Menu
As outlined in the Google docs you can use Google Apps as a SAML 2.0 IdP. The IdP metadata includes a URL for SSO, but doesn't contain a SLO URL:
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://accounts.google.com/o/saml2?idpid=XXXXXXXX" validUntil="xxxxxxx">
<md:IDPSSODescriptor WantAuthnRequestsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<md:KeyDescriptor use="signing">
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data>
<ds:X509Certificate>....</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</md:KeyDescriptor>
<md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://accounts.google.com/o/saml2/idp?idpid=XXXXXXXXX"/>
<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://accounts.google.com/o/saml2/idp?idpid=XXXXXXXXX"/>
</md:IDPSSODescriptor>
</md:EntityDescriptor>
Trying to just use the same URL for SLO results in an error at Google:
Error parsing the request, malformed_request: The SAML request is malformed. That’s all we know.
Of course you can just redirect to https://accounts.google.com/logout but that will only end the Google session.
SLO is not mentioned in Google docs. Is it supported?
287
You can configure your Cloud Identity or Google Workspace account to use single sign-on (SSO). When you enable SSO, users aren't prompted to enter a password when they try to access Google services. Instead, they are redirected to an external identity provider (IdP) to authenticate.
When SSO is set up, users can sign in to their third-party IdP, then access Google apps directly without a second sign-in, with these exceptions: Even if they've already signed in to their IdP, as an extra security measure, Google will sometimes ask them to verify their identity.
Essentially, it removes the need for your users to log into multiple applications in a particular browser session. Once they log into one system, it exchanges authentication data with another service you have SSO set up with and automatically logs the user in.
Google does not support SAML SLO as an identity or service provider.
166
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
