Configuring SSO with GSuite

Netography Pre-Configuration

Netography’s Security Settings and your Identity Provider settings need to be configured in parallel. To start, log in to your Netography account as an administrator.

  1. Navigate to Account Settings > Security/SSO. In the Identity Provider section, enable Single Sign-on:

  1. Copy the Assertion consumer service URL. It will be needed as an input into Auth0 later.

GSuite Walkthrough

Screenshot dates: 6/2021

  1. Starting from https://admin.google.com, select Apps > SAML apps, then select Add custom SAML app from the Add App dropdown.

  1. Provide the application name and logo.

    1. App name: Netography

    2. App logo (optional): https://netography.com/wp-content/uploads/2020/02/neto-logo-dark-400px.png

  1. Click Continue. On the next page, download the Metadata file.

  1. Next, upload the metadata file to Netography: use the Metadata section of the Essentials screen on the SAML Single Sign-On Settings page.

  1. Once the metadata file has been uploaded, go back to GSuite, click "Continue", then perform the following:

    1. Copy the ACS URL and Entity ID from Netography back to GSuite.

    2. Check the "Signed response" checkbox

    3. Set the Name ID format to EMAIL

    4. Set Name ID to Basic Information > Primary email

  1. Click Continue.  Next we will add attribute mappings which will create the user fields provided to Netography.

  1. Add a Role to the SAML attributes: Google does not have role as one of its available user attributes. However, role can be managed in Google by using User Groups. The Group information can be passed in the SAML response to be used as role information.

  2. Configure the role mapper in Netography to match the group attribute name.

Netography Post-Configuration

  1. Return to the Netography portal, and upload the Identity provider metadata file you downloaded above.

  1. Click Next

  2. Now configure the User attribute mappers to match the mapper values configured in Auth0 above:

  1. Click Next. 

  2. Next configure the Default user role and role mappers:

    1. Default user role: This is the role an IDM-authenticated user will default to if the role mappings are not found in the SAML exchange.   For security purposes, we recommend setting this value to "readonly", but you may want to set this to "admin" as you are testing your configuration.

    2. Admin role mappers:  Configure these according to the screenshot below:

  1. Click the Save button.

Done! Now your users can log in directly via your identity provider using a new account-specific login URL.  The new SSO Login URL can now be found under the Essentials settings in the SAML Single Sign-On Settings page.

The default login will still work for your account administrator, which is not bound to your IDM.
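
The interaction between the role mappers and the Default user role, as an added example (not Netography's code): it resolves roles for three constructed users under a "readonly" and an "admin" default. The attribute name "groups" and the Google group names are assumptions; substitute the names from your own configuration.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Assumed values for illustration; use the names from your own configuration.
ROLE_ATTRIBUTE = "groups"                      # attribute name the role mapper reads
ROLE_MAPPERS = {"netography-admins": "admin",  # hypothetical Google group names
                "netography-viewers": "readonly"}

def build_statement(groups, attribute_name=ROLE_ATTRIBUTE):
    """Return a constructed SAML AttributeStatement carrying group names."""
    stmt = ET.Element(f"{{{SAML_NS['saml']}}}AttributeStatement")
    attr = ET.SubElement(stmt, f"{{{SAML_NS['saml']}}}Attribute", Name=attribute_name)
    for group in groups:
        ET.SubElement(attr, f"{{{SAML_NS['saml']}}}AttributeValue").text = group
    return ET.tostring(stmt, encoding="unicode")

def resolve_role(statement_xml, default_role):
    """Map group values to a role; fall back to default_role when none match.

    Models only the mapping step: a real service provider verifies the
    signed response before trusting any attribute in it.
    """
    root = ET.fromstring(statement_xml)
    path = f"saml:Attribute[@Name='{ROLE_ATTRIBUTE}']/saml:AttributeValue"
    groups = {(v.text or "").strip() for v in root.findall(path, SAML_NS)}
    roles = {ROLE_MAPPERS[g] for g in groups if g in ROLE_MAPPERS}
    if "admin" in roles:
        return "admin"
    return "readonly" if roles else default_role

def roles_for(users, default_role):
    """Resolve every constructed user under one Default user role setting."""
    return {name: resolve_role(xml, default_role) for name, xml in users.items()}

# Constructed sample users: a mapped admin, a user in an unmapped group, and a
# user whose groups arrive under an attribute name the mapper does not read.
USERS = {
    "alice": build_statement(["netography-admins"]),
    "bob": build_statement(["engineering"]),
    "carol": build_statement(["netography-admins"], attribute_name="memberOf"),
}

if __name__ == "__main__":
    for default in ("readonly", "admin"):
        print(default, roles_for(USERS, default))
```

With an "admin" default, both the unmapped user and the user affected by the attribute-name mismatch resolve to admin, which is why the default should return to "readonly" once testing is finished.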