Skip to content

Connecting SSO with G Suite

This guide covers the process of connecting the G Suite (Google) service as an identity provider to Wallarm, which acts as the service provider.

To fulfill steps, you need accounts with administration rights both for Wallarm and G Suite.

Step 1 (Wallarm): Activate SSO service

By default, SSO service for authentication in Wallarm is not active, corresponding blocks are not visible in the Integrations section in Wallarm Console.

To activate the SSO service, contact the Wallarm support team.

Step 2 (Wallarm): Generate metadata

You need Wallarm metadata to enter on the G Suite side:

  1. In Wallarm Console, go to IntegrationsSSO SAML AUTHENTICATION and initiate the Google SSO configuration.

    Integrations - SSO

  2. In the SSO configuration wizard, at the Send details step, overview the Wallarm metadata, that should be passed to the G Suite service.

    Wallarm's metadata

    • Wallarm Entity ID is a unique application identifier generated by the Wallarm application for the identity provider.
    • Assertion Consumer Service URL (ACS URL) is the address on the Wallarm side of the application on which identity provider sends requests with the SamlResponse parameter.

  3. Copy metadata or save them as XML.

Step 3 (G Suite): Configure application

To configure application in G Suite:

  1. Log in to the Google admin console.

  2. Go to Apps.

    G Suite admin console

  3. Click SAML appsAdd a service/App to your domain.

  4. Click Setup my own custom app.

    Adding a new application to G Suite

    You will be provided with G Suite metadata:

    • SSO URL
    • Entity ID
    • Certificate (X.509)

  5. Copy metadata or save them as XML.

  6. Click Next.

    Saving metadata

  7. Enter the Wallarm's metadata. Required fields:

    • ACS URL = Assertion Consumer Service URL parameter in Wallarm.
    • Entity ID = the Wallarm Entity ID parameter in Wallarm.

  8. Fill in the remaining parameters if required, and click Next.

    Filling in service provider information

  9. Click Finish. You will be redirected to the page of the created application.

    Application page in G Suite

  10. Provide G Suite users with access to the created application by via Edit ServiceService statusON for everyone.

  11. Save the changes.

Step 4 (G Suite): Configure provisioning - part 1

The provisioning is an automatic transfer of data from SAML SSO solution (G Suite) to Wallarm: your G Suite users and their group membership define access to Wallarm and permissions there; all user management is performed on G Suite side.

For this to work, provide the attribute mapping:

  1. In G Suite application, via Add new mapping, map:

    • email
    • first_name
    • last_name
    • user group(s) to wallarm_roles tag

    SAML SSO solution - G Suite - Mapping

  2. Save the changes.

    Configuring provisioning will continue in step 6 on Wallarm side.

Step 5 (Wallarm): Enter G Suite metadata

  1. In Wallarm Console, in the SSO configuration wizard, proceed to the Upload metadata step.

  2. Do one of the following:

    • Upload G Suite metadata as an XML file.

      Metadata uploading

    • Enter metadata manually as follows:

      • SSO URLIdentity provider SSO URL
      • Entity IDIdentity provider issuer

      • CertificateX.509 Certificate

        Entering the metadata manually

Step 6 (Wallarm): Configure provisioning - part 2

  1. Proceed to the Roles mapping step.

  2. Map one or several SSO groups to Wallarm roles. Available roles are:

    • admin (Administrator)
    • analytic (Analyst)
    • api_developer (API Developer)
    • auditor (Read Only)
    • partner_admin (Global Administrator)
    • partner_analytic (Global Analyst)

    • partner_auditor (Global Read Only)

      See all role descriptions here.

    SSO groups to Wallarm roles - mapping in Wallarm

  3. Complete SSO configuration wizard. Wallarm will test if data to/from your G Suite can now be transferred.