Showing results for 
Search instead for 
Did you mean: 

Role Mapping using a GSUITE groups


Re: Role Mapping using a GSUITE groups

If gSuite is the IdP, I think it should be the one providing the group detail in the assertion.
is there any type of correlation between the gSuite ID and the AD ID that you can use to do a query against your domain controller using LDAP (e.g. email or userPrincipalName)?

Re: Role Mapping using a GSUITE groups

I configured only G SUITE as IdP, I don't have LDAP server configured, and I could not configure one.
I would like to use only GSUITE with groups.


For this, I must configure a Service Provider? 

Do you know as configure GSUITE for return the groups info? In Pulse how must set? Only samlMultiValAttr.groups as expression in role mapping.


Thanks for the support


Re: Role Mapping using a GSUITE groups

i am not sure if gSuite allows access to groups or sends anything down for samlMultiValAttr

Re: Role Mapping using a GSUITE groups

You can configure custom attributes for users in GSuite. You could possibly include group information in custom attributes. Below is a procedure that is copied from my article long back, but things might have changed. Please let me know if this works for you.


How to create custom attributes in G Suite

Following is the procedure to create SAML custom attributes in G Suite:

  • Go to and login as Administrator of an account
  • Click on Main Menu main_menu.png , and then on Users

  • Click on Manage attributes button manage_attributes.PNG
  • Notice the User attributes page opens up (as shown below):


  • There, click on ADD CUSTOM CATEGORY (lower left)
  • Enter Attribute values as shown below (rather something similar):


  • Click on Save
  • Then, click on a user in the list
  • Click on Account
  • Click on Manage user attributes -> Edit link
  • Enter a value for the attribute as below:


  • Click on UPDATE USER
  • Go to your SAML App (from main window of -> Apps -> SAML Apps -> <your configured App>)
  • Click on Attribute Mapping and then on ADD NEW MAPPING
  • Enter the following details:


Configuring PSA Box to use the attribute

Below is the procedure to use the above attribute in SP configured at PSA (It is assumed that PSA's SP Configuration is al-ready done):

  • Go to Authentication -> Auth. Servers -> <configured SAML Server>
  • Click on the box beside User Name Template and enter the following:


  • Click on Save Changes
  • Login using any standard browser, to your SAML endpoint at PSA
  • Notice the following appears at the user name section:



Configuring mapping of SAML attributes to Roles in PSA Box


SAML User attributes can also be mapped to Roles at the PSA Box. This would make it easier for providing more flexible and granular access control rules over the SAML subject. This can be done as follows:

  • Go to Users -> User Realms -> SAML Realm
  • Click on Role Mapping
  • Click on New Rule
  • Select Custom Expressions beside Rule based on text, and click on Update
  • Enter a name beside Name section
  • Click on the Expressions button
  • A new popup will be opened, with the Expressions creation procedure
  • Enter a name in the Name section
  • Under the Expressions Dictionary, select userAttr.<auth-attr>
  • Select an operator (preferably =)
  • Click on Insert Expression
  • In the Expression box, the following would appear:

    userDN.<user-attr> = <ANY> 
  • Change it to as follows:

    userDN.my_map = 'Pulse Secure Desktop QA Team'
  • Click on Add Expression

  • Click on Add -> beside the Available Expressions box

  • Select SAML Role, and click on Add -> box

  • Click on Save Changes

  • Now login to the SAML endpoint of PSA, and then, to the G Suite login page

  • Notice that if the user has an attribute with value Pulse Secure Desktop QA Team, she is allowed to login


Re: Role Mapping using a GSUITE groups

Please let me know if this is useful. In case it is, then this could be published with the images in our public portal


Re: Role Mapping using a GSUITE groups

Hi csuchindra,

thank you so much for your reply.

This is a good solution but is not my request.


In this solution, I can't use groups but custom attribute.

I need to use groups to manage them by GSUITE and not by PULSE.



Marco Ferrara


Re: Role Mapping using a GSUITE groups

Hi zanyterp, 

how can I set expresison in Pulse to receive email from SAML respond and query my LDAP to check if this email is a ggroup set in the role mapping?