Protect Google Workspace with eID MFA
Authenticate to Google Workspace (including Education), using Swedish BankID as the authentication method.
Last updated
Authenticate to Google Workspace (including Education), using Swedish BankID as the authentication method.
Last updated
In this use case there is one scenario:
MFA authentication to Google Workspace. In this scenario you will login using your BankID. Integrity web will perform a lookup against Google to fetch the user object, using the identifier from the eID as key (in this scenario the social security number from the BankID eID). The primary email value will be taken from the user object and added to the token (SAML assertion) which will be passed back to Google for user verification.
Google Workspace is a set of tools for organizations provided by Google, such as mail, drive, classroom, education and more.
This scenario could easily be copied and modified to fulfill:
Using other eID methods to authenticate to Google Workspace, such as SITHS, EFOS, Freja, Norwegian ID-porten, Foreign eID (eIDAS), eduID, Suomi.fi.
FortifiedID Integrity Web current version installed
BankID certificate. To be able to communicate with bankid backend.
Google Workspace administration rights.
Host (DNS) name of the Integrity service (external access)
Social security number (personnummer) stored on a custom Google Workspace user object. The schema and attribute name holding the value is also required.
Outgoing TCP/443 communication. To be able to communicate with BankID backend and Google Workspace services.
Remember that this use case does not describe installation of the products. Products are expected to be installed in advance.
Download ZIP containing configuration for Web
Click USE_CASE_LINK to download customer folder for Web.
Add Integrity WEB configuration to your environment.
Rename the existing customer folder to customer_ORG. Add the customer folder to your \..\fortifiedid\web\ folder.
Setup the Google Workspace configuration using this guide.
The downloaded folders contains all information needed. For example, a test certificate and metadata files are included. However, some data needs to be changed to map your environment. Also the http ports might need to be changed if they are not available in your environment.
In this section we will look at parts of the configuration and add/replace data for your environment. In this use case we are using the globals concept which is using variables to easily replace data specific to an environment or if a value is used in many places just update it in one place.
Open the file customer/config/globals.json. Change according to the instructions below.
base_dir
base_dir is the top folder where data is located that you do not want to be overwritten by an upgrade. Update the base_dir folder to map your installation.
For Windows the value should be: "base_dir": "../customer"
For Docker, the value should be: "base_dir": ".",
host Set the host value to your Integrity Web DNS name entry, including https://.
http
Update the http information to map your environment. This is the port that Integrity Web will use to host the SAML IdP service. ! The recommendation is to always use SSL to encrypt the communication to Integrity Web.
keystore - https
Either you use the test certificate provided by us, if so you do not need to change anything. If you have a keystore then update the values below to point to your keystore.
Find in section: keystore
keystore - bankid
For connecting against BankID test environment, you don't need to do anything. For production connectivity, please use your BankID keystore and change the variables below to reflect that. Truststore changes will not be needed. Find in section: keystore
keystore - saml The keystore used to sign SAML assertions. For test environments, you may use the test certificate provided by us, if so you do not need to change anything. For production environments, you should use your own keystore and update the values below to point to that keystore.
Save the globals.json file.
Open customer/config/resources_internal/saml_sp_metadata_files/sp_google.xml
Replace YOUR_DOMAIN with your google domain. (Example: fortifiedid.se)
Save the file
Start the Integrity web service and verify the start by looking through the server.log file.
Open a web browser and browse to https://<integrity_web_host>/saml/metadata/integrity_idp_google
Open the downloaded file in a text editor
Copy these values:
SingleSignOnService->Location. (Sign-in page URL)
SingleLogoutService->Location. (Sign-out page URL)
Extract the certificate (public) from the keystore used for IdP token signing:
Get the keystore file pointed to in globals.json (keystore->saml->path)
Extract the certificate to a file using any tool of your choice (openSSL, keystore explorer, windows cert.mmc, keytool)
Follow these instructions -> Configure the SSO profile for your organization.
Add the Sign-in page URL fetched in previous step
Add the Sign-out page URL fetched in previous step
Upload the certificate fetched in previous step
Select to use a domain-specific issuer
Skip Change password URL
(This page instructs you how to apply the third party IdP to a subset of users or all users, depending on your setup and requirements).
Browse to https://mail.google.com and enter your email address, or browse to the domain-specific url https://mail.google.com/a/<your_domain>.
You should be redirected to the IdP
Authenticate with BankID
You should be redirected back to Google with a SAML assertion.
You should now be logged in to Google.
Check server.log file to find errors. Fix accordingly.
The config.json of Web can be found in the associated zip-file in this use case.
