
Google Workspace SAML SSO Configuration

Updated over 2 months ago

This guide demonstrates the step-by-step process for creating a new application in Google Workspace, capable of communicating via SAML 2.0 with Axur Platform services. In this guide, we will cover all the necessary configurations to ensure that Single Sign-On (SSO) works correctly and as expected.



Before You Start

  • Ensure you have an Administrator account in Google Workspace and can access it without issues.

  • When performing the configurations, make sure that the data you will copy or type in the indicated locations is correct. Incorrect data entry can cause problems later when we test our application.

  • The process of creating the SSO application in Google Workspace follows a very simple step-by-step procedure. It is not necessary to click through different sections to complete the configuration. The process is sequential, but we have divided the tutorial into sections to facilitate understanding.


Groups, users, and assignments

In all Axur Platform SSO application creation tutorials, there is the concept of users and groups. After all, the provider is where all your user information will be stored, in addition to the groups to which they belong (creating groups via the provider is optional). In this sense, this section is dedicated to teaching how to create groups and users in Google Workspace, as well as assigning users to groups.


Creating a group (Optional)

This section is optional. Groups can be managed within the Axur Platform if you wish. If you prefer that, you can skip the sections Creating a group, Assigning a group to a user, and Mapping user groups.

Note: it is essential that group names follow the required pattern. Specifically, every new group name must end with one of the suffixes listed below:

Required group suffixes:

  • one-viewer

  • one-practitioner

  • one-expert

  • one-manager

  • one-basic

For example, group names such as Axur-one-manager and ClientX-one-expert are valid, but Axur-manager and ClientX-analyst are not, because they lack one of the expected suffixes.

Follow the step-by-step instructions in the images to create a group. You do not need to create all the groups listed above, only the ones you want. Before the images, review the following table describing what each group can do:

one-viewer: Users in this group will have access to the Axur Platform, with the ability to view all ticket, result, and invoice information, but cannot perform any actions.

one-practitioner: Users in this group will have access to the Axur Platform and, in addition to viewing all information, can perform non-billable actions (all except Takedown requests).

one-expert: Users in this group will have access to the Axur Platform and, in addition to performing non-billable actions, can also request Takedowns.

one-manager: Users in this group will have access to the Axur Platform and can perform all actions (non-billable and billable) and also view activities performed by their users in the Axur Platform.

one-basic: Users in this group have a personalized set of capabilities. When they are created, the manager can decide what their capabilities will be.

Click Done to finish!


Creating a user

To create a user, follow the step-by-step instructions in the images:


Assigning a group to a user (Optional)

This section is optional. Groups can be managed within the Axur Platform if you wish. If you prefer that, you can skip the sections Creating a group, Assigning a group to a user, and Mapping user groups.

To assign a user to a group you created, follow the step-by-step instructions in the images:


Creating a new application

Use this link to access Google Workspace and log in with your Administrator account. Then, follow the step-by-step instructions in the images below to create the new SAML application providing data for the Axur Platform:


Obtaining Google Workspace provider data

Since we are using Google Workspace as the identity provider, the Axur Platform needs information that tells it which provider it will be communicating with and lets it verify that the messages it receives from that provider are authentic.

Continuing the creation of the SAML application, you will see the following screen:

For this tutorial, use the first option. Download the file and make sure you can open it without problems; it will be used at the end of the tutorial to configure SSO on the Axur Platform.
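As an added example (it is not part of the Axur guide or of Google's documentation), the following Python script shows what the downloaded IdP metadata file contains and sanity-checks it the way a service provider would before trusting it: it extracts the IdP entity ID, the single sign-on endpoints and the signing certificate, and reports an endpoint that does not belong to Google. The metadata embedded in the script is constructed; the idpid and the certificate body are placeholders, not real values.

```python
import xml.etree.ElementTree as ET

# SAML metadata namespaces (standard, not specific to Google or Axur).
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample in the shape of the Google Workspace IdP metadata download.
# The idpid and the certificate body are placeholders, not real values.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://accounts.google.com/o/saml2?idpid=PLACEHOLDER_IDPID">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>PLACEHOLDER_BASE64_CERTIFICATE</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://accounts.google.com/o/saml2/idp?idpid=PLACEHOLDER_IDPID"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://accounts.google.com/o/saml2/idp?idpid=PLACEHOLDER_IDPID"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""

GOOGLE_ISSUER_PREFIX = "https://accounts.google.com/"
REDIRECT_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"


def inspect_idp_metadata(xml_text: str) -> dict:
    """Pull out what the SP will rely on and list anything that looks wrong.

    Returns the IdP entityID, the SSO endpoint per binding, the number of
    signing certificates and a list of problems (empty when the file is clean).
    """
    root = ET.fromstring(xml_text)
    problems = []
    entity_id = root.get("entityID", "")
    sso_urls = {}
    signing_certs = []

    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        problems.append("root element is not md:EntityDescriptor")
    if not entity_id.startswith(GOOGLE_ISSUER_PREFIX):
        problems.append(f"entityID {entity_id!r} is not a Google Workspace issuer")

    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        problems.append("no IDPSSODescriptor: this is not IdP metadata")
    else:
        # A KeyDescriptor without a 'use' attribute applies to signing and encryption alike.
        for kd in idp.findall("md:KeyDescriptor", NS):
            if kd.get("use", "signing") == "signing":
                for cert in kd.iter(f"{{{NS['ds']}}}X509Certificate"):
                    if cert.text and cert.text.strip():
                        signing_certs.append(cert.text.strip())
        for svc in idp.findall("md:SingleSignOnService", NS):
            binding, location = svc.get("Binding", ""), svc.get("Location", "")
            sso_urls[binding] = location
            # An edited or swapped file shows up here as an endpoint on an unexpected host.
            if not location.startswith(GOOGLE_ISSUER_PREFIX):
                problems.append(f"SingleSignOnService {binding} points outside Google: {location!r}")
        if not signing_certs:
            problems.append("no signing certificate: assertion signatures cannot be verified")
        if REDIRECT_BINDING not in sso_urls:
            problems.append("no HTTP-Redirect SingleSignOnService endpoint")

    return {
        "entity_id": entity_id,
        "sso_urls": sso_urls,
        "signing_certs": len(signing_certs),
        "problems": problems,
    }


if __name__ == "__main__":
    import json
    import sys
    # Pass the downloaded metadata file as the first argument; otherwise the sample is used.
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_METADATA
    print(json.dumps(inspect_idp_metadata(text), indent=2))
```

Run it against the file you downloaded (`python inspect_metadata.py GoogleIDPMetadata.xml`, assuming that file name); an empty `problems` list means the file still describes a Google issuer with a signing certificate and Google-hosted sign-in endpoints, which is what the Axur Platform will rely on.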


Sending Axur Platform data to Google Workspace

Google needs to know who it will be communicating with for the SSO process to work smoothly. Follow the images to insert the following Axur Platform data into the Google Workspace settings:

These are the values you will need (they are fixed and must be entered exactly as shown):

ACS URL: https://api.axur.com/gateway/1.0/saml-proxy/saml/SSO

Entity ID: com:axur:sso


Mapping user attributes

Because we use Google Workspace as the provider, we rely on credentials that are already stored and managed by Google, in the format Google defines. To communicate with the Axur Platform over SAML, however, user data must be sent in a standardized form. Think of it this way: the Axur Platform must always receive the user's email attribute under the same name, regardless of whether the data comes from Google or from any other provider. Different providers store their data in different ways, and attribute mappings solve this problem.

Use the step-by-step instructions in the images to add user attribute mappings in your Google Workspace application.

The values you will need to fill in are:

Primary Email: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress

First name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname

Last name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname


Mapping user groups (Optional)

This section is optional. Groups can be managed within the Axur Platform if you wish. If you prefer that, you can skip the sections Creating a group, Assigning a group to a user, and Mapping user groups.

Just like user attributes, we also have groups, which bring users together according to some specific criteria. These groups are created by the administrator in Google Workspace and, as explained in the previous section, a mapping is needed so that this data is transmitted to the Axur Platform in a standardized way, regardless of the provider.

In this section, the focus is on taking each of the groups you created in the Groups, users, and assignments section and telling Google Workspace how these group names should be mapped when sending to the Axur Platform.

Follow the images to create the group mapping in the Google Workspace settings, using the following value to fill in the right-hand side:

http://schemas.xmlsoap.org/claims/Group

You can add as many groups as you want here. In the example we added only one-viewer, but you can add as many as you like; all of them will be sent under the same group claim defined above.

At the end of the group and user attribute mapping process, check that your application looks like the one in the image below:


Assigning groups/users to the application

Now all that remains is to assign users or groups to the new application you created. Follow the step-by-step instructions in the images to do this:

If you decided to create groups via the provider, select the created groups and check if they are active in the application. Once this is done, all users participating in these groups will have access to the application. If you decided not to create groups via the provider, you can enable the application for an Organizational Unit (OU). This allows all users within that OU to have access to the application, without needing to create groups.

For OU:

For group:


Some common errors

Google Workspace has a support page that lists some of the most common errors encountered when creating a SAML application. You can access this page by clicking here. In general, when an error occurs, always check:

  • The Service Provider (SP) information (the Axur Platform in this case). Compare the values with those in the Sending Axur Platform data section and make sure they match exactly.

  • The Identity Provider (IdP) information (Google Workspace in this case). Verify that the metadata file you downloaded here has not been altered.

  • The mapping information for both users and groups (only if you decided to create group mappings via the provider). Verify if the values are correct, and make changes if necessary.

  • The application access information. Verify the assignments of groups or direct users.

Specific errors

Error: Non Authorized IdP or expired IdP login
Description: Unauthorized IdP or expired session
How to Resolve: Check the Federation Metadata and the IdP.

Error: Missing value for string parameter [email claim]
Description: Missing or empty email claim
How to Resolve: Make sure the email attribute is correctly configured in the IdP.

Error: Redirection error
Description: Incorrect endpoint URL in the IdP
How to Resolve: Check whether the endpoints are correctly configured.

Error: Local entity is not the intended audience of the assertion in at least one AudienceRestriction
Description: The assertion was not intended for the SP
How to Resolve: Check that the entityId configured in the app is set to com:axur:sso.

Error: Authentication statement is too old to be used with value {date}
Description: The authentication statement has expired
How to Resolve: The IdP session duration exceeds 7 days. Contact support to adjust it.

Error: Validation of protocol message signature failed
Description: The signature of the SAML message is invalid
How to Resolve: Verify that the Federation Metadata was correctly provided.
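To make the user attribute and group mappings concrete, and to show what lies behind the rows of the error table, here is an added Python example (not the Axur Platform's own code) that takes a SAML assertion in the shape Google Workspace sends after the mappings are in place, extracts the email, name and group claims, keeps only the groups that carry one of the required suffixes from the Creating a group section, and reproduces the audience, recipient, email-claim and authentication-age checks. The assertion is constructed and unsigned; signature verification against the IdP certificate from the metadata file is assumed to have happened before this step, and the user, IDs and idpid are placeholders.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# Values taken from the guide.
ACS_URL = "https://api.axur.com/gateway/1.0/saml-proxy/saml/SSO"
SP_ENTITY_ID = "com:axur:sso"
EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
GIVENNAME_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"
SURNAME_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"
GROUP_CLAIM = "http://schemas.xmlsoap.org/claims/Group"
ROLE_SUFFIXES = ("one-viewer", "one-practitioner", "one-expert", "one-manager", "one-basic")
MAX_AUTHN_AGE = timedelta(days=7)  # the "Authentication statement is too old" limit

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed, unsigned sample assertion; the user, IDs and idpid are placeholders.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    Version="2.0" ID="_placeholder_id" IssueInstant="2024-01-10T12:00:00Z">
  <saml:Issuer>https://accounts.google.com/o/saml2?idpid=PLACEHOLDER_IDPID</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jane.doe@example.com</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData Recipient="https://api.axur.com/gateway/1.0/saml-proxy/saml/SSO"
          NotOnOrAfter="2024-01-10T12:05:00Z"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2024-01-10T11:55:00Z" NotOnOrAfter="2024-01-10T12:05:00Z">
    <saml:AudienceRestriction><saml:Audience>com:axur:sso</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2024-01-10T12:00:00Z" SessionIndex="_placeholder_session"/>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
      <saml:AttributeValue>jane.doe@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname">
      <saml:AttributeValue>Jane</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname">
      <saml:AttributeValue>Doe</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/claims/Group">
      <saml:AttributeValue>ClientX-one-expert</saml:AttributeValue>
      <saml:AttributeValue>ClientX-analyst</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""


def parse_time(value: str) -> datetime:
    """Parse a SAML UTC timestamp such as 2024-01-10T12:00:00Z, tolerating fractional seconds."""
    base = value.rstrip("Z").split(".")[0]
    return datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def attribute_values(root: ET.Element) -> dict:
    """Attribute Name -> list of values, i.e. the claims the mappings make Google send."""
    result = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        result[attr.get("Name")] = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)]
    return result


def roles_from_groups(groups) -> list:
    """Keep only group names ending in a required suffix and map each to that role."""
    roles = []
    for name in groups:
        for suffix in ROLE_SUFFIXES:
            if name.endswith(suffix):
                roles.append(suffix)
                break  # names without a valid suffix (e.g. ClientX-analyst) are ignored
    return roles


def check_assertion(xml_text: str, now: str) -> dict:
    """Apply the checks behind the guide's error table; 'findings' is empty on success.

    'now' is the SP's clock as a SAML-style timestamp string.
    """
    root = ET.fromstring(xml_text)
    current = parse_time(now)
    findings = []

    audiences = [(a.text or "").strip() for a in
                 root.findall("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if SP_ENTITY_ID not in audiences:
        findings.append(f"Local entity is not the intended audience of the assertion (got {audiences})")

    recipients = [d.get("Recipient") for d in
                  root.findall("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)]
    if ACS_URL not in recipients:
        findings.append("Redirection error: Recipient is not the Axur ACS URL")

    # Standard SAML validity window (not in the error table, but checked by every SP).
    conditions = root.find("saml:Conditions", NS)
    if conditions is not None:
        not_before, not_on_or_after = conditions.get("NotBefore"), conditions.get("NotOnOrAfter")
        if (not_before and current < parse_time(not_before)) or \
           (not_on_or_after and current >= parse_time(not_on_or_after)):
            findings.append("Assertion is outside its validity window")

    authn = root.find("saml:AuthnStatement", NS)
    if authn is None or current - parse_time(authn.get("AuthnInstant")) > MAX_AUTHN_AGE:
        findings.append("Authentication statement is too old to be used")

    attrs = attribute_values(root)
    email = next(iter(attrs.get(EMAIL_CLAIM, [])), "")
    if not email:
        findings.append("Missing value for string parameter [email claim]")

    return {
        "ok": not findings,
        "findings": findings,
        "email": email,
        "name": " ".join(attrs.get(GIVENNAME_CLAIM, []) + attrs.get(SURNAME_CLAIM, [])),
        "roles": roles_from_groups(attrs.get(GROUP_CLAIM, [])),
    }


if __name__ == "__main__":
    print(check_assertion(SAMPLE_ASSERTION, "2024-01-10T12:01:00Z"))
```

Each finding is worded after the corresponding row of the error table, so a message from the platform can be traced back to the mapping or value that produced it: a wrong Entity ID shows up as the audience finding, a missing Primary Email mapping as the email-claim finding, and an IdP session older than the 7-day limit as the authentication-age finding.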

This concludes the necessary configurations in the Google Workspace provider. Return to the configuration guide on the platform to finalize the creation of your application.


If you have any questions, feel free to reach out at [email protected] 😊
