Variphy SAML with Google

Google Workspace offers a reliable, cloud-based SAML Identity Provider. This article covers the setup in both Google Workspace (the IdP) and Variphy (the Service Provider) to enable SAML authentication. You will need one browser tab pointing to your Variphy instance and another pointing to your Google Workspace Admin portal.

Variphy SAML Setup

  1. Login to Variphy as a System Administrator
  2. Browse to Settings > User Authentication > Single Sign-On
  3. Click Add > SAML
  4. Supply a config Name
  5. Uncheck ‘Strict’ Enforcement

Okta SAML Setup

This section shows where and how to set up your Variphy SAML application with the Google Identity Provider.

  1. Verify that you are logged into Google Workspace Admin Portal. If you are using the Developer Console, you need to switch over to the Admin Console. If you see < > Developer Console in the top left corner of your console, click it, then click Classic UI to switch.
  2. In the Admin Console, go to Apps > Overview.
  3. Click Web and mobile apps.
  4. On the new screen click Add App > Add custom SAML app.
  5. Supply an App name and an optional App icon (image)
  6. Click Continue.
Figure 1 – Google – Add Web SAML Application
Figure 2 – New SAML Application Name

1. IdP Metadata Info

Option 1 — Download IdP metadata.

Option 2 — Copy individual settings, supplied within the downloadable metadata file.

Figure 3 – Okta SAML General Settings

2. Service provider details

ACS URL — The location where the SAML assertion is sent with a POST operation. This URL is required and serves as the default ACS URL value for the Service Provider (SP). This URL is always used for IdP-initiated sign-on requests.

This should be in the format:
https://<Variphy FQDN or IP>:8443/insight/sso/saml/acs

Audience URI (SP Entity ID) — The intended audience of the SAML assertion. This is usually the Entity ID of your application.

*NOTE* This can be named anything you like, but it must be unique and must match the Entity ID configured in the Variphy Service Provider settings, which we will configure in just a minute.

Name ID format — The username format you are sending in the SAML Response. Consult the SP documentation to determine which format to use, but use the default (Unspecified) if the application does not explicitly specify a format.

Application username — The default value to use for the username with the application (Basic Information > Primary email).

Figure 4 – Google Service Provider SAML Settings
Figure 5 – Variphy’s SP SAML Settings

3. Attribute mapping

Attribute mapping lets you program the SAML response sent back to Variphy with the field-to-attribute mapping needed to log in to Variphy. Select Add Mapping.

Google Directory attributes – Select the Google attribute that you will want to bring into the SAML response. For this example we will use Primary email.

App attributes – Supply an attribute name that we will code into the Variphy SSO config. For this example we will type in the attribute email.

Click Finish.

Figure 6 – Okta Feedback

4. User Access to App

Click into your completed SAML application to allow users to access.

Select the User access section of the summary

To enable this application for everyone in the domain, click ON for everyone in the Service status box.

To enable this application for specific groups or Organizational Units, search for and select them on the left side of the screen.

Figure 6 – SAML App User Access
Figure 7 – Access ON for everyone or Select Org Groups

5. IdP Settings in Variphy Config

In a previous step we either selected Option 1 to download the IdP metadata or Option 2 to see the IdP Service URLs, Entity ID, and X.509 certificate. We now need that information to populate the SSO IdP config inside Variphy.

  1. Identity Provider Entity ID Single Sign-On URL – Copy this custom Okta URL to be used in Variphy SAML config
  2. Identity Provider Sign-On Service URL – Copy this value and provide it within the IdP’s Entity ID to be used in the Variphy SAML config
  3. x.509 Certificate – Copy into the IdP Settings section of the Variphy SAML config.
  4. Name Attribute – Previously we set up the attribute mapping in Google Workspace. Enter the attribute name you assigned there. In this example we used an attribute called email.
Figure 8 – Variphy IdP Setting to match Okta provided info
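
As an added example (not from Variphy or Google): a short script that reads a downloaded IdP metadata file, lists the Entity ID, sign-on URL and certificate fingerprint, and checks that a certificate pasted into the SP is the one the metadata lists. The metadata, URLs and certificate bytes below are constructed placeholders, and the function names are hypothetical.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed stand-in for a certificate body; not a real X.509 certificate.
SAMPLE_CERT_B64 = base64.b64encode(b"constructed-sample-not-a-real-certificate").decode()

# Constructed sample shaped like IdP metadata; IDs and URLs are placeholders.
SAMPLE_IDP_METADATA = f"""<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example.com/saml2?idpid=EXAMPLE">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data><ds:X509Certificate>{SAMPLE_CERT_B64}</ds:X509Certificate></ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.com/saml2/idp?idpid=EXAMPLE"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def cert_fingerprint(cert_text):
    """SHA-256 over the decoded bytes; accepts bare base64 or a PEM-wrapped paste."""
    body = "".join(ln.strip() for ln in cert_text.splitlines() if "-----" not in ln)
    der = base64.b64decode(body, validate=True)  # raises on a truncated or mangled paste
    return hashlib.sha256(der).hexdigest()


def read_idp_metadata(xml_text):
    """Pull the values the SP config needs out of IdP metadata."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor in metadata")
    # Key each sign-on URL by the short binding name, e.g. "HTTP-Redirect".
    sso = {el.get("Binding").rsplit(":", 1)[-1]: el.get("Location")
           for el in idp.findall("md:SingleSignOnService", NS)}
    certs = [el.text for el in idp.findall(".//ds:X509Certificate", NS)]
    return {"entity_id": root.get("entityID"), "sso_urls": sso,
            "cert_sha256": [cert_fingerprint(c) for c in certs]}


def pasted_cert_matches(xml_text, pasted_cert):
    """True if the certificate pasted into the SP is one the IdP metadata lists."""
    return cert_fingerprint(pasted_cert) in read_idp_metadata(xml_text)["cert_sha256"]
```

Comparing fingerprints rather than eyeballing the base64 catches a truncated or line-wrapped paste before SSO is activated.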

Click Create to save your Variphy SSO configuration.

On the next screen click Activate your SAML configuration.

Figure 9 – Activate SAML Config

Once activated, a prompt will appear asking you to set up SSO Bypass. This allows the currently signed-in ‘My Account’ to use a dedicated URL to log in locally in the event that SSO is non-functional. Click ‘Allow My Account to Bypass Single Sign-On’.

Figure 10 – Allow My Account to Bypass SSO

***Note*** The SSO Bypass URL is as follows:

https://<Server IP or Hostname>:8443/insight/login.jsp

Troubleshooting Tips

By-Pass Users

At the Variphy User or Variphy Group level, you can define local users/groups that should be able to bypass SSO with the above-mentioned link and sign in locally by selecting the ‘Allow Single Sign-On Bypass’ checkbox.

Figure 11 – Allow SSO Bypass on Variphy User/Group

Invalid redirect to ACS URL

If you get a white screen after authentication and the redirect back to the Variphy server, check the ACS URL supplied in Variphy’s metadata file. After saving your Variphy SSO config, you can edit it once more to retrieve the URL for downloading the metadata file.

Figure 12 – Metadata URL

When you copy that URL into a browser, it downloads the Variphy metadata file. In that file you can confirm the ACS URL that should be used in the Google SAML app settings.
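
The check described above, as an added example (not Variphy's own tooling): it parses a downloaded SP metadata file and compares its entityID and AssertionConsumerService location with the values typed into the Google SAML app. The sample metadata, the host variphy.example.com, the entity ID and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample standing in for the file downloaded from the Variphy metadata URL.
SAMPLE_SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="variphy-insight-example">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService index="0"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://variphy.example.com:8443/insight/sso/saml/acs"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def read_sp_metadata(xml_text):
    """Return (entity_id, [HTTP-POST ACS locations]) from SP metadata."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD}}}EntityDescriptor":
        raise ValueError("not a SAML EntityDescriptor")
    acs = [el.get("Location")
           for el in root.iter(f"{{{MD}}}AssertionConsumerService")
           if el.get("Binding") == POST_BINDING]
    return root.get("entityID"), acs


def compare_with_idp(xml_text, idp_acs_url, idp_entity_id):
    """List mismatches between SP metadata and what was typed into the IdP."""
    entity_id, acs_urls = read_sp_metadata(xml_text)
    problems = []
    if idp_entity_id != entity_id:  # exact, case-sensitive comparison
        problems.append(f"Entity ID: IdP has {idp_entity_id!r}, SP has {entity_id!r}")
    if idp_acs_url not in acs_urls:  # host, port and path must all match
        problems.append(f"ACS URL: IdP has {idp_acs_url!r}, SP has {acs_urls}")
    parts = urlsplit(idp_acs_url)
    if parts.scheme != "https":
        problems.append("ACS URL is not https")
    if parts.path != "/insight/sso/saml/acs":  # path from the format given in this article
        problems.append(f"unexpected ACS path {parts.path!r}")
    return problems


if __name__ == "__main__":
    # A dropped :8443 is reported as an ACS URL mismatch.
    for line in compare_with_idp(SAMPLE_SP_METADATA,
                                 "https://variphy.example.com/insight/sso/saml/acs",
                                 "variphy-insight-example") or ["no mismatches"]:
        print(line)
```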

Updated on August 18, 2021
