Configuring Google Workspace SAML Login

Google Workspace provides a Security Assertion Markup Language (SAML) service so you can use the same username and password across different web applications. To begin using Google Workspace to log into Ubersmith, you need to have an account with Google already established.

The configuration steps are as follows:

1. Configure a Google Workspace SAML application.

2. Generate a service provider key and certificate.

3. Configure Ubersmith.

Configuring the Google Workspace SAML Application

From the Google Workspace Admin console, add a custom SAML application using the configurations below. See Google's guide for more information. 

Complete App Details

1. For App Name, enter Ubersmith.
2. For App Icon, attach an optional logo of your choosing.
3. Click Continue.

Copy Google Identity Provider Details

1. Copy the SSO URL, Entity ID, and Certificate provided by Google. This information will be needed later.
2. Click Continue.

Complete App Details

1. For Assertion Consumer Service (ACS) URL, enter https://[YOUR UBERSMITH DOMAIN].
2. For Entity ID, enter https://[YOUR UBERSMITH DOMAIN].
3. For Start URL, leave this optional field empty.
4. Select the Signed Response option.
5. For NAME ID format, choose EMAIL.
6. For NAME ID choose Basic Information > Primary Email.
7. Click Continue.

Complete Attribute Mapping

1. For Employee Details > Department, enter the word DEPARTMENT.
2. For Basic Information > Primary email, enter the word EMAIL.
3. For Basic Information > First name, enter the word FIRST.
4. For Basic Information > Last name, enter the word LAST.
5. Click Finish.

Generating a Service Provider Key and Certificate 

• In the directory /usr/local/ubersmith/conf/sso, enter the following commands to create your service provider key and certificate.

       $ openssl dsaparam -out saml_sp_dsa_param.pem 4096
       $ openssl gendsa -out saml_sp.pem saml_sp_dsa_param.pem
       $ openssl req -new -x509 -key saml_sp.pem -out saml_sp.crt

Configuring Ubersmith

1. Access the User Authentication page.
2. From the Authentication Modules section, click Add New Authentication Module.

Complete the Details Tab

1. In the Enabled field, select Yes to enable a specific authentication module.
2. In the Module field, select SAML.
3. In the Priority field, enter the order of priority in which server to use to authenticate users.
4. Select the Create User on Login field to create a new user upon their first login attempt.

Complete the Config Tab

1. Click the Config tab.
2. In the ID Provider (IdP) field, enter the SSO URL provided by Google.
3. In the IdP Name field, enter Google Workspace.
4. In the IdP Icon field, enter https://workspace.google.com/static/favicon.ico.

5. In the IdP Signon URL field, enter the SSO URL provided by Google.

6. In the IdP Logout URL field, enter https://[YOUR UBERSMITH DOMAIN]/logout.php.
7. In the IdP x509 Certificate field, paste your Google Workspace certificate.
8. In the Ubersmith "Login Name” Attribute Name field, enter the word EMAIL.
9. In the First Name Attribute Name field, enter the word FIRST.
10. In the Last Name Attribute Name field, enter the word LAST.
11. In the Email Address Attribute Name field, enter the word EMAIL.
12. In the Permission Group Attribute Name field, enter the word DEPARTMENT.
13. In the Service Provider (SP) Entity ID field, enter https://[YOUR UBERSMITH DOMAIN].
14. In the SP x509 Certificate field, copy and paste the certificate you previously generated in the Generate a Service Provider Key and Certificate above.
15. In the SP x509 Private Key field, copy and paste the private key you previously generated in the Generate a Service Provider Key and Certificate above.