SAML Configuration Example: Google Apps

This example illustrates how to configure Google Apps as the Identity Provider (IdP) for the Zscaler service. Refer to the Google Apps documentation for additional information about the steps in the example.

Prerequisites

Ensure that you have the following before you start the configuration:

Configuring the Zscaler Service in Google Apps

To configure the Zscaler service in Google:

  1. Log in to your Google account. Open the Google apps menu and click Admin to go to the Admin console.

Screenshot showing what button to press in order to open Google Apps

  2. In the Admin console page, click the Apps icon.

Screenshot showing which icon to press in order to open Apps

  3. In the APPS SETTINGS page, click the SAML apps icon.

Screenshot showing which icon to press in order to open SAML Apps

  4. Click Add a service/App to your domain.

Screenshot showing the link to click on in order to add a service/App to your domain.

  5. In the Enable SSO for SAML Application step, click SETUP MY OWN CUSTOM APP.

Screenshot showing which link to click on to setup custom app

  6. In the Google IdP Information step, do the following, then click NEXT.
    • Copy the SSO URL. You will paste it into the SAML Portal URL field in the Admin Portal in step 3 of Configuring the Zscaler Service for SAML below.
    • Download the Certificate. This is the IdP signing certificate the Zscaler service uses to verify Google's SAML responses; you will upload it in the same step.

Screenshot showing which URL should be copied over and a link to download the security certificate

  7. In the Basic Information for your Custom App step, specify an Application Name, then click NEXT.

Screenshot showing how to fill in basic information about your app

  8. In the Service Provider Details step, complete the following fields, and then click NEXT.
    • ACS URL: Enter the Zscaler SSO URL as https://login.<Zscaler cloud name>.net:443/sfc_sso.
      • In place of <Zscaler cloud name>, enter the name of the cloud on which your organization is provisioned. In this example, the Zscaler SSO URL is https://login.zscalerone.net:443/sfc_sso. Enter the URL exactly as shown, including the :443 port, because Google places this value in the Destination of its SAML response and the Zscaler service compares it against the expected URL.
        To learn more, see What is my cloud name?
    • Entity ID: Enter your Zscaler cloud name. In this example, the Entity ID is zscalerone.net.

Screenshot with a marked box showing to fill in the ACS URL and Entity ID

  9. In the Attribute Mapping section, click ADD NEW MAPPING to configure the following attributes, and then click FINISH.
    • In the Enter the application attribute field, enter displayName. From the category list select Basic Information, and from the attribute list select Primary Email.
    • In the Enter the application attribute field, enter department. From the category list select Employee Details, and from the attribute list select Department.
      In the example below, these values have already been entered.

Screenshot showing Attribute Mapping section with Add New Mapping button circled

  10. Click the overflow menu icon and click ON for everyone, then click TURN ON FOR EVERYONE.

Screenshot showing how to turn on the mapping for everyone

Configuring the Zscaler Service for SAML

To configure the Zscaler service, do the following:

  1. Go to Administration > Authentication Settings.
  2. From Authentication Type, choose SAML and click Configure SAML.
  3. In the Edit SAML window, enter the SSO URL in the SAML Portal URL field, and upload the certificate.

The SSO URL and the certificate are the values you copied and downloaded from the Google IdP Information window in step 6 of Configuring the Zscaler Service in Google Apps.

To learn more, see How do I configure SAML?

Configuring the Authentication Bypass List

To let users reach the Google sign-in page before they have authenticated to the Zscaler service, add the Google accounts host to the authentication bypass list:

  1. Go to Administration > Advanced Settings.
  2. In the Authentication Bypass section, add accounts.google.com to the Bypassed URLs field.
  3. Click Save and activate the change.

If you are using PAC files, also add accounts.google.com to the bypass list in the PAC files. Otherwise the browser sends the redirect to Google through the Zscaler service, which challenges the still-unauthenticated user again, and authentication never completes. Match only the exact login host; a broader pattern such as *.google.com would also take other Google traffic out of inspection.

    if (shExpMatch(host, "accounts.google.com"))
        return "DIRECT";
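The following is a complete PAC file built around that bypass. It is an added example, not Zscaler's PAC template: the gateway hostname in ZSCALER_PROXY is a placeholder, and the shExpMatch shim exists only so the file can be exercised outside a browser (PAC engines supply their own shExpMatch, and the shim is skipped when one is present). It shows that the exception is an exact host match, so lookalike hosts and other Google services still go through the Zscaler service.

```javascript
// Added example (not Zscaler's PAC template). Sends the Google IdP login host
// direct so the SAML redirect can complete before the user is authenticated,
// and forwards everything else to the Zscaler gateway. The gateway hostname
// below is a placeholder; use the one from your own Admin Portal.
var ZSCALER_PROXY = "PROXY gateway.example-zscaler.net:80; DIRECT";

// Hosts that must be reachable without Zscaler authentication. Keep this to
// the exact login host: a wildcard such as "*.google.com" would also pull
// Gmail, Drive and other Google traffic out of inspection.
var AUTH_BYPASS_HOSTS = ["accounts.google.com"];

// PAC engines provide shExpMatch(); this shim only lets the file run under
// Node for testing and is skipped when the browser's version is present.
// It mirrors the usual shell-glob semantics: '*' is any run, '?' one char,
// everything else (including '.') is literal, and the match is anchored.
if (typeof shExpMatch === "undefined") {
  globalThis.shExpMatch = function (str, pattern) {
    var re = "^" + pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&")
                          .replace(/\*/g, ".*")
                          .replace(/\?/g, ".") + "$";
    return new RegExp(re).test(str);
  };
}

// True only when the host exactly matches one of the bypass patterns.
function isAuthBypassed(host) {
  for (var i = 0; i < AUTH_BYPASS_HOSTS.length; i++) {
    if (shExpMatch(host, AUTH_BYPASS_HOSTS[i])) return true;
  }
  return false;
}

function FindProxyForURL(url, host) {
  // Must mirror the accounts.google.com entry made under Administration >
  // Advanced Settings > Authentication Bypass; otherwise the redirect to
  // Google is itself intercepted for authentication and the login loops.
  if (isAuthBypassed(host)) return "DIRECT";
  return ZSCALER_PROXY;
}
```

Note that accounts.google.com.evil.example and www.google.com both fall through to the proxy: the anchored, literal-dot match is what keeps the bypass from widening beyond the IdP login host.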

Testing the Configuration

If you are already logged in to the Zscaler service, browse to https://login.<Zscaler cloud name>.net/zscaler.portal (and replace <Zscaler cloud name> with your cloud name), and click Logout. To learn more, see What is my cloud name?

Ensure that your traffic is being forwarded to the Zscaler service and browse to a web site. When prompted for authentication, provide your Google login credentials to log in. If an error occurs, see SAML Troubleshooting Guidelines.