
Required SP Configuration

Step 1: Obtain the following properties from the service provider to create a new SAML adapter:
  • ACS URL (also known as the Assertion Consumer Service URL): the SP endpoint to which the IDP posts signed SAML responses
  • Entity ID (shown as "Partner's Entity ID" in the Admin Console; some service providers call it the "Issuer" or "Audience URI")

Generated IDP Configuration

Step 2: Create a SAML Adapter in the Admin Console. After creation, download the "SAML IDP configuration". The service provider needs this configuration to know where to send SAML requests and how to verify the signed responses from the IDP. The generated configuration contains the following properties:
  • Entity ID: the Entity ID / Issuer of the server, i.e. the IDP
  • SSO Login URL: the URL the service provider must send SAML requests to
  • X.509 Signing Certificate: the IDP signing certificate in PEM format (the public certificate only; the SP uses it to verify the signature on responses, so it contains no secret)

Configuring SAML Adapter for Google as a Service Provider

Step 1: Log in to the Admin Console, navigate to the "Integrations" tab, then the "Adapters" tab, and click the (+) icon in the top right corner to add a new adapter. Select Single Sign-On in the first box and SAML in the adapter type box.
Step 2: Note the "Select User Directory Attribute" value. For Google it must always refer to a directory attribute containing the email address, because Google identifies the account by the email address carried in the assertion; other service providers may expect a different value, such as the user principal name. Google allows a third-party SAML IDP to be registered in two ways: as a global IDP that all users of the organization authenticate with by default, or as an organizational-unit-specific IDP, in which case only the users of that OU authenticate through it. The Entity ID and ACS URL differ depending on which method is selected.

SAML IDP for the Entire Organization

Step 1: Create a default SSO profile that spans the entire organization on the Google SAML IDP configuration page. The values for Entity ID and ACS URL needed in the SAML adapter configuration dialog always follow this pattern:
  • Entity ID: google.com/a/<your_organization_domain> (only if "Use a domain specific issuer" is checked while adding the default SSO profile in Google); otherwise it is google.com
  • ACS URL: https://www.google.com/a/<your_organization_domain>/acs

SAML IDP for a Specific Organizational Unit

Step 1: Create a SAML adapter draft with a placeholder value such as TBD in Entity ID and ACS URL.
Step 2: Go to the Google IDP configuration page and create a third-party SSO profile.
Step 3: Use the IDP's Entity ID, SSO login URL and the certificate generated by the SAML adapter to create the new SSO profile. Save the generated certificate into a file such as saml-idp-cert.pem to upload it to the SSO profile.
Step 4: After the profile is saved, Google generates the Entity ID and ACS URL for it. Use these to update the existing TruU SAML adapter (replace the TBDs).

Configuring a SAML Adapter for Okta as a Service Provider

Step 1: Create a new SAML adapter in the Admin Console (using TBD placeholder values for Entity ID and ACS URL) and save the generated adapter configuration.
Step 2: Sign in to Okta with an administrator account. Navigate to Security → Identity Providers and add a new SAML 2.0 IdP.
Step 3: Use the generated values from the adapter to configure the IDP page. Save the generated IDP certificate into a file such as saml-idp-cert.pem, since Okta only accepts the certificate as an uploaded file.
Step 4: Save the IDP configuration and open the details of the configured IDP. Two fields there map to the properties the SAML adapter requires:
  • Audience URI – Partner's Entity ID in the SAML adapter
  • Assertion Consumer Service URL – ACS URL in the SAML adapter
Step 5: Return to the TruU SAML adapter configuration and replace the TBD values with these.

Configuring a SAML Adapter for Other Service Providers

The configuration process varies from one service provider to another, but it generally follows the same steps described above for Google and Okta: obtain the Entity ID and ACS URL from the SP, enter them into a new SAML adapter configuration, and use the configuration generated by the SAML adapter to set up the service provider. Note: If multiple service providers (Google, Okta, etc.) are in use, create a standalone SAML adapter for each one; an adapter holds a single partner Entity ID and ACS URL, so it cannot serve two SPs.
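The Google, Okta and generic procedures above all reduce to the same exchange: two values flow from the SP into the adapter (Entity ID, ACS URL) and three flow from the adapter to the SP (Entity ID, SSO Login URL, signing certificate). The following is an added example, not TruU's, Google's or Okta's code, that automates both directions with only the Python standard library: it extracts the SP values from standard SAML 2.0 metadata (which many SPs publish instead of quoting the values by hand), flags leftover TBD placeholders and non-https ACS URLs before they are pasted into the adapter, computes the organization-wide Google values from the pattern given above, and assembles IdP metadata from the adapter's three generated properties for SPs that accept a metadata upload. The SP metadata document, the hostnames and the PEM "certificate" are constructed stand-ins, not real artifacts.

```python
"""Helpers for the SAML adapter setup described above (added example, not the
project's own code). Assumes the SP publishes standard SAML 2.0 metadata; the
sample metadata, hostnames and certificate below are constructed placeholders."""
import base64
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed SP metadata with two ACS endpoints; the default one is the one the
# adapter must be configured with. Hostnames are placeholders.
SAMPLE_SP_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.test/saml/metadata">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService index="1"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.test/saml/acs-legacy"/>
    <md:AssertionConsumerService index="0" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.test/saml/acs"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""

# Constructed stand-in for saml-idp-cert.pem: valid base64 armor around bytes
# that are NOT a real X.509 certificate. A real adapter exports a genuine one.
SAMPLE_IDP_CERT_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.b64encode(b"constructed placeholder, not a real X.509 certificate").decode()
    + "\n-----END CERTIFICATE-----\n"
)


def sp_values_from_metadata(xml_text: str) -> dict:
    """Return the two values a new SAML adapter needs: Entity ID and ACS URL.
    Prefers the ACS endpoint marked isDefault, then the lowest index."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD}}}EntityDescriptor":
        raise ValueError("not a SAML EntityDescriptor")
    entity_id = root.get("entityID")
    acs_nodes = root.findall(f"{{{MD}}}SPSSODescriptor/{{{MD}}}AssertionConsumerService")
    if not entity_id or not acs_nodes:
        raise ValueError("metadata lacks entityID or AssertionConsumerService")
    acs_nodes.sort(key=lambda n: (n.get("isDefault") != "true", int(n.get("index", "0"))))
    return {"entity_id": entity_id, "acs_url": acs_nodes[0].get("Location")}


def check_sp_values(entity_id: str, acs_url: str) -> list:
    """Sanity checks before SP values go into the adapter; returns a list of
    problems (empty means OK). The Google OU and Okta flows save TBD placeholders
    first, so a leftover TBD is the most common mistake and is flagged here."""
    problems = []
    if "TBD" in (entity_id or "") or "TBD" in (acs_url or ""):
        problems.append("placeholder value still present")
    if not entity_id:
        problems.append("Entity ID is empty")
    u = urlparse(acs_url or "")
    if u.scheme != "https":
        problems.append("ACS URL must use https: signed assertions are posted there")
    if not u.netloc:
        problems.append("ACS URL has no host")
    return problems


def google_expected_values(org_domain: str, domain_specific_issuer: bool) -> dict:
    """Entity ID and ACS URL for an organization-wide Google SSO profile (pattern
    from the page). OU-specific profiles get Google-generated values instead."""
    entity_id = f"google.com/a/{org_domain}" if domain_specific_issuer else "google.com"
    return {"entity_id": entity_id, "acs_url": f"https://www.google.com/a/{org_domain}/acs"}


def pem_to_base64_der(pem: str) -> str:
    """Strip PEM armor; SAML metadata carries the certificate as bare base64 DER.
    Raises binascii.Error if the file to be uploaded is truncated or corrupt."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", pem)
    b64 = "".join(body.split())
    base64.b64decode(b64, validate=True)
    return b64


def idp_metadata(entity_id: str, sso_url: str, signing_cert_pem: str) -> str:
    """Build SAML 2.0 IdP metadata from the three values the adapter generates,
    for SPs that accept a metadata upload rather than the values one by one."""
    ET.register_namespace("md", MD)
    ET.register_namespace("ds", DS)
    ed = ET.Element(f"{{{MD}}}EntityDescriptor", entityID=entity_id)
    idp = ET.SubElement(ed, f"{{{MD}}}IDPSSODescriptor",
                        protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol")
    kd = ET.SubElement(idp, f"{{{MD}}}KeyDescriptor", use="signing")
    x509 = ET.SubElement(ET.SubElement(kd, f"{{{DS}}}KeyInfo"), f"{{{DS}}}X509Data")
    ET.SubElement(x509, f"{{{DS}}}X509Certificate").text = pem_to_base64_der(signing_cert_pem)
    # Google expects the email address as NameID (see "Select User Directory Attribute").
    ET.SubElement(idp, f"{{{MD}}}NameIDFormat").text = \
        "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
    for binding in (HTTP_REDIRECT, HTTP_POST):
        ET.SubElement(idp, f"{{{MD}}}SingleSignOnService", Binding=binding, Location=sso_url)
    return ET.tostring(ed, encoding="unicode")


if __name__ == "__main__":
    sp = sp_values_from_metadata(SAMPLE_SP_METADATA)
    print("SP values for the adapter:", sp, check_sp_values(**sp) or "OK")
    print(idp_metadata("https://idp.example.test/saml",
                       "https://idp.example.test/saml/sso", SAMPLE_IDP_CERT_PEM))
```

Run it against the SP's real metadata and the adapter's real exported certificate in place of the constructed samples; `check_sp_values` is worth calling once more after the Google OU or Okta flow has replaced the TBD placeholders, since the adapter will store them without complaint.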