# Connecting SSO with G Suite

This guide covers the process of connecting the [G Suite](https://gsuite.google.com/) (Google) service as an identity provider to Wallarm, which acts as the service provider.

To complete the steps, you need accounts with administration rights both in Wallarm and in G Suite.

## Step 1 (Wallarm): Activate SSO service

By default, the SSO service for authentication in Wallarm is not active, and the corresponding blocks are not visible in the **Integrations** section of Wallarm Console.

To activate the SSO service, contact the [Wallarm support team](https://support.wallarm.com/). SSO with [provisioning](#step-4-g-suite-configure-provisioning-part-1) will be suggested by default:

* Once SSO is enabled, no users will be able to authenticate with login and password. Request a fallback account if necessary; it will retain login/password authentication.
* No users can be disabled or deleted from the Wallarm side.
* If you have [multiple tenants](https://docs.wallarm.com/installation/multi-tenant/overview.md), with Okta, you can use the [tenant dependent permissions](https://docs.wallarm.com/admin-en/configuration-guides/sso/intro.md#tenant-dependent-permissions) option; make the decision on that together with Wallarm support.

## Step 2 (Wallarm): Generate metadata

You need the Wallarm metadata to enter it on the G Suite side:

1. In Wallarm Console, go to **Integrations** → **SSO SAML AUTHENTICATION** and initiate the **Google SSO** configuration.

    ![Integrations - SSO](https://docs.wallarm.com/images/admin-guides/configuration-guides/sso/sso-integration-add.png)

1. In the SSO configuration wizard, at the **Send details** step, review the Wallarm metadata that should be passed to the G Suite service.

    ![Wallarm's metadata](https://docs.wallarm.com/images/admin-guides/configuration-guides/sso/gsuite/sp-metadata.png)

    * **Wallarm Entity ID** is a unique application identifier that Wallarm generates for the identity provider.
    * **Assertion Consumer Service URL (ACS URL)** is the address on the Wallarm side to which the identity provider sends requests carrying the `SAMLResponse` parameter.

1. Copy the metadata or save it as XML.

## Step 3 (G Suite): Configure application

To configure the application in G Suite:

1. Log in to the Google [admin console](https://admin.google.com).
1. Go to **Apps**.

    ![G Suite admin console](https://docs.wallarm.com/images/admin-guides/configuration-guides/sso/gsuite/gsuite-console.png)

1. Click **SAML apps** → **Add a service/App to your domain**.
1. Click **Setup my own custom app**.

    ![Adding a new application to G Suite](https://docs.wallarm.com/images/admin-guides/configuration-guides/sso/gsuite/gsuite-add-app.png)

    You will be provided with G Suite metadata:

    * **SSO URL**
    * **Entity ID**
    * **Certificate** (X.509)

1. Copy the metadata or save it as XML.
1. Click **Next**.

    ![Saving metadata](https://docs.wallarm.com/images/admin-guides/configuration-guides/sso/gsuite/gsuite-fetch-metadata.png)

1. Enter the Wallarm metadata. Required fields:

    * **ACS URL** = the **Assertion Consumer Service URL** parameter in Wallarm.
    * **Entity ID** = the **Wallarm Entity ID** parameter in Wallarm.

1. Fill in the remaining parameters if required, and click **Next**.

    ![Filling in service provider information](https://docs.wallarm.com/images/admin-guides/configuration-guides/sso/gsuite/gsuite-fill-in-sp-data.png)

1. Click **Finish**. You will be redirected to the page of the created application.

    ![Application page in G Suite](https://docs.wallarm.com/images/admin-guides/configuration-guides/sso/gsuite/gsuite-app-page.png)

1. Provide G Suite users with access to the created application via **Edit Service** → **Service status** → **ON for everyone**.
1. Save the changes.

## Step 4 (G Suite): Configure provisioning - part 1

**Provisioning** is the automatic transfer of data from the SAML SSO solution (G Suite) to Wallarm: your G Suite users and their group membership define who has access to Wallarm and with which permissions; all user management is performed on the G Suite side.

For this to work, provide the attribute mapping:

1. In G Suite application, via **Add new mapping**, map:

    * `email`
    * `first_name`
    * `last_name`
    * user group(s) to the `wallarm_roles` attribute

    ![SAML SSO solution - G Suite - Mapping](https://docs.wallarm.com/images/admin-guides/configuration-guides/sso/simple-sso-mapping.png)

1. Save the changes.

    Configuring provisioning continues in [step 6](#step-6-wallarm-configure-provisioning-part-2) on the Wallarm side.

## Step 5 (Wallarm): Enter G Suite metadata

1. In Wallarm Console, in the SSO configuration wizard, proceed to the **Upload metadata** step.
1. Do one of the following:

    * Upload G Suite metadata as an XML file.

        ![Metadata uploading](https://docs.wallarm.com/images/admin-guides/configuration-guides/sso/gsuite/sp-wizard-transfer-metadata.png)

    * Enter metadata manually as follows:

        * **SSO URL** → **Identity provider SSO URL**
        * **Entity ID** → **Identity provider issuer**
        * **Certificate** → **X.509 Certificate**

            ![Entering the metadata manually](https://docs.wallarm.com/images/admin-guides/configuration-guides/sso/gsuite/transfer-metadata-manually.png)
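As an added example (not Wallarm's or Google's code), the Python script below pulls the three values entered in this step out of an identity provider metadata file, preferring the HTTP-Redirect SSO endpoint and refusing a certificate that does not decode or that is only marked for encryption; the metadata it runs on is constructed, and `EXAMPLE_ID` stands in for the tenant-specific `idpid`.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

def parse_idp_metadata(xml_text: str) -> dict:
    """Return the SSO URL, identity provider issuer and signing certificate."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    entity_id = root.get("entityID")
    if root.tag != f"{{{NS['md']}}}EntityDescriptor" or idp is None or not entity_id:
        raise ValueError("not an IdP EntityDescriptor with an entityID")
    # Prefer the HTTP-Redirect endpoint when both bindings are published.
    endpoints = {s.get("Binding"): s.get("Location")
                 for s in idp.findall("md:SingleSignOnService", NS)}
    sso_url = endpoints.get(REDIRECT) or endpoints.get(POST)
    if not sso_url:
        raise ValueError("no SingleSignOnService endpoint")
    # Only a KeyDescriptor usable for signing counts; a key marked
    # use="encryption" is the wrong one to paste into the wizard.
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":
            continue
        node = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
        if node is not None and node.text:
            cert = "".join(node.text.split())  # drop the line wrapping
            base64.b64decode(cert, validate=True)  # rejects a mangled copy
            return {"sso_url": sso_url, "entity_id": entity_id, "certificate": cert}
    raise ValueError("no signing certificate in IDPSSODescriptor")

# Constructed sample in the shape of G Suite metadata: the certificate is a
# labelled placeholder, not a real X.509 certificate, and EXAMPLE_ID stands
# in for the tenant-specific idpid.
FAKE_CERT = base64.b64encode(b"placeholder, not a real certificate").decode()
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://accounts.google.com/o/saml2?idpid=EXAMPLE_ID">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
      {FAKE_CERT[:24]}
      {FAKE_CERT[24:]}
    </ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="{POST}" Location="https://accounts.google.com/o/saml2/idp?idpid=EXAMPLE_ID"/>
    <md:SingleSignOnService Binding="{REDIRECT}" Location="https://accounts.google.com/o/saml2/idp?idpid=EXAMPLE_ID"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""
```

Calling `parse_idp_metadata(SAMPLE_METADATA)` yields the three values in the order the wizard asks for them, with the certificate already collapsed to a single line.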

## Step 6 (Wallarm): Configure provisioning - part 2

1. Proceed to the **Roles mapping** step.
1. Map one or several SSO groups to Wallarm roles. Available roles are:

    * `admin` (**Administrator**)
    * `analytic` (**Analyst**)
    * `api_developer` (**API Developer**)
    * `auditor` (**Read Only**)
    * `partner_admin` (**Global Administrator**)
    * `partner_analytic` (**Global Analyst**)
    * `partner_auditor` (**Global Read Only**)

    See all role descriptions [here](https://docs.wallarm.com/user-guides/settings/users.md#user-roles).

    ![SSO groups to Wallarm roles - mapping in Wallarm](https://docs.wallarm.com/images/admin-guides/configuration-guides/sso/sso-mapping-in-wallarm.png)

1. Complete the SSO configuration wizard. Wallarm will test whether data can now be transferred to and from your G Suite.
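As an added example (not Wallarm's code) covering step 4 and this step together, the Python script below reads the attributes mapped in step 4 out of an assertion's `AttributeStatement` and applies a group-to-role mapping of the kind configured in the **Roles mapping** step, rejecting an assertion that lacks a required attribute and a mapping that targets a role Wallarm does not offer; the assertion, group names and user are constructed, and the functions `read_attributes` and `provision_user` are hypothetical.

```python
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
# Roles offered in the wizard's Roles mapping step.
WALLARM_ROLES = {"admin", "analytic", "api_developer", "auditor",
                 "partner_admin", "partner_analytic", "partner_auditor"}

def read_attributes(assertion_xml: str) -> dict:
    """Collect the AttributeStatement as attribute name -> list of values.
    Signature and Conditions checks belong before this step in a real SP."""
    attrs = {}
    for attr in ET.fromstring(assertion_xml).iter(f"{{{SAML}}}Attribute"):
        values = [v.text.strip() for v in attr.iter(f"{{{SAML}}}AttributeValue")
                  if v.text]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    return attrs

def provision_user(attrs: dict, group_to_role: dict) -> dict:
    """Apply the step 4 attribute names and the step 6 group-to-role map."""
    for name in ("email", "first_name", "last_name"):
        if not attrs.get(name):
            raise ValueError(f"assertion lacks required attribute {name}")
    unknown = set(group_to_role.values()) - WALLARM_ROLES
    if unknown:
        raise ValueError(f"mapping targets unknown roles: {sorted(unknown)}")
    # Groups without a mapping grant nothing; membership in several mapped
    # groups yields several roles.
    roles = sorted({group_to_role[g] for g in attrs.get("wallarm_roles", [])
                    if g in group_to_role})
    return {"email": attrs["email"][0], "first_name": attrs["first_name"][0],
            "last_name": attrs["last_name"][0], "roles": roles}

# Constructed assertion fragment (only the AttributeStatement is shown) and a
# hypothetical group-to-role mapping; group and user names are made up.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML}">
  <saml:AttributeStatement>
    <saml:Attribute Name="email"><saml:AttributeValue>jane@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="first_name"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="last_name"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="wallarm_roles">
      <saml:AttributeValue>appsec-analysts</saml:AttributeValue>
      <saml:AttributeValue>auditors</saml:AttributeValue>
      <saml:AttributeValue>everyone</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""
GROUP_TO_ROLE = {"wallarm-admins": "admin", "appsec-analysts": "analytic",
                 "auditors": "auditor"}
```

Running `provision_user(read_attributes(SAMPLE_ASSERTION), GROUP_TO_ROLE)` gives the user the `analytic` and `auditor` roles, while the unmapped `everyone` group contributes nothing.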
