Google Apps supports SAML authentication. You will need to enable this via:

  • Google Admin Control Panel, Advanced Tools, Set up single sign-on (SSO)

and check:

  • Enable Single Sign-on

In Elastic SSO do the following:

  1. Initialize the Identity Provider if you have not already. This is done under Manage SSO, Identity Provider. You must be have the SAML Admin role in order to access it.

  2. Go to Manage SSO, Service Providers, Add Service Provider which will start the wizard.
  3. Basic Settings
    1. Under Entity ID enter google.com.
    2. Choose SAML 2.0 for SAML Version.
    3. You can enter any App Name you see fit.
    4. Leave the Public Certificate blank.
    5. Click Next.
  4. Advanced Settings
    1. Select urn:oasis:names:tc:SAML:2.0:nameid-format:email as the NameID Format
    2. Select urn:oasis:names:tc:SAML:2.0:attrname-format:uri as the Attribute Name Format.
    3. Click Next.
  5. ACS Endpoints
    1. For Location use https://www.google.com/a/<googleappsdomain>/acs
    2. For Binding choose HTTP-POST.
  6. Skip SLO Endpoints. Google Apps does not support Single Logout.
  7. Skip Attribute Maps. Google Apps uses the NameID.

Once the above is done, you will need to configure Google Apps Single Sign-on. Go to Google Admin Control Panel, Advanced Tools and enter the following:

  1. Sign-in page URL: Use the value found in Manage SSO, Identity Provider, SAML2 SSO URL. You can also find this value by inspecting the metadata file downloadable from the same page.
  2. Sign-out page URL: You can use the Elastic SSO logout page. E.g.: https://<elasticssodomain>/logout
  3. Change password URL: This can be any desired URL. You can use https://<elasticssodomain>/changepassword
  4. Verification Certificate: Download the identity provider certificate from Manage SSO, Identity Provider, Download Public Key then upload it here.
  5. If you are planning to use a domain specific issuer, you will need to change the EntityID from google.com to google.com/a/<yourdomain> under the Service Provider, Basic Settings (step 2.A.i above).
  6. Once you have saved changes, you can try logging in using the following links (see Google Apps SAML documentation for more information):
    1. Gmail: https://mail.google.com/a/<googleappsdomain>/?tab=om#inbox
    2. Calendar: https://www.google.com/calendar/hosted/<googleappsdomain>/render?tab=oc&AuthEventSource=SSO
    3. Docs: https://docs.google.com/a/<googleappsdomain>/?tab=mo&AuthEventSource=SSO#all