.. title:: Google GSuite SAML Setup

Google GSuite SAML Setup
=========================

Create a new SAML configuration in Kasm
---------------------------------------

1. Log into the Kasm UI as an administrator.
2. Select **Authentication** -> **SAML** -> **Create New Configuration**.
3. The **SAML 2.0 Configuration** page will auto-generate the **Entity ID**, **Single Sign On Service**, **Single Logout Server**, and **Relay State** values.
4. Check **Enable** and enter a **Display Name**, e.g. Gsuite.
5. Update the following settings:

+-----------------------------+--------------------------------------------+
| **Setting**                 | **Value**                                  |
+-----------------------------+--------------------------------------------+
| NameID Attribute            | emailAddress                               |
+-----------------------------+--------------------------------------------+
| Want Attribute Statement    | Unchecked                                  |
+-----------------------------+--------------------------------------------+
| Want Message Signed         | Checked                                    |
+-----------------------------+--------------------------------------------+
| Want Name ID                | Checked                                    |
+-----------------------------+--------------------------------------------+
| Signature Algorithm         | rsa-sha256                                 |
+-----------------------------+--------------------------------------------+
| Digest Algorithm            | sha256                                     |
+-----------------------------+--------------------------------------------+

6. Leave this page open and continue to the next steps.

Add a new application in GSuite
-------------------------------

1. Open the **Google Admin** console and select **Apps**.

.. figure:: /images/saml/gsuite/portal.png
    :width: 70%
    :align: center

    **Google Portal**

2. Select **SAML apps**.

.. figure:: /images/saml/gsuite/saml_apps.png
    :width: 90%
    :align: center

    **SAML Apps**

3. Click the *Plus* button to add a new SAML app.

.. figure:: /images/saml/gsuite/plus.png
    :width: 30%
    :align: center

    **Add Applications**

4. Click **Setup My Own Custom App**.

.. figure:: /images/saml/gsuite/setup_app.png
    :width: 70%
    :align: center

    **Setup Custom App**

5. Copy the Google IdP entries to the **Identity Provider** section of the Kasm SAML Configuration started in the previous section.

+------------------------+--------------------------------------------+
| **Kasm Property Name** | **GSuite Property Name**                   |
+------------------------+--------------------------------------------+
| Entity ID              | Entity ID                                  |
+------------------------+--------------------------------------------+
| Single Sign On Service | SSO URL                                    |
+------------------------+--------------------------------------------+

.. figure:: /images/saml/gsuite/g_idp.png
    :width: 70%
    :align: center

    **Google IdP Information**

6. Click **Download** to download the **Certificate** from the Google IdP Information form. Open the certificate file in a text editor. Copy the contents and paste them into the **x509 Certificate** field in the **Identity Provider** section of the Kasm SAML Configuration.

.. figure:: /images/saml/gsuite/certificate.png
    :width: 70%
    :align: center

    **Identity Provider Configuration**

7. Click **Next** in the **Google IdP Information** window to be taken to the **Basic Information for your Custom App** section. Enter an **Application Name** (e.g. Kasm) and click **Next**.

.. figure:: /images/saml/gsuite/basic_info.png
    :width: 70%
    :align: center

    **Basic Information**

8. Copy the Kasm SAML configuration values from the **Service Provider** section into the GSuite **Service Provider Details** section.

+-----------------------------------------------+--------------------------------------------+
| **Kasm Property Name**                        | **GSuite Property Name**                   |
+-----------------------------------------------+--------------------------------------------+
| Entity ID                                     | Entity ID                                  |
+-----------------------------------------------+--------------------------------------------+
| Single Sign On Service                        | ACS URL                                    |
+-----------------------------------------------+--------------------------------------------+
| https:///#/staticlogin                        | Start URL                                  |
| e.g :code:`https://kasm.server/#/staticlogin` |                                            |
+-----------------------------------------------+--------------------------------------------+

9. Ensure the following settings are configured in the GSuite **Service Provider Details**. Select **Next**.

+------------------------+--------------------------------------------+
| **Setting**            | **Value**                                  |
+------------------------+--------------------------------------------+
| Signed Response        | Checked                                    |
+------------------------+--------------------------------------------+
| Name ID                | Basic Information / Primary Email          |
+------------------------+--------------------------------------------+
| Name ID Format         | EMAIL                                      |
+------------------------+--------------------------------------------+

.. figure:: /images/saml/gsuite/service_provider_details.png
    :width: 70%
    :align: center

    **Service Provider Details**

10. No additional configurations are needed on the **Attribute Mapping** page. Select **Finish**.
11. Review the final Kasm SAML Configuration form. Click **Submit** to save.

.. figure:: /images/saml/gsuite/final_kasm_config.png
    :width: 70%
    :align: center

Enabling Access for Users
-------------------------

Once the Kasm SAML app is configured in GSuite, access must be granted to Google users.

1. From the **Google Admin** console, select **Apps** -> **SAML Apps** -> **Kasm**.
2. Select **Edit Service**.

.. figure:: /images/saml/gsuite/edit_service.png
    :width: 70%
    :align: center

    **Edit Service**

3. Select **All users in this account** or the desired Organizational Units or Groups, select **ON for everyone**, and click **Save**.

.. figure:: /images/saml/gsuite/access.png
    :width: 70%
    :align: center

    **Giving App Access**

Mapping Users
-------------

At this time, GSuite does not allow group membership to be passed in SAML assertions. However, Kasm Workspaces has an option that automatically maps every user who authenticates against a SAML IdP to a Kasm group.

1. Log into the Kasm UI as an administrator.
2. Select **Groups**, then click **Create New Group**.
3. Enter a **Name** and **Priority**.
4. Save the new group by clicking **Submit**.

.. figure:: /images/groups/create_group.png
    :width: 70%
    :align: center

5. On the groups screen, use the three-dot menu to select **View** on the group that was just created.
6. Scroll to the bottom of the screen and select **Add SSO Mapping**.
7. For the **SSO Provider**, select the SAML IdP that was created above, e.g. "SAML - Gsuite".
8. Check the **Assign All Users** check box.
9. Click **Add**.

.. figure:: /images/saml/gsuite/saml_group.png
    :width: 70%
    :align: center

10. Log in via SAML and confirm that the user is automatically placed in the Kasm group.

Testing Access
--------------

1. Log out of the Kasm UI if already logged in.
2. Navigate to the Kasm UI login page.

.. figure:: /images/saml/gsuite/kasm_login.png
    :width: 70%
    :align: center

    **Kasm Login**

3. Click **Gsuite** to initiate the SAML SSO process.

.. figure:: /images/saml/gsuite/google_login.png
    :width: 70%
    :align: center

    **Google Login**

4. After logging in, you should be redirected to the Kasm UI Dashboard.
5. From another browser, log in to Google. Click the Google Apps icon in the top right corner. Scroll down and click **Kasm**. You should be logged into the Kasm UI Dashboard.

.. figure:: /images/saml/gsuite/google_app.png
    :width: 50%
    :align: center