITE groups

Role mapping using an LDAP server:

1. Configure an LDAP auth instance on the VPN.

2. Map it as "Authorization" server under the SAML user realm.

3. Now, after authentication, the VPN will use the username to check with the LDAP server and pull the group memberships.

4. Create role mapping rules based on group memberships to assign the user roles.

Role mapping using a SAML assertion (attribute):

1. If Gsuite can be configured to do a directory sync with your on-prem AD server, then you have to configure Gsuite to send the group membership values as "Assertion Attributes" in the SAML response.

2. Role mapping can be configured to look for a specific attribute value and assign the user roles to the users.
Occasional Contributor

Re: Role Mapping using GSUITE groups

Hi,

thanks a lot for your reply, but I'm confused.

Can I use GSUITE as LDAP and configure it in PULSE to enable login by email and set permissions by groups?

Thanks

Marco

Moderator

Re: Role Mapping using GSUITE groups

I don't think Gsuite will allow you to configure it as an LDAP instance, hence we can create a new LDAP instance for your on-prem Domain Controller (DC) and add it as an Authorization server on the user realm (when authentication is done by Gsuite SAML), and we can pull groups from your DC to do the role mapping.
Occasional Contributor

Re: Role Mapping using GSUITE groups

Hi Ray,
thanks for your reply, but I'm confused.

If I set up an LDAP DC, how can I then use the GSUITE email to add them to the groups in LDAP?
Moderator

Re: Role Mapping using GSUITE groups

How does Gsuite verify the user accounts during the authentication process? Is there any sync between Gsuite and the DC?

Do the users have accounts with the same email address under your DC, associated with group memberships?

If yes, we can use the assertion returned by Gsuite (the email address of the user) to pull the group memberships and do the role mapping.
Occasional Contributor

Re: Role Mapping using GSUITE groups

Hi Ray,

thank you so much for your reply.

The problem is that I would like to use GSUITE so as not to use a Domain Controller, because many users only have an email on GSUITE and do not have a user on the Domain Controller, and I have different AD domains that I will have to manage under Pulse.

My best solution would be to use only GSUITE, but to assign roles to users easily I thought of using an association in role mapping with GSUITE groups, instead of inserting every single email in role mapping.

Moderator

Re: Role Mapping using GSUITE groups

Ok. Got it. :)

We have to configure Gsuite to send the GROUP values as an assertion attribute in the SAML response. Please check with the Gsuite team for how to configure/allow it.

If the Gsuite can be configured to do so, then we can configure the VPN server to do the role mapping based on the returned values.
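To illustrate what the role-mapping step described above actually consumes, here is an added example (not from this thread and not Pulse Secure's code) that reads a constructed SAML 2.0 response, extracts the multi-valued group attribute the IdP was asked to send, and applies attribute-value rules to derive roles. The attribute name "groups", the group names and the role names are assumptions chosen for the example.

```python
import xml.etree.ElementTree as ET

# Namespaces used by SAML 2.0 responses and assertions.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample response (not a real capture): the IdP returns the
# user's email as the NameID and group memberships as a multi-valued
# "groups" attribute. In a real deployment the signature on this response
# must be verified before any attribute value is trusted for role mapping.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion>
    <saml:Subject><saml:NameID>marco@example.com</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="groups">
        <saml:AttributeValue>vpn-admins</saml:AttributeValue>
        <saml:AttributeValue>sales</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

# Role mapping rules (assumed names): (attribute name, expected value, role).
ROLE_RULES = [
    ("groups", "vpn-admins", "Admin"),
    ("groups", "sales", "Sales-Users"),
]


def attribute_values(response_xml: str, name: str) -> list:
    """Return every AttributeValue of the named assertion attribute."""
    root = ET.fromstring(response_xml)
    values = []
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == name:
            for value in attr.iterfind("saml:AttributeValue", NS):
                if value.text and value.text.strip():
                    values.append(value.text.strip())
    return values


def map_roles(response_xml: str, rules=ROLE_RULES) -> list:
    """Assign roles whose rule value appears among the returned attribute values."""
    roles = []
    for attr_name, expected, role in rules:
        if expected in attribute_values(response_xml, attr_name) and role not in roles:
            roles.append(role)
    return roles
```

If the IdP omits the group attribute entirely, `map_roles` returns an empty list, which is the case a realm should treat as "no role" rather than a default one.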
Occasional Contributor

Re: Role Mapping using GSUITE groups

The problem is that GSUITE doesn't want to give me assistance! :(