Nile Integration with Google Workspace for SSO Setup
This document covers the setup of SAML federation between Nile (Okta) as a Service Provider (SP) and Google Workspace as an Identity Provider (IdP).

Requirements

- Administrator rights to the Nile portal
- Administrator rights to Google Workspace
- The same Nile portal administrator needs to be a Google Workspace user

Create a Google Group and map users to the group for the Nile app (optional)

Note: This is required if admin user(s) use SSO to authenticate to the Nile portal.

1. Sign in to the Google Workspace portal (https://admin.google.com/ in this example). HC Consulting is the sample organization used in this document, for demonstration purposes only.
2. Go to Directory > Groups.
3. Click Create group to create a NileAdmin group and enter a group e-mail address. Assign a group owner. Click Next.
4. Select the access type and click Create group.
5. Click Directory > Users.
6. Click on a user in the list to open it for editing.
7. Select Groups and click Add user to groups.
8. Select the NileAdmin group. Click Add.

Google Workspace SAML App Configuration

1. Sign in to the Google Workspace portal (https://admin.google.com/ in this example).
2. In the Admin console, go to Menu > Apps > Web and mobile apps.
3. Click Add app > Add custom SAML app. A new window will appear.
4. Enter a name for the app, for example "Nile SSO" or "Nile Global", then click Continue.
5. Two options are available to obtain the Google Identity Provider details:
   - Option 1: Download the metadata file and search it for the Entity ID and the Location URL. Copy and paste them into a clipboard or text editor for later use on the Provider page of the Nile portal. The Location URL is also referred to as the SSO URL.
   - Option 2: Copy the SSO URL and Entity ID into a clipboard or text editor for later use on the Provider page of the Nile portal.
6. Download the certificate, then click Continue. The certificate may be saved with a .pem file extension; change the file extension from .pem to .cert.
7. Do not close this browser window. We will complete this process after configuring the Nile portal.

Nile Portal Identity Provider Configuration

1. Open a new browser window and log in to the Nile portal with the same Google Workspace administrator at https://www.nile-global.cloud, then navigate to Settings > Global Settings > Identity.
2. Click Add a New Provider and fill out the form as follows:
   - IdP Issuer URI: <Entity ID (http)>
   - IdP SSO URL: <SSO URL (http)>
   - Destination URL: <SSO URL (http)>
3. Click Select Certificate, upload the Google Workspace certificate downloaded earlier, and click Submit when done.
   Note: If the certificate file cannot be selected, either change the file type filter to "All Files" and/or open the file's "Get Info" dialog and unlock it.
4. Before closing the provider settings, click the Metadata link to download the XML file from which the Nile (Okta) entityID and Location can be extracted; these are entered later to continue the Google Workspace SAML app setup.
5. Click Group Rules, then Add Group Mapping to create a "memberOf" group mapping rule, and click Save when done.
6. Click Add Group Rule to create one rule for the Nile administrator. Once the rule is saved, it can be activated by clicking the Inactive button.

Second Pass at the Google Workspace Custom SAML App Configuration

1. Parse the Nile portal provider metadata XML file to extract the entityID and Location URLs. Here is an example, for illustration only:
   - entityID: https://www.okta.com/saml2/service-provider/sppdejeumsqtplsczcjs
   - Location: https://login.u1.nile-global.cloud/sso/saml2/0oa5prpwodxxgb6mi5d7
2. Go back to the Google Workspace custom SAML app configuration window. Paste the Location into the ACS URL field and the entityID into the Entity ID field.
3. Change Name ID format to EMAIL. Click Continue.
4. Attribute mapping: the following Google Directory attributes are required to be mapped and sent to Nile:
   - Primary email: email
   - First name: firstName
   - Last name: lastName
5. Click Finish. You can then view the mapped Google Directory attributes.
6. Group mapping (optional): If an admin user uses SSO to authenticate to the Nile portal, map the NileAdmin group from Google Groups to the "administrator" app attribute, then click Finish. If group mapping is not required, just click Finish.

You can now log in to the Nile portal using your SSO credentials to validate your privileges.

Please note that once SSO is activated, all local (non-SSO) accounts will be disabled, except for the root administrator.

Additionally, you can set up SSO on a PSK SSID. For step-by-step instructions, please refer to the setup guide: https://docs.nilesecure.com/setup-a-psk-sso-ssid
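For the "second pass" step, where the provider metadata XML downloaded from the Nile portal is parsed for the entityID and Location, here is an added example (not part of this document or of Nile's own tooling) that does the extraction with Python's standard library and rejects a file that is not service-provider metadata. The embedded metadata is a constructed sample built around the illustrative identifiers quoted in this document.

```python
import xml.etree.ElementTree as ET

# SAML 2.0 metadata namespace; Okta SP metadata uses the "md:" prefix for it.
MD_NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample of the metadata XML downloaded from the Nile provider
# page; the identifiers are the illustrative values quoted in this document.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://www.okta.com/saml2/service-provider/sppdejeumsqtplsczcjs">
  <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://login.u1.nile-global.cloud/sso/saml2/0oa5prpwodxxgb6mi5d7"
        index="0" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def extract_sp_endpoints(metadata_xml: str) -> dict:
    """Return the Entity ID and ACS URL that the Google custom SAML app asks for.

    Raises ValueError when the file is not service-provider metadata or has no
    HTTP-POST AssertionConsumerService, so pasting the wrong file (e.g. the IdP
    metadata downloaded from Google) is caught before it reaches the app form.
    """
    root = ET.fromstring(metadata_xml)
    if root.tag != "{%s}EntityDescriptor" % MD_NS["md"]:
        raise ValueError("not a SAML EntityDescriptor")
    entity_id = root.get("entityID")
    if not entity_id:
        raise ValueError("EntityDescriptor has no entityID attribute")
    sp = root.find("md:SPSSODescriptor", MD_NS)
    if sp is None:
        raise ValueError("no SPSSODescriptor: this is not service-provider metadata")
    acs = [a for a in sp.findall("md:AssertionConsumerService", MD_NS)
           if a.get("Binding") == HTTP_POST]
    if not acs:
        raise ValueError("no HTTP-POST AssertionConsumerService in metadata")
    # Prefer the endpoint the SP marks as default, otherwise the first POST one.
    chosen = next((a for a in acs if a.get("isDefault") == "true"), acs[0])
    return {"entity_id": entity_id, "acs_url": chosen.get("Location")}


if __name__ == "__main__":
    print(extract_sp_endpoints(SAMPLE_METADATA))
```

Run it against the real file with `extract_sp_endpoints(open("metadata.xml").read())`; the two returned values are what go into the Entity ID and ACS URL fields.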
