SAML Configuration Guide for Google Apps

This guide illustrates how to configure Google Apps as the Identity Provider (IdP) for the Zscaler service. See the Google Apps documentation for additional information about the steps in the example.

Prerequisites

Ensure that you have the following to configure Google Apps as the IdP:

  • Google Apps account with admin privileges
  • The Zscaler public certificate (See Configuring SAML)

Configuring Google Apps as the IdP for the Zscaler Service

To configure Google Apps as the IdP for the Zscaler Service, complete the following procedures in order:

  1. Configure the Zscaler Service in Google Apps
  2. Configure SAML in the Zscaler Admin Portal
  3. Configure the Zscaler Authentication Exemptions list

Testing the SAML Configuration

To test the SAML configuration with Google Apps:

  1. If you're already logged in to the Zscaler service, browse to https://login.<Zscaler Cloud>.net/zscaler.portal, and click Logout. Replace <Zscaler Cloud> with your Zscaler cloud name. To learn how you can find your cloud name, see What is my cloud name?
  2. Ensure that your traffic is being forwarded to the Zscaler service and then browse to a website.
  3. When prompted for authentication, enter your Google login credentials.

Troubleshooting

If any errors occur, see Troubleshooting SAML to troubleshoot browser settings and SAML error codes.

To configure the Zscaler service in Google Apps:

  1. Log in to your Google account. Open the Google apps menu, then click the Admin app to go to the Admin console.
    [Screenshot: the button to press to open Google Apps]
  2. In the Admin console page, click Apps.
    [Screenshot: the Apps icon]
  3. In the Apps page, click SAML apps.
    [Screenshot: the SAML apps icon]
  4. In the SAML apps page, click Add a service/App to your domain.
    [Screenshot: the Add a service/App to your domain link]
  5. In the Enable SSO for SAML Application step, click SETUP MY OWN CUSTOM APP.
    [Screenshot: the SETUP MY OWN CUSTOM APP link]
  6. In the Google IdP Information step, do the following, then click NEXT.
    [Screenshot: the SSO URL to copy and the link to download the certificate]
    • SSO URL: Copy the SSO URL to your clipboard. You will paste it into the SAML Portal URL field in 2. Configure SAML in the Zscaler Admin Portal.
    • Certificate: Download the Google IdP SSL certificate. Navigate to the certificate file, and ensure the following:
      • The certificate file name has a .pem extension (for example, rename it to googleapps.pem). The Zscaler service only accepts certificates with the .pem extension.
      • The file name contains one dot (".") only.

You will upload this file as the Public SSL Certificate in 2. Configure SAML in the Zscaler Admin Portal.

  7. In the Basic Information for your Custom App step, enter an Application Name (e.g., Zscaler), then click NEXT.
    [Screenshot: the Basic Information fields for the app]
  8. In the Service Provider Details step, do the following, then click NEXT.
    [Screenshot: the ACS URL and Entity ID fields]
    • ACS URL: Enter the following Zscaler SSO URL:
        https://login.<Zscaler Cloud>:443/sfc_sso
      Replace <Zscaler Cloud> with the name of the cloud your organization is provisioned on. In this example, the Zscaler SSO URL is https://login.zscalerone.net:443/sfc_sso. To learn how you can find your cloud name, see What is my cloud name?
    • Entity ID: Enter your Zscaler cloud name. In this example, it's zscalerone.net. To learn how you can find your cloud name, see What is my cloud name?
  9. In the Attribute Mapping step, do the following:
    1. Click ADD NEW MAPPING.
      [Screenshot: the Attribute Mapping section with the ADD NEW MAPPING button]
    2. In the Enter the application attribute field, configure the following attributes:
      • Enter "displayName", and select Basic Information and Primary Email.
      • Enter "department", and select Employee Details and Department.
    3. Click FINISH.
  10. Click the overflow menu, click ON for everyone, then click TURN ON FOR EVERYONE.
    [Screenshot: turning on the app for everyone]

To configure SAML in the Zscaler Admin Portal:

  1. In the Zscaler Admin Portal, go to Administration > Authentication Settings.
  2. Under Authentication Type, choose SAML, then click Configure SAML. The Configure SAML window appears.
  3. In the Configure SAML window:
    • SAML Portal URL: Enter the Google SSO URL that you copied in the Google IdP Information step of 1. Configure the Zscaler Service in Google Apps.
    • Public SSL Certificate: Upload the Google IdP SSL certificate that you downloaded in the Google IdP Information step of 1. Configure the Zscaler Service in Google Apps. Ensure the following:
      • The certificate file name has a .pem extension (for example, rename it to googleapps.pem). The Zscaler service only accepts certificates with the .pem extension.
      • The file name contains one dot (".") only.
    • Sign SAML Request: Disable this option. Google Apps doesn't support signed SAML requests from the service provider.
  4. Click Save to exit the window.
  5. Click Save and activate the change.

To learn more about the other SAML settings, see Configure SAML.

To configure the Zscaler Authentication Exemptions list and allow users to access Google Apps:

  1. Go to Administration > Advanced Settings.
  2. In the Authentication Exemptions section, enter "accounts.google.com" in Exempted URLs.
  3. Click Save and activate the change.

If you are using PAC files, add the following exception to the PAC file as well. Otherwise, authentication will fail.

      // Send the Google sign-in host directly, bypassing the proxy
      if (shExpMatch(host, "accounts.google.com")) {
          return "DIRECT";
      }
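As an added example (not from this guide), the following is a minimal PAC file that carries the exception above, together with a small stand-in for the PAC built-in shExpMatch() so the routing decision can be checked offline in Node. The proxy address gateway.example.net:80 is a placeholder, not a real Zscaler gateway; the sample hosts are constructed and show that the match is exact, so subdomains and lookalike hosts are still proxied.

```javascript
// Added example, not part of the Zscaler guide. PROXY is a placeholder for
// your real gateway; the guide does not name one.
const PROXY = "PROXY gateway.example.net:80";

// Stand-in for the PAC built-in shExpMatch(): shell-style glob with '*' and
// '?' only, anchored so the pattern must match the whole host string.
function shExpMatch(str, pattern) {
  const re = pattern
    .replace(/[.+^${}()|[\]\\]/g, "\\$&") // escape regex metacharacters
    .replace(/\*/g, ".*")
    .replace(/\?/g, ".");
  return new RegExp("^" + re + "$").test(str);
}

// The PAC entry point the browser calls for every request.
function FindProxyForURL(url, host) {
  // Google sign-in must reach Google directly; as the guide notes,
  // authentication fails if this host is sent through the proxy.
  if (shExpMatch(host, "accounts.google.com")) {
    return "DIRECT";
  }
  // Everything else goes to the proxy, which enforces SAML authentication.
  return PROXY;
}

// Route a list of hosts and return {host: decision} for inspection.
function routeAll(hosts) {
  const out = {};
  for (const h of hosts) out[h] = FindProxyForURL("https://" + h + "/", h);
  return out;
}

// Constructed sample hosts: only the exact IdP host is bypassed.
console.log(routeAll([
  "accounts.google.com",
  "www.google.com",
  "accounts.google.com.example.net",
  "login.accounts.google.com",
]));
```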
