6.3 Configuring SSO with Google (SAML)

If your organisation uses Google, you can configure Google as an Identity Provider (IdP) to provide SSO access to various Thredd services, such as Thredd Portal. This page describes the steps for setting up SSO using the Security Assertion Markup Language (SAML) 2.0 protocol.

As a client, you are expected to already have an account on the Google Admin console.

Setting up SSO is not mandatory, but is recommended.

6.3.1 Summary of Steps

The steps involve:

  • Creating a SAML app for your SSO connection to Thredd services.
  • Choosing either to download the IdP metadata or to add configuration details supplied by Thredd. If you add configuration details from Thredd, you enter the SSO URL and the Entity ID.
  • Mapping fields associated with the users defined by Google to those used by your app.
  • Assigning access permission on your app.

6.3.2 Configuring SSO

  1. Log in to the Google Admin console.
  2. Select Apps > Web and mobile apps.
  3. Click Add app and select Add custom SAML app.
  4. Enter a name for the app that accesses Thredd services in App name and click Continue. The next page appears.
  5. To download the metadata, click Download Metadata and save the file. Then share the file with Thredd. Once done, go to step 7.
  6. To include entity ID and URL details:
    1. Enter the URL in SSO URL.
    2. Enter the Entity ID in Entity ID. A certificate and a SHA-256 fingerprint appear. These are generated automatically by the console.
  7. Click Continue.
  8. Configure attribute mapping:
    1. Click the Add Mapping button.
    2. Select a group in Google directory attributes and choose a group in App attributes.
    3. To add another entry, click the Add Mapping button again and repeat the step for choosing both attributes.

The following shows an example.

  9. Click Finish.
  10. Once completed, select access permission options (see the following procedure).
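Before sharing the downloaded IdP metadata (step 5) or comparing the SHA-256 fingerprint the console shows (step 6), it is worth confirming what the file actually contains. The following Python is an added example, not Thredd's or Google's code: it parses a constructed metadata file in the shape the Google Admin console produces, extracts the Entity ID, SSO URL and signing certificate, rejects a non-HTTPS SSO endpoint, and computes the certificate's SHA-256 fingerprint for comparison with the console; the idpid value and the certificate body are placeholders.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
CERT = "ds:KeyInfo/ds:X509Data/ds:X509Certificate"

# Constructed sample in the shape the Google Admin console downloads. The idpid is a
# placeholder and the "certificate" is base64("abc") to keep the example short.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://accounts.google.com/o/saml2?idpid=EXAMPLE_IDP_ID">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data><ds:X509Certificate>YWJj</ds:X509Certificate></ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://accounts.google.com/o/saml2/idp?idpid=EXAMPLE_IDP_ID"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def cert_fingerprint_sha256(der: bytes) -> str:
    """SHA-256 over the DER certificate, colon-separated as the admin console shows it."""
    hexdigest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def parse_idp_metadata(xml_text: str) -> dict:
    """Return the entity ID, SSO endpoints and signing-cert fingerprint of IdP metadata."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata")
    # Prefer the key marked for signing; a KeyDescriptor with no 'use' serves both roles.
    cert = idp.find("md:KeyDescriptor[@use='signing']/" + CERT, NS)
    if cert is None:
        cert = idp.find("md:KeyDescriptor/" + CERT, NS)
    if cert is None or not cert.text:
        raise ValueError("no X509Certificate: assertion signatures could not be verified")
    der = base64.b64decode("".join(cert.text.split()))
    sso = {}
    for svc in idp.findall("md:SingleSignOnService", NS):
        location = svc.get("Location", "")
        if not location.startswith("https://"):  # never accept a plaintext SSO endpoint
            raise ValueError("SSO endpoint is not HTTPS: " + location)
        sso[svc.get("Binding", "").rsplit(":", 1)[-1]] = location
    return {"entity_id": root.get("entityID"), "sso_urls": sso,
            "signing_cert_sha256": cert_fingerprint_sha256(der)}
```

Run it against the real downloaded file and check that the printed fingerprint matches the one the console displays before sending the file on.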

Setting Access Permission Options

You can grant access to the app to everyone who holds a Google account in your organisation, to members of specific Google groups, or to specific organisational units. An organisational unit is a named organisation within Google.

  1. To provide access to anyone who holds a corporate Google account, select All users in this account on the left hand menu. Then choose ON for everyone in the main screen.
  2. To provide access to members of a selected group:
    1. Select Groups on the left hand menu.
    2. Select a group.
    3. Select ON for everyone in the main screen.
  3. To provide access to members of specific Organisational units:
    1. Select Organisational units on the left hand menu.
    2. Select an Organisational unit.
    3. Select ON for everyone in the main screen.