How to get group membership or roles from a Google Apps SAML2 Identity Provider

I did set up my Google Apps for Work Unlimited account to act as a SAML2 Identity Provider and registered my web application as a Service Provider (as explained in the links below). It works great: I can log in to my app after logging in to Google with a user. My problem now is that I need to grant that user access to resources based on its Google role or group membership, and I cannot figure out how to send that membership information back to the service provider. It seems that I cannot use the Attribute Mapping function to map the "groups" user field. Does anybody know if this is a Google Apps for Work Unlimited limitation? Should I be able to send the group membership in another way? How? I know role and group membership are totally different things. I just need a way to differentiate user privileges. Maybe you can think of another way to differentiate them? I need to know, for example, whether they are administrators or just users in Google Apps. How can I do that?

https://support.google.com/a/answer/6087519?hl=en

https://robinpowered.com/blog/how-to-set-up-saml-with-google-apps/

pabloelustondo asked Jan 19 '16 17:01



1 Answer

I've been searching for this as well for a couple of days, and all the references I found (i.e. documentation for products that integrate with Google Apps SAML for SSO) state that it is not supported by Google at this time, and how everyone's also puzzled and frustrated about that.

The closest things I've found, which are not ideal but work, are to use some other field in the User definition, e.g. Department, as a role/group specification field that is enabled on the SAML configuration in Google Apps. Another alternative, which seemed perhaps closer to what the real implementation of Groups in the SAML assertion would look like and is actually referred to as a solution "recommended by Google" (whatever that may mean), is to create a custom Schema and a custom Attribute you can populate for all of your users in the Google Apps directory, which you can control as a multi-value list of "external" roles/groups they belong to in the externally facing system (so it wouldn't be exactly what you're asking for, and what I need either, in case you strictly want the names of the Google Groups the user is in).

Anyway, since you had no response on this thread or the forums, I thought it was worth pointing out that all the searches that brought people here and onto the other pages that reference this problem don't have a better solution than this, unfortunately.

edit: Looks like yet another alternative, perhaps an easier way to configure the same thing as the one mentioned above, is to use "Custom Category" and associated "Custom Attributes".

Roberto Andrade answered Oct 21 '22 08:10
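To show what the service-provider side of the workaround in the answer above looks like, here is an added example (not code from the question, the answer, or Google). It assumes the Google Apps SAML app has been configured to map a custom-schema, multi-valued attribute to the SAML attribute name `roles` and the built-in Department field to `department`; both attribute names, the role values `app-admin`/`app-user`, the issuer `idpid` and the SP entity ID are assumptions, and the assertion is a constructed sample rather than one captured from Google. The SP validates the assertion's issuer, audience and validity window, collects every attribute as a list of values, and derives an application privilege from the multi-valued role attribute, denying by default when no recognised role is present.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Values this service provider expects (both are placeholders, not real IDs).
EXPECTED_ISSUER = "https://accounts.google.com/o/saml2?idpid=IDPID_PLACEHOLDER"
EXPECTED_AUDIENCE = "https://sp.example.com/saml/metadata"

# Constructed sample assertion (not captured from Google). It assumes the
# custom-schema attribute is mapped to "roles" and Department to "department".
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-1" Version="2.0" IssueInstant="2016-01-19T17:01:00Z">
  <saml:Issuer>https://accounts.google.com/o/saml2?idpid=IDPID_PLACEHOLDER</saml:Issuer>
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2016-01-19T17:00:00Z" NotOnOrAfter="2016-01-19T17:10:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://sp.example.com/saml/metadata</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="department">
      <saml:AttributeValue>Engineering</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="roles">
      <saml:AttributeValue>app-admin</saml:AttributeValue>
      <saml:AttributeValue>app-user</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def _parse_time(value):
    """Parse the UTC timestamp form SAML uses (YYYY-MM-DDTHH:MM:SSZ)."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_assertion(assertion_xml, expected_issuer, expected_audience, now_iso):
    """Return a list of problems; an empty list means the assertion is acceptable.

    XML signature verification is out of scope here: in a real SP it must
    succeed before any of these fields are trusted, and IdP-supplied XML
    should go through a hardened parser (e.g. defusedxml) rather than ElementTree.
    """
    root = ET.fromstring(assertion_xml)
    problems = []
    issuer = root.findtext("saml:Issuer", namespaces=SAML_NS)
    if issuer != expected_issuer:
        problems.append(f"unexpected issuer {issuer!r}")
    audiences = [a.text for a in root.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", SAML_NS)]
    if expected_audience not in audiences:
        problems.append("assertion not intended for this service provider")
    cond = root.find("saml:Conditions", SAML_NS)
    now = _parse_time(now_iso)
    if cond is not None:
        not_before = cond.get("NotBefore")
        not_on_or_after = cond.get("NotOnOrAfter")
        if not_before and now < _parse_time(not_before):
            problems.append("assertion not yet valid")
        if not_on_or_after and now >= _parse_time(not_on_or_after):
            problems.append("assertion expired")
    return problems


def parse_attributes(assertion_xml):
    """Collect every AttributeStatement attribute as name -> list of values.

    Multi-valued attributes (the custom roles list) keep all their values.
    """
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", SAML_NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", SAML_NS)]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    return attrs


def privilege_for(attrs, role_attr="roles"):
    """Map the custom role attribute to an application privilege.

    Returns "admin", "user", or None when no recognised role is present
    (deny by default rather than falling back to a guessed level).
    """
    roles = set(attrs.get(role_attr, []))
    if "app-admin" in roles:
        return "admin"
    if "app-user" in roles:
        return "user"
    return None


if __name__ == "__main__":
    problems = validate_assertion(SAMPLE_ASSERTION, EXPECTED_ISSUER,
                                  EXPECTED_AUDIENCE, "2016-01-19T17:05:00Z")
    attrs = parse_attributes(SAMPLE_ASSERTION)
    print("problems:", problems)
    print("attributes:", attrs)
    print("privilege:", privilege_for(attrs))
```

The Department fallback the answer mentions works the same way: call `privilege_for(attrs, role_attr="department")` with your own value-to-privilege mapping. Whichever field you choose, keep the decision on the SP side a strict allow-list of known values, so an unexpected or empty attribute results in no access rather than default access.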