Connecting ezeep to your Google organization via SAML


Contents
Introduction................................................................................................................................ 1
Requirements ............................................................................................................................. 1
1. Create the SSO SAML App on Google Admin Console ....................................................... 2
2. Create a Single Sign On configuration set in ezeep ........................................................... 6
3. Enter the correct Service Provider Details on the Google Admin Console........................ 9
4. Activate the SAML application for everyone in Google Admin Console.......................... 12
5. Login as a user .................................................................................................................. 13



Introduction


SAML is today's standard when it comes to connecting the user management of a cloud service with a
directory service. This document outlines how to setup SAML based login with Google accounts.
After the setup you have enabled your users to authenticate in ezeep with their Google accounts and
are able to print based on the rules that you set on ezeep.
During the setup we will have to switch between the Google Administration Console and the ezeep
administration portal. We highly recommend to open both portals simultaneously in separate
browser windows.


Google Admin Console
https://admin.google.com/ 


ezeep administrator portal
https://portal.ezeep.com/ 


Requirements
• ezeep administrator account
• Google G-Suite administrator account

1. Create the SSO SAML App on Google Admin Console

In the first step we need to create a SAML App in the Google Admin Console to connect to ezeep.

Navigate to the SAML apps on the Google Admin Console. You find it on the Google Admin dashboard under Apps -> SAML apps or click on this link:


https://admin.google.com/AdminHome?fral=1#AppsList:serviceType=SAML_APPS 


Click on the + icon and pick Setup my own custom app


screenshot: setup custom app


Google will generate a custom SSO URL, an Entity ID and a certificate which we will need to enter in ezeep. Copy both URLs and download the certificate file to a secure location.


screenshot: get your custom SSO url


Click on next to proceed.


On the next page you can enter some basic information for the ezeep app:


screenshot: enter basic app info


You can download our ezeep logo here:


https://cdn.uc.assets.prezly.com/9718d77e-cb36-4ab2-9e2c-da3655bf8618/-/preview/400x400/-/quality/best/-/format/auto/ 

Click on next again to get to Step 4.

This will open the following screen to enter the Service Provider Details:


screenshot: enter your ezeep SSO details


To get these information, you need to create an ezeep Single Sign On configuration set in the ezeep portal. Open the ezeep portal in a new browser window.


2. Create a Single Sign On configuration set in ezeep

• Log in to your ezeep administrator account at https://portal.ezeep.com

• Click on your account (your email address / display name in our menu on the left)

• Under Single Sign On you will find the settings that you have set up (there should be none yet)

• Click on “Add SSO” and chose SAML 2.0

• A new popup will open with SAML settings


Our SAML settings include all basic settings that you need to set up for SAML to work properly. Enter your specific information and remember to save the settings:


screenshot: configure SSO settings in ezeep portal

Give the SSO configuration set a well suited name on the top of the popup (RENAME ME) and fill in the following fields:

Organization identifier


This is your Organization ID which is unique across our whole solution. Each SAML setting needs one Organization ID. It will be the organization code that your users will type in as Organization ID to be automatically forwarded to your custom Google login page.


It can also be accessed to automatically login to ezeep via Google by visiting this link:

https://accounts.ezeep.com/auth/signin/saml/{{ YOUR_ORGANIZATION_IDENTIFIER }}


Entity ID

The URL that Google provided you in the Google Admin Portal (Entity ID)


Identity Provider Login URL

The Login URL that Google provided you in the Google Admin Portal (SSO URL)


Login Binding type

Choose POST-Binding

Identity Provider Logout URL

This is the URL that we redirect the user to when the user actively wants to log out of a session in our portal.


Logout binding type

Choose Redirect-Binding


Identity Provider Certificate (Base64 encoded)

Pick the certificate that you downloaded from the Google Admin Console to the secure location.


After finishing the configuration click on save to store the configuration set.


screenshot: enter google SSO details


Now that your Single Sign On configuration set is created, you can click on XML and will automatically forwarded to an XML file. Find the following line on the bottom of the XML code (should be one of the last lines of code)


With the information from the XML file we can proceed in on the Google Admin Console.


3. Enter the correct Service Provider Details on the Google Admin Console


Now back at the Google Admin Console on Step 4: Service Provider Details we can enter the necessary information.


ACS URL

You can find the ACS (Assertion Consumer Service) URL in the ezeep configuration. For this, navigate on the ezeep portal to the Single-Sign on settings under account – Single Sign On. On this page, click on the XML link of the configuration (as described above):


screenshot: download settings XML


This will open a XML file. At the bottom of this file you will find the following line:


<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://accounts.ezeep.com/auth/saml/122629ef-08b1-4631-b46c-5dedbf08cb51/?acs" index="1"/> 


The full URL stored in Location= is the ACS URL that needs to be entered as the ACS URL (without the quotation marks) e.g.

https://accounts.ezeep.com/auth/saml/122629ef-08b1-4631-b46c-5dedbf08cb51/?acs 


Entity ID

https://accounts.ezeep.com/auth/saml/ 


Signed Response

needs to be unchecked


Name ID

Needs to be set to Primary email


Name ID Format

Needs to be EMAIL


Now your configuration will look like this


screenshot: verify google SSO details for ezeep


Click on next to proceed.


On the last step we need to create the mappings so that users can be automatically mapped to ezeep rules based on their department. When a user knocks on our portal login door with a SAML token, we consider the token and evaluate certain attributes from it and use them accordingly. These attributes need to identify the user and the ezeep groups the user should be a member of. This way we can directly make printers accessible to users based on the groups and policies that exist in your ezeep portal. Note: We will do a string comparison from the Department value in your Google organization with ezeep group names and assign the user to the according group. If you have a “Marketing” department in Google, you will need to create a matching “Marketing” group in ezeep.


Add three mappings by clicking “Add new mapping” and enter the following information for them:


http://schemas.microsoft.com/ws/2008/06/identity/claims/groups 

Employee Details, Department


first_name

Basic information, First Name


last_name

Basic information, Last Name


screenshot: configure attribute mapping for user imports


4. Activate the SAML application for everyone in Google Admin Console


• Open the Google Admin Console and navigate to Apps -> SAML Apps or open this link: https://admin.google.com/AdminHome?fral=1#AppsList:serviceType=SAML_APPS 


• Find the ezeep SAML app that we just configured

• On the right hand side click on the three dots menu and click on ON for everyone or ON for some – depending on who you want to give access to ezeep


screenshot: enable the ezeep SSO app in your google admin portal


When this is set up, the integration is set up and activated for your users in your Google Organization


5. Login as a user


After ezeep and the Google organization are linked via SAML, users can simply go to portal.ezeep.com and click on “Sign in with Organization ID” or go directly to https://accounts.ezeep.com/auth/signin/saml/ 


On this page users can enter the Organization identifier that was setup in the ezeep Single Sign On configuration set (In Step 2) and will be redirected automatically to your Google login page to authenticate. Alternatively you can provide a direct link in the following format:


https://accounts.ezeep.com/auth/signin/saml/{{ YOUR_ORGANIZATION_IDENTIFIER }}


screenshot: sign in to ezeep with organization ID