Configure Google as an IdP in the Cloud Identity Engine
If you use Google to authenticate users, you can configure
your Google IdP as an authentication type in the Cloud Identity Engine.
The Cloud Identity Engine does not support the ForceAuthn
attribute for Google as an IdP.
Prepare to configure Google as an IdP
in the Cloud Identity Engine.
If you have not already done so, activate the Cloud Identity
Engine app.
In the Cloud Identity Engine app, select AuthenticationSP MetadataDownload SP Metadata and Save the
metadata in a secure location.
Log in to the Google Admin Console and select AppsSAML Apps.
Select Add AppAdd custom SAML app.
Enter an App name then Continue to
the next step.
Click Download Metadata to Download
IdP metadata then Continue to
the next step.
Copy the metadata information from the Cloud Identity Engine
and enter it in the Google Admin Console as described in the following table
then Continue to the next step:
Copy from Cloud Identity Engine
Enter in Google Admin Console
Copy the Entity ID from
the SP Metadata page.
Enter it as the Entity ID.
Copy the Assertion Consumer Service
URL.
Enter the URL as the ACS URL.
Add mapping to select the Google
Directory attributes then specify the corresponding App
attributes. Repeat for each attribute you want to use
then click Finish when the changes are complete.
View details to specify the
users and groups you want to authenticate with Google and enable
the app to turn it ON for everyone then Save your
changes.
Select DirectoryUsers to specify the users
you want to authenticate using Google.
Add Google as an authentication type in the Cloud Identity Engine
app.
Select Authentication Types and
click Add New Authentication Type.
Set Up a SAML 2.0 authentication
type.
Enter a Profile Name.
Select Google as your Identity
Provider Vendor.
Select the method you want to use to Add Metadata and Submit the
profile.
If you want to enter the information manually, copy the identity provider ID and SSO URL,
download the certificate, then enter the information in the Cloud
Identity Engine.
In the Google Admin Console, select the Cloud Identity Engine
app and Download Metadata.
Click Download Metadata then copy the
necessary information from Google and enter it in the Cloud
Identity Engine app as indicated in the following table:
Copy or Download from Google
Admin Console
Enter in Cloud Identity Engine
IdP Profile
Copy the Entity
ID.
Enter it as the
Identity Provider
ID.
Download
the Certificate.
Click to
Upload the certificate from
Google.
Copy the SSO
URL.
Enter the URL as the
Identity Provider SSO
URL.
If you want to upload a metadata file, download the metadata
file from your IdP management system.
In the Google Admin
Console, select the Cloud Identity Engine app and Download
Metadata.
Click Download Metadata and Save the
file to a secure location.
In the Cloud Identity Engine app, select Upload Metadata then click
Browse files to select the metadata
file then Open the metadata file.
To use the Get URL method, copy the URL from your
IdP and enter it in Cloud Identity Engine.
Log in to the Google portal using your administrator
credentials.
Copy the SSO URL and store it in a secure
location.
In the Cloud Identity Engine, select Get
URL and paste the URL as the Identity
Provider Metadata URL.
Click Get URL to confirm the URL and
populate the Identity Provider ID and
Identity Provider SSO URL.
If you don't want to
enter the configuration information now, you can Do it
later. This option allows you to submit the profile
without including configuration information. However, you must edit the
profile to include the configuration information to use the
authentication type in an authentication profile.
Select the HTTP Binding for SSO Request to IdP method
you want to use for the SAML binding that allows the firewall and IdP to
exchange request and response messages:
HTTP Redirect—Transmit SAML messages through URL
parameters.
HTTP Post—Transmit SAML messages using
base64-encoded HTML.
Specify the Maximum Clock Skew (seconds), which is the
allowed difference in seconds between the system times of the IdP and the
firewall at the moment when the firewall validates IdP messages (default is 60;
range is 1–900). If the difference exceeds this value, authentication
fails.
To require users to log in using their credentials to reconnect to
GlobalProtect, enable Force Authentication.
Test SAML setup to verify the
profile configuration.
This step is necessary to confirm that your firewall and IdP can
communicate.
Select the SAML attributes you want the firewall to use
for authentication and Submit the IdP profile.
Select the Username Attribute and optionally,
the Usergroup Attribute, Access Domain, User
Domain, and Admin Role.