Background
Some CentreStack tenants may already be using Google IDP and wish to use their Google IDP credentials for single sign-on to CentreStack. This article describes how a CentreStack tenant can be federated with a Google IDP tenant such that Google IDP is the Security Assertion Markup Language (SAML) Identity Provider (IdP) and CentreStack is the SAML Relying Party (RP). These instructions require a Google Admin account to set it up.
Configuration
- Sign into the CentreStack server's management portal as a cluster or tenant administrator.
- Click on the CentreStack tenant to be associated with Google IDP, then from Settings (the left-hand side tenant navigation), select "Single Sign on (SAML Integration)".
- Tick the check box in the Enable SAML Authentication section, then copy the URL of the "Access service provider meta data using the following link" link to your clipboard.
- Paste the URL into a new browser tab and press Enter. The service provider metadata XML will be displayed:
- Locate the "md:EntityDescriptor entityID" URL in the XML data, copy it and paste it into a text editor, similar to this:
Identifier=https://tt3hcaocs02-09.folder.app/portal/saml2.aspx/r6NP21ZW
- Locate the "md:AssertionConsumerService Location" URL in the XML data, copy it and paste it into the text editor, similar to this:
Reply URL=https://tt3hcaocs02-09.folder.app/portal/saml2.aspx?sso=r6NP21ZW
- Save the text in the text editor to a file. It will be used later when configuring the Google app.
- Still on the SSO settings page, set the SSO provider field to 'Other'.
- Continuing in the CentreStack Single Sign On settings, decide whether you want to add the SSO link to the login page. When this setting is on, users see the default CentreStack login page with a link for SSO. When it is off, users are taken directly to the SSO login UI.
- If the SSO link is added to the login page, you may want to enter some descriptive text in the Display text for SSO link field:
- You may want to enable the Create User when User Doesn't Exist setting:
- Leave the CentreStack portal page open, as Google IDP settings will need to be entered on this page later.
- Start a new browser tab or window and navigate to https://admin.google.com. Sign in with your Google Admin credentials.
- From the admin home page, expand 'Apps' in the left navigation menu and click 'Web and mobile apps'.
- On the 'Web and mobile apps' page, click 'Add app' -> 'Add custom SAML app'.
- On the next page, enter a name and a description for the app (they can be anything you want), then click 'Continue' at the bottom.
- The next page has an option at the top to download the IdP metadata. Click it to download the metadata and save the file, as it will be needed later. Make sure a valid certificate is listed here, or the integration will not work. If the certificate is invalid, go back to the admin home page and create a valid certificate there. Once the metadata is saved, click 'Continue' at the bottom.
- The next page prompts you to enter the Access URL and the Entity ID. These are the Reply URL and Identifier, respectively, that you copied earlier; paste them into the fields as shown below.
- Scroll down, change the Name ID Format to 'EMAIL' and click 'Continue' at the bottom.
- On the next page, click 'Add Mapping' three times and set the mappings so that they match the image below, then scroll down and click 'Finish' to finish creating the application.
- The newly created application is displayed, like this:
- Under User Access, you can see that it is 'Off for everyone'. It needs to be enabled for everyone, or for the specific groups you want to grant access to. Click the User Access box to go to the next page.
- On this page, change it to 'On' for everyone, or if you prefer, enable it for specific groups from the side bar. Save the changes; after setup, all users enabled here will be able to log in to CentreStack via Single Sign On.
- Now open the Google SSO metadata file that you downloaded while creating the app. Find the SingleSignOnService Locations and copy one of them (they should be identical).
- Then go back to the CentreStack SSO settings page and paste it into the field called 'IdP End Point URL'.
- Then scroll down and find the Email parameter, Given Name parameter and Sur name parameter, and fill them out as shown, matching the attribute names set in the Google app.
- Next, go back to the metadata file downloaded from Google and copy all of it.
- Then, on the CentreStack SSO settings page, scroll down to the IdP MetaData section and paste it all in, then scroll all the way to the bottom and click the blue diskette icon to save all the settings. The setup is now complete!
Test on Web Portal
Google IdP setup is complete. If you visit the login page now, you will see the Google SSO login link if you opted to have the link on the login page; otherwise you will be taken directly to the Google SSO login page.
Click the Google Single Sign On link and it takes you to the Google sign-in page. Enter the username and password of one of the users who has access to the web app created above.
The user is able to sign in with Google SSO and can now access the web portal!