Set up Google G Suite as the SP and EAA as the IdP
This procedure describes how to set up the G Suite application as a service provider (SP) and EAA as the identity provider (IdP).
Complete the following steps to configure G Suite as the SP and EAA as the IdP.
Access G Suite to set up an admin account.
- G Suite requires you to have admin access to your domain. You can buy a domain from a third-party provider such as GoDaddy.com.
- Ask your EAA account administrator for access to the SaaS application feature.
Configure EAA as the IdP for a custom
- Under the SAML SETTINGS tab, go to the IDP info section.
Copy the prepopulated Entity ID, Single SignOn (ACS) URL, Single Logout URL, and Signing certificate information. You need this data to configure the G Suite SP.
- Do not deploy the application at this time. You need to fill out the SAML settings field with G Suite data before you can deploy.
Configure G Suite as the SP.
Sign in to G Suite using your admin account. Click Security on the Admin console.
- Click Set up single sign-on (SSO) in the Security subsection.
- Update the Sign-in page URL field value with the value found in the Single SignOn (ACS) URL field from the SAML Settings IDP info section highlighted in Step 2b.
- Update the Sign-out page URL field with your login portal hostname (for example, https://jp-t3.login.stage.akamai-access.com/api/v2/logout).
- Upload the verification certificate from Step 2b.
- Leave the rest of the settings unchanged.
Click Save Changes. The configuration should look similar to this example.
Go back to the EAA application you started in Step 2.
- Navigate to the SAML SETTINGS tab.
Update the SAML Settings fields as follows:
| Field | Value |
| --- | --- |
| EntityID | http://google.com |
| Single SignOn (ACS) URL | https://www.google.com/a/t3akamai.com/acs (replace with your domain name) |
| NameID Format | |
| NameID Attribute | user.email |
| Default Relay State | / (required) |
| Signed Request | Unchecked (not supported by Google) |
| Response Encryption | Unchecked (not supported by Google) |
| Response Signature Algorithm | N.A (leave default) |
| Single LogOut Binding | Redirect |
| Single LogOut URL | https://accounts.google.com/Logout |
| Verify Single LogOut | Checked |
Here is a sample configuration.
- Click Save and go to Deployment.
- On the DEPLOYMENT tab, click Deploy application.
Verify the EAA
- Access the Identity Portal URL and log in using your AD credentials.
- Click the icon for the G Suite application. This will open a new tab and provide users a session without requesting login credentials.
- When the end user logs out from the Identity Portal, the session with the G Suite application is also ended.
Verify the G Suite SP initiation.
- Access the Google application using your domain and specific service. For example: https://www.google.com/a/t3akamai.com/ServiceLogin?continue=https://mail.google.com.
- Users are redirected to the EAA login page. Upon successful login, users can access the Google app.
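During verification it helps to confirm that the SAML response EAA sends actually matches the SP values entered in the settings table. The following Python script is an added example, not Akamai or Google code; it assumes you have captured a response from your own test login and base64-decoded it, and the function names, the example.com domain and the sample response are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

def expected_sp_settings(domain):
    """EntityID and ACS URL from the settings table, for your own domain."""
    return {"entity_id": "http://google.com",
            "acs_url": f"https://www.google.com/a/{domain}/acs"}

def check_response(xml_text, domain):
    """Return a list of mismatches between a decoded SAML response and the SP settings.

    Field consistency only: the signature is NOT verified here. Use it on
    responses captured from your own test login, not on untrusted input.
    """
    want = expected_sp_settings(domain)
    root = ET.fromstring(xml_text)
    problems = []
    # The IdP must address the response to the SP's ACS URL.
    if root.get("Destination") != want["acs_url"]:
        problems.append(f"Destination {root.get('Destination')!r} != {want['acs_url']!r}")
    # The assertion must be scoped to the SP's EntityID.
    audiences = [a.text for a in root.findall(".//saml:Audience", NS)]
    if want["entity_id"] not in audiences:
        problems.append(f"Audience {audiences!r} lacks {want['entity_id']!r}")
    # NameID Attribute is user.email; assumed to be an address in the G Suite domain.
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    value = (name_id.text or "").strip().lower() if name_id is not None else ""
    if not value.endswith("@" + domain.lower()):
        problems.append(f"NameID {value!r} is not an address in {domain}")
    return problems

# Constructed sample response (example.com is a placeholder domain).
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    Destination="https://www.google.com/a/example.com/acs">
  <saml:Assertion>
    <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>http://google.com</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    print(check_response(SAMPLE, "example.com") or "response matches SP settings")
```

An empty list means the Destination, Audience and NameID agree with the EntityID, ACS URL and NameID Attribute configured above; a mismatch usually points to the ACS URL still carrying the wrong domain name.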