EasySSO SAML with G Suite

Describes configuration necessary to integrate EasySSO with G Suite using SAML 

Unsupported Configurations

G Suite does not support Single Logout, so the following EasySSO configurations are not supported:

  • Logout Binding (Set the Logout Binding Type to disabled)
    • Sign SP Logout request
    • Sign SP Logout response
    • Verify Logout Request Signature
    • Verify Logout Response Signature

Google side

  1. Sign in into G suite admin portal, navigate to Apps > Web and mobile apps.
  2. Click "Add app" and select "Add custom SAML app" from the dropdown.
  3. Give your app a name (e.g. "EasySSO Jira") and continue. Optionally you can add a description and icon.
  4. We recommend downloading the metadata as the setup will involve fewer steps.

EasySSO side

The following steps are the bare minimum for setting up EasySSO with G Suite. For more complex setups look at EasySSO with SAML - Configuration after finishing this guide.

  1. On EasySSO inside the SAML section, go to the "Certificates" tab
  2. Next to "Load Metadata" select upload, upload the metadata downloaded from your G Suite app, generate an SP Signing Certificate, and press the save button at the bottom.
  3. On the "General" tab, you should see the "POST Binding URL" and the "Entity ID" have already been filled with the details from your G Suite app. 
  4. Check the "Sign SP Login Request" box.
  5. Below "Entity ID", "Your endpoint URL" corresponds with the "ACS URL" on your G Suite app. "Your entityID" corresponds with "Entity ID". Both should be copied to your G Suite app under "Service provider details".
    Both should be in the form https://<YOUR ATLASSIAN APPLICATION HOST>:<YOUR ATLASSIAN APPLICATION PORT>/<YOUR ATLASSIAN APPLICATION CONTEXT>/plugins/servlet/easysso/saml
    e.g. if you are running Jira on custom port 2990 and context /jira: https://testjira.mydomain.com:2990/jira/plugins/servlet/easysso/saml
    or if you running on the default HTTPS port 443 and no context: https://testjira.mydomain.com/plugins/servlet/easysso/saml
  6. Leave "Signed Response" unchecked.
  7. Leave "Name ID" as "Basic Information", "Primary Email".
  8. Leave "Name ID" Format as "UNSPECIFIED".
  9. Then click on "Continue".

Finish Google Side

  1. Add 4 mappings and fill them with the following:

    1. From the "Google directory attributes" drop-down list select "Primary Email" under "Basic Information" and enter "urn:oid:0.9.2342.19200300.100.1.3" in the corresponding "App attributes" text box.
    2. From the "Google directory attributes" drop-down list select "First Name" under "Basic Information" and enter "urn:oid:2.5.4.42" in the corresponding "App attributes" text box.
    3. From the "Google directory attributes" drop-down list select "Last Name" under "Basic Information" and enter "urn:oid:2.5.4.4" in the corresponding "App attributes" text box.
    4. From the "Google directory attributes" drop-down list select whatever you use for the user-id in Jira or Confluence, etc. Typically will be "Primary Email" again and enter "urn:oid:0.9.2342.19200300.100.1.1" in the corresponding "App attributes" text box.
  2. Click "Finish".
  3. Click User access to go to a menu that will let you enable the app for all users or select groups of users.

Configuring Users

For users to successfully log in, they must also have permission to access the application. See EasySSO SAML JIT User Provisioning for more details.


EasySSO articles

Try for free

EasySSO for Jira, Confluence, Bamboo, Bitbucket and Fisheye/Crucible

Try for free