I configured only G SUITE as IdP, I don't have an LDAP server configured, and I could not configure one.
I would like to use only GSUITE with groups.
For this, must I configure a Service Provider?
Do you know how to configure GSUITE to return the groups info? In Pulse, how must it be set? Only samlMultiValAttr.groups as an expression in role mapping.
Thanks for the support.
You can configure custom attributes for users in GSuite. You could possibly include group information in custom attributes. Below is a procedure that is copied from an article I wrote long ago, but things might have changed. Please let me know if this works for you.
Following is the procedure to create SAML custom attributes in G Suite:
Below is the procedure to use the above attribute in the SP configured at the PSA (it is assumed that the PSA's SP configuration is already done):
SAML user attributes can also be mapped to roles at the PSA box. This makes it easier to provide more flexible and granular access control rules over the SAML subject. This can be done as follows:
In the Expression box, the following would appear:
userDN.<user-attr> = <ANY>
Change it to as follows:
userDN.my_map = 'Pulse Secure Desktop QA Team'
Click on Add Expression
Click on Add -> beside the Available Expressions box
Select SAML Role, and click on Add -> box
Click on Save Changes
Now log in to the SAML endpoint of the PSA, and then to the G Suite login page.
Notice that if the user has an attribute with the value 'Pulse Secure Desktop QA Team', she is allowed to log in.
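To make the role-mapping step above concrete, here is an added example (not code from the thread, and not Pulse Secure's own expression engine) that extracts attributes from a SAML assertion and evaluates rules written in the two forms the thread mentions: the single-valued `userDN.<attr> = '<value>'` (or `<ANY>`) form from the procedure, and the `samlMultiValAttr.<attr> = '<value>'` form from the original question. The assertion, the attribute names `my_map` and `groups`, the group values and the role names are all constructed sample data; the matching semantics are a simplification I assumed for illustration.

```python
"""Added example: parse a SAML AttributeStatement and evaluate simplified
Pulse-style role-mapping rules against it. Not Pulse Secure's own code."""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion: one single-valued custom attribute (my_map)
# as produced by the G Suite custom-attribute procedure, plus a hypothetical
# multi-valued "groups" attribute of the kind the question asks about.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>jdoe@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="my_map">
      <saml:AttributeValue>Pulse Secure Desktop QA Team</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>qa-desktop@example.com</saml:AttributeValue>
      <saml:AttributeValue>vpn-users@example.com</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def parse_attributes(xml_text):
    """Return {attribute name: [values]} from the assertion's AttributeStatement.
    Multiple AttributeValue children are kept as a list so multi-valued
    attributes (groups) are preserved."""
    root = ET.fromstring(xml_text)
    attrs = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        name = attr.get("Name")
        values = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)]
        attrs.setdefault(name, []).extend(values)
    return attrs


def rule_matches(rule, attrs):
    """Evaluate one mapping rule (assumed, simplified semantics):
      userDN.<attr> = '<value>'         -> first value of <attr> equals <value>
      userDN.<attr> = <ANY>             -> <attr> is present with any value
      samlMultiValAttr.<attr> = '<value>' -> <value> is one of <attr>'s values
    """
    lhs, rhs = rule.split("=", 1)
    prefix, attr_name = lhs.strip().split(".", 1)
    expected = rhs.strip().strip("'\"")
    values = attrs.get(attr_name, [])
    if expected == "<ANY>":
        return len(values) > 0
    if prefix == "userDN":
        # single-valued view: compare only the first value
        return len(values) > 0 and values[0] == expected
    if prefix == "samlMultiValAttr":
        # multi-valued view: match if any value equals the expected one
        return expected in values
    raise ValueError("unsupported rule prefix: %s" % prefix)


def assign_roles(role_rules, attrs):
    """Return the roles (dict role -> rule) whose rule matches the attributes."""
    return [role for role, rule in role_rules.items() if rule_matches(rule, attrs)]


if __name__ == "__main__":
    parsed = parse_attributes(SAMPLE_ASSERTION)
    # Hypothetical role names; rules use the two syntaxes from the thread.
    rules = {
        "QA Desktop Role": "userDN.my_map = 'Pulse Secure Desktop QA Team'",
        "VPN Users Role": "samlMultiValAttr.groups = 'vpn-users@example.com'",
        "Admin Role": "samlMultiValAttr.groups = 'admins@example.com'",
    }
    print(parsed)
    print(assign_roles(rules, parsed))
```

Running the block prints the parsed attribute map and the two roles whose rules match; the "Admin Role" rule does not match because that group value is absent from the assertion. The point for the thread is that the multi-valued form can only work if the IdP actually emits the group list as an attribute; the custom-attribute procedure above gives a single string per user, which is why the `userDN` form fits it.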
Thank you so much for your reply.
This is a good solution, but it is not my request.
In this solution, I can't use groups, only a custom attribute.
I need to use groups to manage them by GSUITE and not by PULSE.
How can I set an expression in Pulse to receive the email from the SAML response and query my LDAP to check if this email is in a group set in the role mapping?