This is an example, using G Suite (formerly Google Apps), of how to set up a custom SAML resource so that you can log in to it using the hosted version of OpenAthens.

Prerequisites

  • A G Suite domain
  • Access to the G Suite admin dashboard
  • Access to the OpenAthens administration area at the domain level

Method


Set up the custom SAML resource in OpenAthens

  1. Access the administration area as the domain administrator and navigate to the catalogue (Resources > Catalogue).

  2. Switch to the Custom tab and click on the Add button.



  3. Select the SAML option.

  4. Enter the Google Apps metadata address:

     https://help.openathens.net/metadata/google.com/a/<GOOGLEAPPSDOMAIN>

  5. Click the Create button.

This will create the basic custom resource. We can come back and add details later if we need to.

Add G Suite to your release policy

  1. Still in the administration area, navigate to the release policy page (Preferences > Attribute release).



  2. Add a resource policy via the button:

    1. Start typing the name you gave the SAML resource. This will be 'Google' unless you have changed it.
    2. Select it from the list of options to add a policy.

  3. Click the advanced button to access the NameID settings:



  4. Set the SAML NameID format and attribute from the drop-down boxes as:

    1. NameID format - urn:oasis:names:tc:SAML:2.0:nameid-format:persistent

    2. NameID attribute: Email address

  5. Click Done and then Save changes.

This will now release the email attribute that Google expects as the username, and it will release it only to Google. The email address on the OpenAthens account must match the email address stored at the Google end, otherwise Google will not recognise the user.
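As an added example (not part of the original page or OpenAthens' own tooling), the following Python check verifies that an assertion released to Google carries what the policy above is meant to produce: a persistent-format NameID whose value is an email address in your G Suite domain, restricted to the Google audience. The assertion XML, the domain example.com and the assumed audience value google.com/a/<domain> are constructed sample data.

```python
import re
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"

# Constructed sample assertion standing in for what OpenAthens would release
# to Google once the release policy above is applied (not real output).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">alice@example.com</saml:NameID>
  </saml:Subject>
  <saml:Conditions>
    <saml:AudienceRestriction>
      <saml:Audience>google.com/a/example.com</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""


def check_nameid(assertion_xml: str, gsuite_domain: str) -> list:
    """Return a list of problems found. An empty list means the NameID is
    what Google expects: persistent format, email value, matching domain,
    and the assertion is restricted to the G Suite audience."""
    problems = []
    root = ET.fromstring(assertion_xml)
    name_id = root.find("saml:Subject/saml:NameID", NS)
    if name_id is None:
        return ["no NameID in Subject"]
    fmt = name_id.get("Format")
    if fmt != PERSISTENT:
        problems.append(f"NameID format is {fmt!r}, expected persistent")
    value = (name_id.text or "").strip()
    if not re.fullmatch(r"[^@\s]+@[^@\s]+\.[^@\s]+", value):
        problems.append(f"NameID value {value!r} is not an email address")
    elif value.rsplit("@", 1)[1].lower() != gsuite_domain.lower():
        problems.append(f"NameID domain does not match {gsuite_domain}")
    # Assumed audience form for a G Suite domain, matching the metadata path above.
    audiences = [a.text for a in root.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if f"google.com/a/{gsuite_domain}" not in audiences:
        problems.append("assertion is not restricted to the G Suite audience")
    return problems


if __name__ == "__main__":
    print(check_nameid(SAMPLE_ASSERTION, "example.com"))  # -> []
```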

Access G Suite SSO settings

Access the SSO settings on the Google Apps dashboard. At the time of writing these were under the Security section.

...

Save the details and you are ready to test.

Test

Once both ends are set up, you can try access at https://mail.google.com/a/<GSUITEDOMAIN> (www.google.etc addresses will always use the Google account rather than redirecting, so you need to use one of the apps' subdomains). Unless you already have an active Google session, you should be directed to your organisation's OpenAthens sign-in location - see about the authentication point.

...

Toggle use on and off via Google's settings until you are ready to go live.

Customise

Once the basic resource exists, that is all the system needs to work unless you are using restrictive mode (see below).

...

All types of custom resource can be made available to sub-organisations by opening the detail view and changing the setting on the Visibility tab:

Restrictive mode

If you are running in restrictive mode, the SAML resource MUST be included in at least one of the permission sets used by anyone who should gain access. If it is not, OpenAthens will block access at the authentication point.

...