Configuring your G Suite domain with SURFconext
In this tutorial, we will use the fictional Google G Suite domain "myuniversity.com". Replace it with your institution's G Suite domain name, the one you configured when creating your G Suite instance.
Note: uploading a file in the form (the certificate) may reset other changes made in the form that have not been saved yet. Save your other changes first, or re-check the fields after the upload.
- Login to the Google G Suite administrative interface located at https://admin.google.com/myuniversity.com
- Go to Security → Set up single sign-on (SSO)
- Configure the fields as follows (see the screenshot below):
- Check the "Setup SSO with third party identity provider" checkbox
Sign-in page URL:
Sign-out page URL:
This will destroy the user's login session at SURFconext. However, the user most likely still has other active sessions that would allow them to re-enter G Suite without providing a username and password again. The strong security advice is therefore to close the browser: this destroys all of the user's session cookies and effectively logs the user out.
- Change Password URL
This field should point to your institution's change-password page. See also the section below.
Upload the file containing the SURFconext signing certificate. Use the certificate shown below, or browse to https://metadata.surfconext.nl/ where you will find it under Security (engine.surfconext.nl 20181213 certificate). The date in the name identifies the certificate generation; when SURFconext rolls over to a new signing certificate, this field has to be updated, otherwise G Suite will reject the signed responses.
- Use a domain-specific issuer
Make sure to check this box. With it checked, G Suite identifies itself to SURFconext with an issuer that contains your domain instead of the generic Google issuer, which is what allows SURFconext to distinguish between all connected G Suite domains.
- Register your G Suite domain with SURFconext using the SP Dashboard. Send an e-mail to email@example.com to gain access to the dashboard. Make sure you have the following at hand:
- There is no metadata file for G Suite. Please contact firstname.lastname@example.org if you are uncertain about what to enter in the SP Dashboard.
- The attribute(s) used to provision your users to G Suite. You can review the available attributes here. Attributes such as "urn:mace:dir:attribute-def:mail", "urn:mace:dir:attribute-def:uid" and "urn:mace:terena.org:attribute-def:schacHomeOrganization", or combinations of them, are used for this service across SURFconext. Choose them wisely. Also specify whether additional processing is necessary, for example because some attributes are multi-valued and do not always contain the correct e-mail domain.
- This is a single-tenant service. We can make sure this instance is hidden in the Dashboards of other IdPs. On request we can whitelist the IdP(s) that need access to your G Suite domain.
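As an added illustration of the two points above (the domain-specific issuer and the "additional processing" of attributes), the following Python script is not SURFconext or Google code. It assumes that, with "Use a domain specific issuer" checked, G Suite sends an Issuer of the form google.com/a/<your domain>, that attributes arrive under the URNs named on this page, and that the assertions fed to it are the constructed samples embedded in the script. It derives the G Suite login name from the attributes, preferring a mail value in the tenant's own domain (mail can be multi-valued and contain aliases in other domains), falling back to uid@schacHomeOrganization, and refusing the generic issuer because that would make every connected G Suite domain indistinguishable.

```python
"""Derive a G Suite login name from SURFconext attributes (added example).

Assumptions (not from the original page): a domain-specific Issuer looks
like "google.com/a/<domain>", and the attribute URNs below are the ones
released to the service. All sample data is constructed.
"""
from typing import Dict, List, Optional

MAIL = "urn:mace:dir:attribute-def:mail"
UID = "urn:mace:dir:attribute-def:uid"
SHO = "urn:mace:terena.org:attribute-def:schacHomeOrganization"

# Assumed format of the Issuer sent when "Use a domain specific issuer" is on.
ISSUER_PREFIX = "google.com/a/"


def tenant_from_issuer(issuer: str) -> str:
    """Return the G Suite domain encoded in a domain-specific Issuer.

    The generic issuer "google.com" is rejected: without the domain-specific
    issuer every connected G Suite tenant would present the same identity.
    """
    if not issuer.startswith(ISSUER_PREFIX):
        raise ValueError(f"issuer {issuer!r} is not domain-specific")
    domain = issuer[len(ISSUER_PREFIX):].strip().lower()
    if not domain or "/" in domain or "@" in domain:
        raise ValueError(f"issuer {issuer!r} carries no usable domain")
    return domain


def gsuite_login(issuer: str, attributes: Dict[str, List[str]]) -> Optional[str]:
    """Pick the account name to hand to G Suite, or None if none is safe.

    1. Prefer a mail value whose domain equals the tenant domain; mail is
       multi-valued and may list aliases in other domains, which must not
       be used to log in to this tenant.
    2. Otherwise use uid@schacHomeOrganization, but only when the home
       organization is the tenant domain and uid is single-valued.
    """
    domain = tenant_from_issuer(issuer)

    for value in attributes.get(MAIL, []):
        local, sep, mail_domain = value.strip().rpartition("@")
        if sep and local and mail_domain.lower() == domain:
            return f"{local}@{domain}"

    uids = [u.strip() for u in attributes.get(UID, []) if u.strip()]
    homes = [h.strip().lower() for h in attributes.get(SHO, [])]
    if len(uids) == 1 and homes and homes[0] == domain:
        return f"{uids[0]}@{domain}"

    return None


# Constructed sample attribute sets (not real users).
ALIAS_FIRST = {
    MAIL: ["j.doe@alumni.example.org", "jdoe@MyUniversity.com"],
    UID: ["jdoe"],
    SHO: ["myuniversity.com"],
}
NO_MATCHING_MAIL = {
    MAIL: ["j.doe@alumni.example.org"],
    UID: ["jdoe"],
    SHO: ["myuniversity.com"],
}
FOREIGN_HOME = {
    MAIL: ["j.doe@alumni.example.org"],
    UID: ["jdoe"],
    SHO: ["otheruniversity.com"],
}


def demo() -> Dict[str, Optional[str]]:
    """Run the three constructed cases against the myuniversity.com tenant."""
    issuer = "google.com/a/myuniversity.com"
    return {
        "alias_first": gsuite_login(issuer, ALIAS_FIRST),
        "no_matching_mail": gsuite_login(issuer, NO_MATCHING_MAIL),
        "foreign_home": gsuite_login(issuer, FOREIGN_HOME),
    }


if __name__ == "__main__":
    for case, login in demo().items():
        print(f"{case}: {login}")
```

In the SP Dashboard you describe this selection in prose; the script shows what that prose has to cover: which attribute wins, what happens when the preferred attribute carries several values in different domains, and that a user whose attributes do not yield an address in your domain is not provisioned at all.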