Set up Google G Suite as the SP and EAA as the IdP

This procedure describes how to set up the G Suite application as a service provider (SP) and EAA as the identity provider (IdP).

Complete the following steps to configure G Suite as the SP and EAA as the IdP.

How to

  1. Access G Suite to set up an admin account.
    1. G Suite requires you to have admin access to your domain. You can buy a domain from a third-party provider such as GoDaddy.com.
    2. Ask your EAA account administrator for access to the SaaS application feature.
  2. Configure EAA as the IdP for a custom SaaS application.
    1. Under the SAML SETTINGS tab, go to the IDP info section.
    2. Copy the prepopulated Entity ID, Single SignOn (ACS) URL, Single Logout URL, and Signing certificate information. You need this data to configure the G Suite SP.

      (Screenshot: G Suite EAA IdP info settings)
    3. Do not deploy the application at this time. You need to fill out the SAML settings field with G Suite data before you can deploy.
  3. Configure G Suite as the SP.
    1. Sign in to G Suite using your admin account. Click Security on the Admin console.

      (Screenshot: G Suite Admin console)
    2. Click Set up single sign-on (SSO) in the Security subsection.
    3. Update the Sign-in page URL field value with the value found in the Single SignOn (ACS) URL field from the SAML Settings IDP info section highlighted in Step 2b.
    4. Update the Sign-out page URL field with your login portal hostname (for example, https://jp-t3.login.stage.akamai-access.com/api/v2/logout).
    5. Upload the verification certificate from Step 2b.
    6. Leave the rest of the settings unchanged.
    7. Click Save Changes. The configuration should look similar to this example.

      (Screenshot: G Suite Setup SSO with third-party vendor page)
  4. Go back to the EAA application you started in Step 2.
    1. Navigate to the SAML SETTINGS tab.
    2. Update the SAML Settings fields as follows:

      Field                          Value
      EntityID                       http://google.com
      Single SignOn (ACS) URL        https://www.google.com/a/t3akamai.com/acs (replace t3akamai.com with your domain name)
      NameID Format                  email
      NameID Attribute               user.email
      Default Relay State            / (required)
      Signed Request                 Unchecked (not supported by Google)
      Response Encryption            Unchecked (not supported by Google)
      Response Signature Algorithm   N.A. (leave default)
      Single LogOut Binding          Redirect
      Single LogOut URL              https://accounts.google.com/Logout
      Verify Single LogOut           Checked

      Here is a sample configuration.

      (Screenshot: G Suite EAA sample SAML settings)
    3. Click Save and go to Deployment.
    4. On the DEPLOYMENT tab, click Deploy application.
  5. Verify the EAA IdP initiation.
    1. Access the Identity Portal URL and log in using your AD credentials.
    2. Click the icon for the G Suite application. A new tab opens with an authenticated G Suite session, without prompting the user for login credentials.
    3. When the end user logs out from the Identity Portal, the session with the G Suite application is also ended.
  6. Verify the G Suite SP initiation.
    1. Access the Google application using your domain and specific service. For example: https://www.google.com/a/t3akamai.com/ServiceLogin?continue=https://mail.google.com.
    2. Users are redirected to the EAA login page. Upon successful login, users can access the Google app.
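As an added check that is not part of this Akamai procedure, the following Python script tests a captured SAML response against the SAML Settings values above (the http://google.com EntityID and the t3akamai.com ACS URL are the example values from the table; the embedded response is constructed, and its Signature element is a placeholder). It checks structure and field values only and does not validate the XML signature itself, which is left to your SAML library.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Values from the SAML Settings table; t3akamai.com is the example domain used in this procedure.
EXPECTED = {"audience": "http://google.com",
            "acs_url": "https://www.google.com/a/t3akamai.com/acs",
            "nameid_format": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"}

# Constructed sample response; the ds:Signature element is a placeholder, not a real signature.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
  Destination="https://www.google.com/a/t3akamai.com/acs">
  <saml:Assertion><ds:Signature><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">user@t3akamai.com</saml:NameID>
      <saml:SubjectConfirmation><saml:SubjectConfirmationData NotOnOrAfter="2099-01-01T00:00:00Z"
        Recipient="https://www.google.com/a/t3akamai.com/acs"/></saml:SubjectConfirmation></saml:Subject>
    <saml:Conditions NotOnOrAfter="2099-01-01T00:00:00Z"><saml:AudienceRestriction>
      <saml:Audience>http://google.com</saml:Audience></saml:AudienceRestriction></saml:Conditions>
  </saml:Assertion></samlp:Response>"""

def check_saml_response(xml_text, expected=EXPECTED):
    """Return a list of mismatches against the SP settings; an empty list means the response fits."""
    problems, now = [], datetime.now(timezone.utc)
    root = ET.fromstring(xml_text)
    if root.get("Destination") != expected["acs_url"]:
        problems.append("Response Destination is not the configured ACS URL")
    a = root.find("saml:Assertion", NS)
    if a is None:  # an EncryptedAssertion lands here: Google does not support response encryption
        return problems + ["no plain saml:Assertion in the response"]
    if a.find("ds:Signature", NS) is None and root.find("ds:Signature", NS) is None:
        problems.append("neither the Response nor the Assertion carries a ds:Signature")
    aud = a.find("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)
    if aud is None or aud.text != expected["audience"]:
        problems.append("Audience does not equal the EntityID")
    nameid = a.find("saml:Subject/saml:NameID", NS)
    if nameid is None or nameid.get("Format") != expected["nameid_format"] or "@" not in (nameid.text or ""):
        problems.append("NameID is not an emailAddress-format e-mail")
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != expected["acs_url"]:
        problems.append("SubjectConfirmationData Recipient is not the ACS URL")
    for el in (a.find("saml:Conditions", NS), scd):  # both may carry NotOnOrAfter; whole-second UTC assumed
        exp = el.get("NotOnOrAfter") if el is not None else None
        if exp and datetime.strptime(exp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc) <= now:
            problems.append("assertion has expired")
    return problems
```

Run it against a response captured from the browser's SAML tracer after the SP-initiated login in Step 6; any non-empty list points at the setting in the table that disagrees with what EAA actually sends.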