
Configuring your G Suite domain with SURFconext

In this tutorial, we use the fictional Google G Suite domain "myuniversity.com". Replace it with your institution's G Suite domain name, the one you configured when creating your G Suite instance.

Note: uploading a file (the certificate) in the form may reset other changes in the form that have not been saved yet.


  1. Log in to the Google G Suite administrative interface located at https://admin.google.com/myuniversity.com
  2. Go to Security → Set up single sign-on (SSO)
  3. Configure the fields as follows (see the screenshot below):
    1. Check the "Setup SSO with third party identity provider" checkbox
    2. Sign-in page URL:

      https://engine.surfconext.nl/authentication/idp/single-sign-on/key:20181213
    3. Sign-out page URL:

      https://engine.surfconext.nl/logout

      This destroys the user's login session at SURFconext. However, the user is likely to have other active sessions that would allow them to re-enter G Suite without providing a username and password again. The strong security advice is therefore to close the browser, which destroys all of the user's session cookies and effectively logs the user out.

    4. Change Password URL
      This field should point to your institution's change-password page. See also the section below.
    5. Verification Certificate
      Upload a file containing the SURFconext signing certificate. Either save the certificate below to a file, or browse to https://metadata.surfconext.nl/ where you will find it under Security (engine.surfconext.nl 20181213 certificate):

      -----BEGIN CERTIFICATE-----
      MIID7DCCAtSgAwIBAgIJAIgMqnMYZ+t6MA0GCSqGSIb3DQEBCwUAMIGFMQswCQYD
      VQQGEwJOTDEQMA4GA1UECAwHVXRyZWNodDEQMA4GA1UEBwwHVXRyZWNodDEVMBMG
      A1UECgwMU1VSRm5ldCBCLlYuMRMwEQYDVQQLDApTVVJGY29uZXh0MSYwJAYDVQQD
      DB1lbmdpbmUuc3VyZmNvbmV4dC5ubCAyMDE4MTIxMzAeFw0xODEyMTMxNTI5MjBa
      Fw0yMzEyMTMxNTI5MjBaMIGFMQswCQYDVQQGEwJOTDEQMA4GA1UECAwHVXRyZWNo
      dDEQMA4GA1UEBwwHVXRyZWNodDEVMBMGA1UECgwMU1VSRm5ldCBCLlYuMRMwEQYD
      VQQLDApTVVJGY29uZXh0MSYwJAYDVQQDDB1lbmdpbmUuc3VyZmNvbmV4dC5ubCAy
      MDE4MTIxMzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALPOGS+fBERf
      mWiV8aV85z45QsuFw3gkq0HbWR1JGz7cjqhjV6YZHFXyRt4ikG//9BIHS0xc/cW1
      sOMnSuCjDhY8Oh/dOk01zfgFXUcv+0iNlkEKGMlT/xJpIDIy/N4WjpGvkJO2oJHf
      rQUY115Du56MSMqd0gPvo1OsDvXroYivqxYpTTHzaf5TYQYPf6n/3rEfsu3u6L3p
      zE3/q38jnEyxfQ1UoZ9VF2Fy6oe/StlwhPUJhVwHlKDMqQ+T+tljDt26Ok9QL3zz
      W9JtBo+pnydMT/rg5h7NW8A9HASLnRLK8rFD9nBEdAPkK+elTE6QddRiTh9H84KC
      s0fQiiT6YFsCAwEAAaNdMFswHQYDVR0OBBYEFAJuZa7u0f0o2kB9uRPoB/ekx04s
      MB8GA1UdIwQYMBaAFAJuZa7u0f0o2kB9uRPoB/ekx04sMAsGA1UdDwQEAwIHgDAM
      BgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQBXh5l8u+ncPXkMyDqDuikN
      Le/X5j0KNjvqUtQ6QPRSt8MMvjRYWZdVC0gMOtKEAY1/cYnA2y+0yrGqmy9I/zBd
      LV73BBLnVlV2WYATYOZLWNW36kjBtdSbH0oXBp7HOu/I4lP+Sv69eRN6p2/9CmDy
      Kc5JUpXU3PEftv5Lwsqco8MMqqENhwzYlxRb96LFq08Un2QQoV60HqX4Ks79qUrn
      jRL5pKtoP4ujLmPqQIieHpTgsvHSqSa+9tZMnyEaJEvl7vpNn1M7v1bWOWwjQvMl
      YnSq5b0U5gHXgpdBYSfWnCwwpq4h8KHZ7/XVvOVsdYpjHap+907OGhqXGBsIqf9U
      -----END CERTIFICATE-----
    6. Use a domain specific issuer
      Make sure to check this box. This enables SURFconext to distinguish between all connected G Suite domains.

  4. Register your G Suite domain with SURFconext using the SP Dashboard. Send an e-mail to support@surfconext.nl to gain access to the dashboard. Make sure you have the following at hand:
    1. G Suite does not provide a metadata file. Contact support@surfconext.nl if you are uncertain about what to enter in the SP Dashboard.
    2. The attribute(s) used to provision your users to G Suite. You can review the available attributes here. Attributes such as "urn:mace:dir:attribute-def:mail", "urn:mace:dir:attribute-def:uid" and "urn:mace:terena.org:attribute-def:schacHomeOrganization", or combinations of them, are used for this service across SURFconext, among others. Choose them carefully. Also specify whether additional processing is necessary, for example because some attributes are multi-valued and do not always contain the correct e-mail domain.
    3. This is a single-tenant service. We can make sure this instance is hidden in the Dashboards of other IdPs. On request, you can whitelist the IdP(s) that need access to your G Suite domain.
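Before uploading the certificate from step 3.5, an administrator should confirm that the file really is the SURFconext signing certificate the form expects and that it belongs to the key named in the Sign-in page URL of step 3.2 (key:20181213, matching the "engine.surfconext.nl 20181213" certificate name). The following Python script is an added example, not part of the SURFconext tutorial or of any Google or SURFconext tooling. It uses only the standard library to decode the PEM, walk the DER structure and report the subject and issuer name, the validity window, whether the certificate is self-signed, and its SHA-256 fingerprint, which you can compare with the value shown on https://metadata.surfconext.nl/. The embedded certificate is the one printed in step 3.5; the function names are mine.

```python
"""Added example (not from the SURFconext tutorial): inspect the signing
certificate from step 3.5 using only the Python standard library."""
import base64, hashlib, re
from datetime import datetime, timezone

# Sample input: the certificate printed in step 3.5 of the tutorial.
SURFCONEXT_PEM = """-----BEGIN CERTIFICATE-----
MIID7DCCAtSgAwIBAgIJAIgMqnMYZ+t6MA0GCSqGSIb3DQEBCwUAMIGFMQswCQYD
VQQGEwJOTDEQMA4GA1UECAwHVXRyZWNodDEQMA4GA1UEBwwHVXRyZWNodDEVMBMG
A1UECgwMU1VSRm5ldCBCLlYuMRMwEQYDVQQLDApTVVJGY29uZXh0MSYwJAYDVQQD
DB1lbmdpbmUuc3VyZmNvbmV4dC5ubCAyMDE4MTIxMzAeFw0xODEyMTMxNTI5MjBa
Fw0yMzEyMTMxNTI5MjBaMIGFMQswCQYDVQQGEwJOTDEQMA4GA1UECAwHVXRyZWNo
dDEQMA4GA1UEBwwHVXRyZWNodDEVMBMGA1UECgwMU1VSRm5ldCBCLlYuMRMwEQYD
VQQLDApTVVJGY29uZXh0MSYwJAYDVQQDDB1lbmdpbmUuc3VyZmNvbmV4dC5ubCAy
MDE4MTIxMzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALPOGS+fBERf
mWiV8aV85z45QsuFw3gkq0HbWR1JGz7cjqhjV6YZHFXyRt4ikG//9BIHS0xc/cW1
sOMnSuCjDhY8Oh/dOk01zfgFXUcv+0iNlkEKGMlT/xJpIDIy/N4WjpGvkJO2oJHf
rQUY115Du56MSMqd0gPvo1OsDvXroYivqxYpTTHzaf5TYQYPf6n/3rEfsu3u6L3p
zE3/q38jnEyxfQ1UoZ9VF2Fy6oe/StlwhPUJhVwHlKDMqQ+T+tljDt26Ok9QL3zz
W9JtBo+pnydMT/rg5h7NW8A9HASLnRLK8rFD9nBEdAPkK+elTE6QddRiTh9H84KC
s0fQiiT6YFsCAwEAAaNdMFswHQYDVR0OBBYEFAJuZa7u0f0o2kB9uRPoB/ekx04s
MB8GA1UdIwQYMBaAFAJuZa7u0f0o2kB9uRPoB/ekx04sMAsGA1UdDwQEAwIHgDAM
BgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQBXh5l8u+ncPXkMyDqDuikN
Le/X5j0KNjvqUtQ6QPRSt8MMvjRYWZdVC0gMOtKEAY1/cYnA2y+0yrGqmy9I/zBd
LV73BBLnVlV2WYATYOZLWNW36kjBtdSbH0oXBp7HOu/I4lP+Sv69eRN6p2/9CmDy
Kc5JUpXU3PEftv5Lwsqco8MMqqENhwzYlxRb96LFq08Un2QQoV60HqX4Ks79qUrn
jRL5pKtoP4ujLmPqQIieHpTgsvHSqSa+9tZMnyEaJEvl7vpNn1M7v1bWOWwjQvMl
YnSq5b0U5gHXgpdBYSfWnCwwpq4h8KHZ7/XVvOVsdYpjHap+907OGhqXGBsIqf9U
-----END CERTIFICATE-----"""
# Sign-in page URL from step 3.2; its key:<id> suffix names the signing key.
SIGN_IN_URL = "https://engine.surfconext.nl/authentication/idp/single-sign-on/key:20181213"
OID_COMMON_NAME = bytes.fromhex("550403")  # id-at-commonName, 2.5.4.3

def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour and base64-decode the DER body."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if not m: raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()))

def read_tlv(buf: bytes, pos: int):
    """Read one DER tag-length-value at pos; return (tag, value, end_offset)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(value: bytes):
    """Yield the (tag, value) pairs directly inside a constructed value."""
    pos = 0
    while pos < len(value):
        tag, inner, pos = read_tlv(value, pos)
        yield tag, inner

def common_name(name: bytes) -> str:
    """Name ::= SEQUENCE OF SET OF SEQUENCE { type OID, value }; return the CN."""
    for _, rdn in children(name):
        for _, atv in children(rdn):
            (_, oid), (_, value) = children(atv)
            if oid == OID_COMMON_NAME:
                return value.decode("utf-8")
    raise ValueError("no commonName present")

def parse_time(tag: int, value: bytes) -> str:
    """UTCTime (tag 0x17, YYMMDDhhmmssZ) or GeneralizedTime (YYYYMMDDhhmmssZ) to ISO 8601."""
    s = value.decode("ascii")
    if tag == 0x17:  # RFC 5280: YY >= 50 means 19YY, otherwise 20YY
        yy = int(s[:2])
        s = f"{yy + (1900 if yy >= 50 else 2000)}{s[2:]}"
    return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc).isoformat()

def inspect_certificate(pem: str) -> dict:
    """Return subject/issuer CN, serial, validity window and SHA-256 fingerprint."""
    der = pem_to_der(pem)
    _, cert, _ = read_tlv(der, 0)                    # Certificate ::= SEQUENCE
    fields = children(next(children(cert))[1])       # tbsCertificate fields, in order
    head = [next(fields) for _ in range(6)]          # [version], serial, alg, issuer, validity, subject
    if head[0][0] != 0xA0: head = [None] + head[:5]  # version is optional; keep positions aligned
    _, serial, _alg, issuer, validity, subject = head
    nb, na = children(validity[1])
    return {"subject_cn": common_name(subject[1]), "issuer_cn": common_name(issuer[1]),
            "serial_hex": serial[1].hex(), "self_signed": issuer[1] == subject[1],
            "not_before": parse_time(*nb), "not_after": parse_time(*na),
            "sha256_fingerprint": hashlib.sha256(der).hexdigest()}

def key_matches_sign_in_url(subject_cn: str, sign_in_url: str) -> bool:
    """The key:<id> in the Sign-in URL must name the certificate being uploaded."""
    m = re.search(r"/key:(\d+)$", sign_in_url)
    return m is not None and subject_cn.endswith(" " + m.group(1))

def is_valid_at(info: dict, when_iso: str) -> bool:
    """True if the ISO 8601 timestamp lies inside the certificate's validity window."""
    t = datetime.fromisoformat
    return t(info["not_before"]) <= t(when_iso) <= t(info["not_after"])

if __name__ == "__main__":
    info = inspect_certificate(SURFCONEXT_PEM)
    print(info, "key id matches URL:", key_matches_sign_in_url(info["subject_cn"], SIGN_IN_URL),
          "valid now:", is_valid_at(info, datetime.now(timezone.utc).isoformat()))
```

The certificate is self-signed, so G Suite trusts it only because you uploaded it: fetch it from https://metadata.surfconext.nl/ over HTTPS and compare the fingerprint the script prints with the one shown there, rather than accepting a copy pasted into an e-mail or wiki. The same script is worth re-running whenever the key:<id> in the Sign-in page URL changes, since a new key identifier must always be accompanied by the upload of the matching certificate and the old one has a fixed notAfter date.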