Using Google as your Identity Provider (IdP)
- Updated On 02 Aug 2023
Setting up Federated Authentication with Google
- Log in to Google Admin with an admin account and go to Apps > SAML apps
- Create a new application and select SETUP MY OWN CUSTOM APP.
- The next screen (Step 2 of 5) will contain information about the Google IdP. Copy the SSO URL, Entity ID and download the certificate from Option 1, because you will need them later. Select Next.
- Fill in the Application Name and select Next.
- You'll now need to fill in the provider details:
- ACS URL and Entity ID: add a URL that points to the login endpoint of Mambu (for example https://TENANT_NAME.mambu.com/saml/login)
- Start URL: leave blank
- Name ID: select Basic Information and Primary Email
- Name ID Format: select EMAIL
- Select NEXT.
Google will ask you to set up attribute mapping, but you can skip this for now; attribute mapping is covered below, when adding users and assigning roles.
You can simply select FINISH and continue the setup in Mambu.
In Mambu, on the main menu go to Administration > Access > Federated Authentication, select the Enable Single Sign-On check box and make sure the Manual Settings option is selected as well.
- Enter the Name you would like to use for your IdP.
- Enter the Single Sign-On Endpoint; this is the SSO URL from the Google IdP.
- Enter the Certificate Fingerprint with the value printed by the following command:
openssl x509 -noout -fingerprint -sha256 -inform pem -in {/path/to/certificate-file.crt}
Do not forget to replace the placeholder above with the correct certificate name / path.
- Enter the Issuer ID; this is the Entity ID from the Google IdP.
- If an ACS URL is provided, it must match the ACS URL and Entity ID from the Google IdP (this is optional and might be a URL pointing to a reverse proxy in case a specific tenant uses a private Mambu environment).
- Select Test SSO Connection and enter the username and password of your Google account.
- In case of a successful setup, you can select Save Changes.
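The fingerprint entered in Mambu is the SHA-256 hash of the certificate's DER bytes, printed as colon-separated uppercase hex, which is exactly what the openssl command above prints after `sha256 Fingerprint=`. The following added example (not Mambu's or Google's own code) computes that value from a PEM file without openssl and compares it with a value typed into the Mambu form, tolerating the prefix, colons and case differences that commonly cause a mismatch. The certificate body is a constructed stand-in, not a real X.509 certificate, and the function names are this example's own:

```python
"""Added example (not Mambu's or Google's own code): compute the SHA-256
certificate fingerprint Mambu asks for from a PEM file, the way
`openssl x509 -noout -fingerprint -sha256` does (SHA-256 over the DER
bytes, printed as colon-separated uppercase hex), and compare it with a
fingerprint entered in the Mambu settings form."""
import base64
import hashlib
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S
)

# Constructed stand-in for the certificate downloaded from Google Admin.
# It is NOT a real X.509 certificate; the fingerprint depends only on the
# raw DER bytes, so any bytes are enough to exercise the code.
FAKE_DER = bytes(range(256))
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(FAKE_DER).decode("ascii")
    + "-----END CERTIFICATE-----\n"
)


def pem_to_der(pem_text: str) -> bytes:
    """Return the DER bytes of the first CERTIFICATE block in a PEM string."""
    match = PEM_BLOCK.search(pem_text)
    if match is None:
        raise ValueError("no CERTIFICATE block found in PEM input")
    body = "".join(match.group(1).split())  # drop line breaks and whitespace
    return base64.b64decode(body, validate=True)


def fingerprint(pem_text: str, algorithm: str = "sha256") -> str:
    """Fingerprint in openssl's format, e.g. 'AB:CD:...' (32 bytes for SHA-256)."""
    digest = hashlib.new(algorithm, pem_to_der(pem_text)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(fp: str) -> str:
    """Strip an 'sha256 Fingerprint=' prefix, colons, spaces and case so the
    openssl output can be compared with whatever was pasted into Mambu."""
    if "=" in fp:
        fp = fp.split("=", 1)[1]
    return re.sub(r"[^0-9a-f]", "", fp.lower())


def fingerprints_match(entered: str, pem_text: str, algorithm: str = "sha256") -> bool:
    """True when the entered value equals the certificate's fingerprint."""
    expected = normalize(fingerprint(pem_text, algorithm))
    full_length = 2 * hashlib.new(algorithm).digest_size
    return normalize(entered) == expected and len(expected) == full_length


if __name__ == "__main__":
    # Same shape as the openssl command's output line.
    print("sha256 Fingerprint=" + fingerprint(SAMPLE_PEM))
```

Run it against the real certificate by replacing `SAMPLE_PEM` with the contents of the downloaded .crt file; a mismatch at the Test SSO Connection step is most often a stale certificate (Google rotates IdP certificates) or a SHA-1 value pasted where the SHA-256 one is expected, which the length check above catches.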
Restrict access to only certain users
In case you want to limit Mambu access to specific users, you can use Google organizational units, as described in How the organizational structure works and Tailor service settings for different users.
- In Google, go to Manage organizational units and create a new item (such as "support") under your current one.
- Go to Users and change the organizational unit for the desired users.
- Select your app from SAML apps and select Edit Service.
- On the panel on the left hand side, select Settings for specific organizational units. For example, for "mambuqa.com" you can select OFF as Service status, whereas for "support" you can select ON.
- Under the Status, you should see something like "ON for some".
- Go to Mambu and try to log in with a user that belongs to the "support" organizational unit. The login should be successful.
- If you try to log in with a user that is not included in the "support" organizational unit, you should get a 403 error message.
Add and assign roles
- From the Directory > Users list, select Manage custom attributes.
- Add a custom attribute called RoleID.
- From the Users list, select a user and select the User information panel.
- For the RoleID custom attribute, select Edit and add a value. Even though multiple values can be configured, currently Mambu only uses the first one.
- Add a new attribute mapping for the RoleID custom attribute (in SAML Apps).
Branch Assignment
For each of your users, you must also define the branch they are assigned to in Google. For more information, see Managing Users under Federated Authentication - Branch assignment.
The following are the main steps to perform branch assignment using Google as your IdP:
- Create a custom attribute called BranchID.
- Associate the BranchID custom attribute to the BranchID app attribute.
- Edit each user in your IdP to add the BranchID custom attribute to their profile and fill out the ID of the branch they are assigned to.
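Once the RoleID and BranchID attribute mappings above are in place, Google sends them as SAML attributes alongside the email NameID. The following added example (not Mambu's own code) shows what the service provider side reads out of such an assertion: the Issuer, which must equal the Issuer ID configured in Mambu, the email-format NameID selected in the Google app settings, and only the first value of RoleID and BranchID, matching the note above that Mambu uses only the first RoleID value. The assertion, issuer and IDs are constructed placeholders and the signature element is omitted; signature verification is out of scope here and must succeed before any of these values are trusted.

```python
"""Added example (not Mambu's own code): read from a SAML assertion the
fields Mambu's federated login consumes after Google authenticates the
user: the Issuer (must equal the Issuer ID configured in Mambu), the
NameID in email format, and the RoleID / BranchID attributes mapped in
Google Admin, using only the FIRST value of each. Signature checking is
outside this snippet and must happen before any value here is trusted."""
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed sample: issuer, address and IDs are placeholders, and the
# <ds:Signature> element a real assertion carries is left out.
SAMPLE_ISSUER = "https://idp.example.com/ISSUER_ID_PLACEHOLDER"
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML}" ID="_constructed-1" Version="2.0">
  <saml:Issuer>{SAMPLE_ISSUER}</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="{EMAIL_FORMAT}">alice@example.com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="RoleID">
      <saml:AttributeValue>ROLE_A</saml:AttributeValue>
      <saml:AttributeValue>ROLE_B</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="BranchID">
      <saml:AttributeValue>BRANCH_1</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def first_attribute_value(root, name):
    """First <AttributeValue> of the attribute called `name`, or None."""
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == name:
            values = attr.findall("saml:AttributeValue", NS)
            if values and values[0].text:
                return values[0].text.strip()  # extra values are ignored
            return None
    return None


def parse_assertion(xml_text: str) -> dict:
    """Extract issuer, NameID (with its format) and the two mapped attributes."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAML}}}Assertion":
        raise ValueError("root element is not a SAML 2.0 Assertion")
    issuer = root.find("saml:Issuer", NS)
    name_id = root.find("saml:Subject/saml:NameID", NS)
    return {
        "issuer": issuer.text.strip() if issuer is not None and issuer.text else None,
        "name_id": name_id.text.strip() if name_id is not None and name_id.text else None,
        "name_id_format": name_id.get("Format") if name_id is not None else None,
        "role_id": first_attribute_value(root, "RoleID"),
        "branch_id": first_attribute_value(root, "BranchID"),
    }


def check_assertion(parsed: dict, expected_issuer: str) -> list:
    """Configuration problems visible in the parsed values; empty list means OK."""
    problems = []
    if parsed["issuer"] != expected_issuer:
        problems.append("issuer does not match the configured Issuer ID")
    if parsed["name_id_format"] != EMAIL_FORMAT or not parsed["name_id"]:
        problems.append("NameID is missing or not in email format")
    if parsed["role_id"] is None:
        problems.append("RoleID attribute missing")
    if parsed["branch_id"] is None:
        problems.append("BranchID attribute missing")
    return problems


if __name__ == "__main__":
    parsed = parse_assertion(SAMPLE_ASSERTION)
    print(parsed)
    print(check_assertion(parsed, SAMPLE_ISSUER))
```

The list returned by `check_assertion` mirrors the usual causes of a failed Test SSO Connection after the Google side is configured: an Issuer ID that does not match the Entity ID copied from Google, a Name ID Format other than EMAIL, or a user whose custom attributes were never filled in.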