
This article describes how to enable multi-factor authentication for the G Suite applications from Google. The configuration is done in two steps: first in Nexus Hybrid Access Gateway, and then in the Google admin console.


Prerequisites

  • Installed Hybrid Access Gateway
  • User accounts and authentication methods configured. See also: Set up Personal authentication.
  • An access rule (called, for example, Google Apps) that requires strong authentication, with for example Personal Mobile as the authentication method.
  • Details for SAML federation:
    • Signing certificate for the SAML identity provider
    • EntityID for the service provider and identity provider
    • Redirect URL for the service provider

Configure G-Suite in Hybrid Access Gateway

In Hybrid Access Gateway, configure the settings needed for the G Suite applications from Google.

 Go to Hybrid Access Gateway admin interface
  1. Log in to the Hybrid Access Gateway admin interface.
 Check certificate
  1. Go to Manage system > Certificates
  2. Scroll down to Registered Server Certificates
  3. Verify that the certificate to be used is available, for example: idp-cert.
 Add SAML federation
  1. Go to Manage Resource Access > SAML Federation.
  2. Click Add SAML Federation...
  3. Enter a Display Name, for example Google IDP.
  4. Check Acting as Identity Provider.
  5. Uncheck Import metadata automatically, since Google doesn’t use metadata as service provider.
  6. Go to the Export tab.
  7. Give a unique Entity ID: for example https://nexusville.com/cloudidp.
  8. Select the Signing Certificate, for example idp-cert.
 Add service provider
  1. Go to the Role Identity Provider tab.
  2. Add a service provider, to tell Hybrid Access Gateway where the Google Service Provider is located:
    Click Add Service Provider…
  3. Verify that SAML 2.0 is checked. Click Next >
  4. Configure the General Settings, for example enter a Display Name. The Entity ID must be unique within the federation. The Service Provider URL is where the IdP redirects the user after successful authentication, so it must be an exact match with the Google domain.

    Example: General settings

    Display Name: G Suite
    Entity ID: google.com/a/nexusville.com
    Service Provider URL: https://www.google.com/a/nexusville.com/acs

    Click Next >

  5. Set email as the unique identifier for the user, since that is what Google uses. This is used when Hybrid Access Gateway sends a SAML ticket to Google.
    In Subject > Select source of subject: select E-mail.

    The Manage Access Rules window opens.
  6. Select the already created access rule (for example called Google Apps), to define what authentication methods are allowed:
    In Available Access Rules: select Google Apps, and click Add >
  7. Click Finish Wizard to finish creating the Service Provider G Suite.
  8. Click Add to add the SAML Federation Google IDP.
 Publish updates
  1. Click Publish to publish the updates.
  2. The configuration in Hybrid Access Gateway is ready.
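As an added pre-flight check (example code, not part of Nexus Hybrid Access Gateway or Google), the following Python script verifies that a SAML Response from the identity provider carries the values entered above: Destination equals the Service Provider URL, Audience equals the Service Provider Entity ID, Issuer equals the IdP Entity ID, and the subject NameID is an e-mail address in the G Suite domain. The response XML is a constructed sample using this page's nexusville.com example values, not a real capture.

```python
"""Check that an IdP-issued SAML Response matches the federation settings.
Added example; the XML below is constructed and carries only the fields
relevant to the checks (no signature)."""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Values from the example configuration on this page (assumed as entered).
EXPECTED = {
    "sp_entity_id": "google.com/a/nexusville.com",
    "acs_url": "https://www.google.com/a/nexusville.com/acs",
    "idp_entity_id": "https://nexusville.com/cloudidp",
    "domain": "nexusville.com",
}

# Constructed sample of the response the IdP posts to Google's ACS URL.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    Destination="https://www.google.com/a/nexusville.com/acs">
  <saml:Issuer>https://nexusville.com/cloudidp</saml:Issuer>
  <saml:Assertion>
    <saml:Subject><saml:NameID>alice@nexusville.com</saml:NameID></saml:Subject>
    <saml:Conditions>
      <saml:AudienceRestriction>
        <saml:Audience>google.com/a/nexusville.com</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def check_response(xml_text, expected=EXPECTED):
    """Return a list of mismatches between the response and the expected settings."""
    root = ET.fromstring(xml_text)
    problems = []
    # Destination must exactly match the Service Provider URL (Google's ACS).
    if root.get("Destination") != expected["acs_url"]:
        problems.append("Destination does not match Service Provider URL")
    # Issuer is the identity provider's Entity ID from the Export tab.
    if root.findtext("saml:Issuer", namespaces=NS) != expected["idp_entity_id"]:
        problems.append("Issuer does not match the IdP Entity ID")
    # Subject source was set to E-mail, so NameID must be a mailbox in the domain.
    name_id = root.findtext(".//saml:Subject/saml:NameID", namespaces=NS)
    if not name_id or not name_id.endswith("@" + expected["domain"]):
        problems.append("NameID is not an e-mail address in the G Suite domain")
    # Audience must name the service provider's Entity ID.
    audiences = [a.text for a in root.iterfind(".//saml:Audience", namespaces=NS)]
    if expected["sp_entity_id"] not in audiences:
        problems.append("Audience does not match the Service Provider Entity ID")
    return problems
```

Run `check_response` on a response captured from a test login with the browser's SAML tracing tools before publishing the federation; an empty list means the four values agree.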

Configure in Google admin console

Set up Google to use Hybrid Access Gateway as a third-party identity provider.

 Log in to the G Suite admin console
  1. Log in to Google admin console:
    Go to https://accounts.google.com and log in with an administrator account.
 Set up single sign-on (SSO)
  1. Click Security, to go to the security settings.
  2. Click Set up single sign-on (SSO).
  3. Scroll down, and check Setup SSO with third party identity provider, where Hybrid Access Gateway is the third-party identity provider.
  4. In Sign-in page URL, enter the URL of your Hybrid Access Gateway login page.
  5. In Sign-out page URL, enter the URL of your Hybrid Access Gateway logout resource.
  6. If you use a password-based authentication method, enter in Change password URL the URL of your Hybrid Access Gateway page for changing or resetting passwords.

    Example Google SSO settings

    Sign-in page URL: https://ag3.nexusville.com/wa/auth/saml/

    Sign-out page URL: https://ag3.nexusville.com/wa/_prelogout.html

    Change password URL: https://ag3.nexusville.com/wa/auth
 Upload certificate
  1. Upload your signing certificate, that is, the certificate that you use to sign the SAML ticket:
    Under Verification certificate, click CHOOSE FILE.
  2. Select (the public part of) the identity provider certificate, for example: google-idp-cert.crt.
  3. Click SAVE.
  4. The configuration in the Google admin console is ready.