...
- Login to the Google G Suite administrative interface located at https://admin.google.com/myuniversity.com
- Go to Security → Set up single sign-on (SSO)
- Configure the fields as follows (see the screenshot below):
- Check the "Setup SSO with third party identity provider" checkbox
Sign-in page URL: https://engine.surfconext.nl/authentication/idp/single-sign-on/key:20181213
Sign-out page URL: https://engine.surfconext.nl/logout
This will destroy the user's login session at SURFconext. However, the user is likely to have other active sessions that would allow them to re-enter G Suite without providing a username and password. The strong security advice is therefore to close the browser, which destroys all of the user's session cookies and effectively logs the user out. The sign-out page itself is an informative page telling the user to log out by closing their browser.
- Change Password URL
This field should point to your institution's change password page. See also the section below.
- Verification Certificate
Upload a file containing the SURFconext signing certificate (the engine.surfconext.nl 20181213 certificate). You can download it from https://metadata.surfconext.nl/, where it is listed under Security. G Suite uses this certificate to verify the signature on the SAML assertions it receives from SURFconext, so when SURFconext rotates its signing certificate this file must be replaced.
- Use a domain specific issuer
Make sure to check this box. This enables SURFconext to distinguish between all connected G Suite domains.
- Register your G Suite domain with SURFconext using the SP Dashboard. Send an email to support@surfconext.nl to gain access to the dashboard. Make sure you have the following at hand:
- There is no metadata file in G Suite. Please contact support@surfconext.nl if you are uncertain about what to use in the SP Dashboard.
- The attribute(s) used to provision your users to G Suite. You can review the available attributes here. Attributes such as "urn:mace:dir:attribute-def:mail", "urn:mace:dir:attribute-def:uid" and "urn:mace:terena.org:attribute-def:schacHomeOrganization", or combinations of them, are used for this service across SURFconext. Choose them carefully. Also specify whether additional processing is necessary, for example because some attributes are multi-valued and do not always contain the correct email domain.
- This is a Single Tenant service. We can make sure this instance is hidden in the Dashboards of other IdPs. On request you can whitelist the IdP(s) that need access to your G Suite domain.
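As an added example (not SURFconext's or Google's code), this is the kind of attribute processing the last bullet asks you to specify: picking a single address in the G Suite domain out of a multi-valued mail attribute, and refusing to guess when none or several values match. The attribute dictionary shape, the exact-domain rule and the sample values are assumptions.

```python
from typing import Dict, List, Optional

# SURFconext attribute name for mail, as named on this page.
MAIL = "urn:mace:dir:attribute-def:mail"


def _in_domain(address: str, domain: str) -> bool:
    """True if address is local@domain with exactly the expected domain.
    A subdomain or a look-alike such as domain.example.net is rejected."""
    local, sep, host = address.rpartition("@")
    return bool(sep) and local != "" and host == domain


def select_gsuite_nameid(attrs: Dict[str, List[str]], gsuite_domain: str) -> Optional[str]:
    """Pick the one mail value in the G Suite domain to send as the SAML NameID.

    attrs maps attribute URN -> list of values (SAML attributes are multi-valued).
    Returns None when no value is in the domain, or when several distinct
    addresses are, so a person is never mapped onto a G Suite account by guesswork.
    """
    domain = gsuite_domain.strip().lower()
    # Normalise case so "JDoe@MyUniversity.com" and "jdoe@myuniversity.com" count once.
    candidates = {
        v.strip().lower()
        for v in attrs.get(MAIL, [])
        if _in_domain(v.strip().lower(), domain)
    }
    return candidates.pop() if len(candidates) == 1 else None


# Constructed sample attribute sets (not real users).
SAMPLE_OK = {MAIL: ["j.doe@student.myuniversity.com", "JDoe@MyUniversity.com"]}
SAMPLE_NO_MATCH = {MAIL: ["j.doe@student.myuniversity.com",
                          "jdoe@myuniversity.com.example.net"]}
SAMPLE_AMBIGUOUS = {MAIL: ["jdoe@myuniversity.com", "john.doe@myuniversity.com"]}

if __name__ == "__main__":
    for label, sample in [("ok", SAMPLE_OK), ("no match", SAMPLE_NO_MATCH),
                          ("ambiguous", SAMPLE_AMBIGUOUS)]:
        print(label, "->", select_gsuite_nameid(sample, "myuniversity.com"))
```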
...