
Role Mapping using a GSUITE groups

zanyterp
Moderator

Re: Role Mapping using a GSUITE groups

If gSuite is the IdP, I think it should be the one providing the group detail in the assertion.
Is there any type of correlation between the gSuite ID and the AD ID that you can use to do a query against your domain controller using LDAP (e.g. email or userPrincipalName)?

m.ferrara
Contributor

Re: Role Mapping using a GSUITE groups

I configured only G SUITE as IdP; I don't have an LDAP server configured, and I could not configure one.
I would like to use only GSUITE with groups.

For this, must I configure a Service Provider?

Do you know how to configure GSUITE to return the group info? In Pulse, how must it be set? Only samlMultiValAttr.groups as an expression in role mapping?

Thanks for the support

zanyterp
Moderator

Re: Role Mapping using a GSUITE groups

I am not sure if gSuite allows access to groups or sends anything down for samlMultiValAttr.

csuchindra
Contributor

Re: Role Mapping using a GSUITE groups

You can configure custom attributes for users in GSuite. You could possibly include group information in custom attributes. Below is a procedure copied from an article I wrote a while back, but things might have changed. Please let me know if this works for you.


How to create custom attributes in G Suite

Following is the procedure to create SAML custom attributes in G Suite:

  • Go to admin.google.com and log in as Administrator of an account
  • Click on Main Menu (main_menu.png), and then on Users (users.png)
  • Click on the Manage attributes button (manage_attributes.PNG)
  • Notice the User attributes page opens up (as shown below):

user_attributes_page.PNG

  • There, click on ADD CUSTOM CATEGORY (lower left)
  • Enter Attribute values as shown below (rather something similar):

attribute_values.PNG

  • Click on Save
  • Then, click on a user in the list
  • Click on Account
  • Click on Manage user attributes -> Edit link
  • Enter a value for the attribute as below:

attribute_value_for_user.PNG

  • Click on UPDATE USER
  • Go to your SAML App (from main window of admin.google.com -> Apps -> SAML Apps -> <your configured App>)
  • Click on Attribute Mapping and then on ADD NEW MAPPING
  • Enter the following details:

attribute_mapping.PNG

Configuring PSA Box to use the attribute

Below is the procedure to use the above attribute in the SP configured at PSA (it is assumed that PSA's SP configuration is already done):

  • Go to Authentication -> Auth. Servers -> <configured SAML Server>
  • Click on the box beside User Name Template and enter the following:

auth_server.PNG

  • Click on Save Changes
  • Login using any standard browser, to your SAML endpoint at PSA
  • Notice the following appears at the user name section:

name_appears.PNG


Configuring mapping of SAML attributes to Roles in PSA Box


SAML User attributes can also be mapped to Roles at the PSA Box. This would make it easier for providing more flexible and granular access control rules over the SAML subject. This can be done as follows:

  • Go to Users -> User Realms -> SAML Realm
  • Click on Role Mapping
  • Click on New Rule
  • Select Custom Expressions beside Rule based on text, and click on Update
  • Enter a name beside Name section
  • Click on the Expressions button
  • A new popup will be opened, with the Expressions creation procedure
  • Enter a name in the Name section
  • Under the Expressions Dictionary, select userAttr.<auth-attr>
  • Select an operator (preferably =)
  • Click on Insert Expression
  • In the Expression box, the following would appear:

    userDN.<user-attr> = <ANY> 
  • Change it to as follows:

    userDN.my_map = 'Pulse Secure Desktop QA Team'
  • Click on Add Expression

  • Click on Add -> beside the Available Expressions box

  • Select SAML Role, and click on Add -> box

  • Click on Save Changes

  • Now login to the SAML endpoint of PSA, and then, to the G Suite login page

  • Notice that if the user has an attribute with value Pulse Secure Desktop QA Team, she is allowed to log in
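As an added example that is not from this thread, from Pulse Secure or from Google: the script below parses a constructed SAML AttributeStatement and evaluates the two rule styles discussed here, a single-valued custom attribute (my_map, as in the procedure above) and a multi-valued group attribute (what the original question asks for). The XML, the attribute names and the rule semantics are assumptions for illustration, not Pulse's actual expression engine.

```python
# Added example: models SAML attribute-to-role rules. Names, XML and rule
# semantics are constructed assumptions, not Pulse Secure or Google code.
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: one custom attribute (my_map) and one multi-valued groups attribute.
SAMPLE_ATTRIBUTE_STATEMENT = """
<saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Attribute Name="my_map">
    <saml:AttributeValue>Pulse Secure Desktop QA Team</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="groups">
    <saml:AttributeValue>vpn-users@example.com</saml:AttributeValue>
    <saml:AttributeValue>qa-team@example.com</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>
"""

def parse_attributes(xml_text):
    """Return {attribute name: [values...]} from a SAML AttributeStatement."""
    root = ET.fromstring(xml_text.strip())
    attrs = {}
    for attr in root.findall("saml:Attribute", SAML_NS):
        values = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", SAML_NS)]
        attrs[attr.get("Name")] = values
    return attrs

def rule_matches(attrs, name, expected, multi_valued=False):
    """Evaluate a rule of the form <attr> = '<expected>'.
    Single-valued: true only if exactly one value is present and it matches exactly.
    Multi-valued (group list): true if any value matches exactly.
    Exact comparison avoids a substring or prefix match placing a user in the wrong role."""
    values = attrs.get(name, [])
    if multi_valued:
        return expected in values
    return len(values) == 1 and values[0] == expected

def roles_for(attrs):
    """Apply both rule styles and return the roles the user would be mapped to."""
    roles = []
    if rule_matches(attrs, "my_map", "Pulse Secure Desktop QA Team"):
        roles.append("SAML Role")                      # custom-attribute rule
    if rule_matches(attrs, "groups", "qa-team@example.com", multi_valued=True):
        roles.append("QA Group Role")                  # group-list rule
    return roles

if __name__ == "__main__":
    print(roles_for(parse_attributes(SAMPLE_ATTRIBUTE_STATEMENT)))
```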

csuchindra
Contributor

Re: Role Mapping using a GSUITE groups

Please let me know if this is useful. In case it is, this could be published with the images in our public portal.

m.ferrara
Contributor

Re: Role Mapping using a GSUITE groups

Hi csuchindra,

thank you so much for your reply.

This is a good solution, but it is not my request.

In this solution, I can't use groups, only a custom attribute.

I need to use groups to manage them in GSUITE and not in PULSE.

Thanks.

Marco Ferrara

m.ferrara
Contributor

Re: Role Mapping using a GSUITE groups

Hi zanyterp,

how can I set an expression in Pulse to receive the email from the SAML response and query my LDAP to check if this email is in a group set in the role mapping?