The Tuakiri Hosted IdP runs a SAML Identity Provider (IdP) as a SAML proxy: it faces Tuakiri as an IdP and faces the upstream IdP as a Service Provider (SP).
A Tuakiri Hosted IdP instance therefore needs to be registered with the upstream IdP as a Service Provider, and it also needs the metadata of the upstream IdP.
This page documents the steps required to register a Tuakiri Hosted IdP instance as a Service Provider with Google Apps / GSuite.
These instructions are based on upstream documentation for registering a Custom SAML application and on experience actually following the instructions. However, the registration process changes over time, so please bear in mind that these instructions might become outdated.
Before starting the process, you will need the Entity ID and ACS URL of your Tuakiri Hosted IdP instance (with example.org replaced by your organisation's domain):
Entity ID (TEST): https://idp-test.example.org/idp/shibboleth
Entity ID (PROD): https://idp.example.org/idp/shibboleth
ACS URL (TEST): https://hosted-login.test.tuakiri.ac.nz/hosting/example.org/idp/profile/Authn/SAML2/POST/SSO
ACS URL (PROD): https://hosted-login.tuakiri.ac.nz/hosting/example.org/idp/profile/Authn/SAML2/POST/SSO
The GSuite admin console has a number of popular services preconfigured; however, to add the SP side of a Tuakiri Hosted IdP instance, we will be adding a Custom SAML application.
Please repeat this process twice, once each for the TEST and PROD registrations.
From the Admin console Home page, go to Apps and then Web and mobile apps.
Click Add App and then Add private SAML app (this may also be labelled Setup my own custom app); do not select an application from the list.
On the App Details page, enter:
You should be presented with a Google IdP Information screen. Please download the IdP metadata and click Continue (or Next).
On the Service Provider Details screen:
Enter the ACS URL and Entity ID as per above.
On the Attribute Mapping page, select all available information - this should at the very least include:
| SAML Attribute Name | Category | Source Attribute |
| --- | --- | --- |
| | Basic Information | Primary Email |
| givenName | Basic Information | First Name |
| surname | Basic Information | Last Name |
and, if desired, can also include e.g.:
| SAML Attribute Name | Category | Source Attribute |
| --- | --- | --- |
| phoneNumber | Contact Information | Phone Number |
| address | Contact Information | Address |
When the mapping is complete, click Finish.
You also need to enable the app for your users.
Once the registration is complete, confirm this to Tuakiri support and send through your IdP metadata, along with the other information required on the Tuakiri Hosted IdP page.