20

I did setup my Google Apps for Work Unlimited account to act as SAML2 Identity Provider and register my web application as Service Provider (as explained in the links below). It works great, I can login into my app after login into google with a user. My problem now is that I need to grant that user access to resources based on its google role or group membership and cannot figure out how to send that membership information back to the service provider. It seems that I cannot use the Attribute Mapping function to map the "groups" user field. Anybody know if this is a Google Apps for Work Unlimited limitation>Should I be able to send the group membership in another way?. How?. I know role and group membership are totally different things. I just need a way to differentiate user privileges. Maybe you can think another way to differentiate them?. I need to know, for example, whether they are administrators or just users in Google Apps. How can i do that?

https://support.google.com/a/answer/6087519?hl=en

https://robinpowered.com/blog/how-to-set-up-saml-with-google-apps/

Claude
  • 8,806
  • 4
  • 41
  • 56
pabloelustondo
  • 2,196
  • 3
  • 19
  • 23

2 Answers2

3

I've been searching for this as well for a couple of days and all the references I found (ie: documentation for products that integrate with Google Apps SAML for SSO) state that is not supported by Google at this time and how everyone's also puzzled and frustrated about that.

The closest things I've found which are not ideal but work are to use some other field in the User definition, ie: Department as a role/group specification field that is enabled on the SAML configuration in Google Apps. Another alternative which seemed perhaps closer to what the real implementation of Groups in the SAML assertion would look like and it's actually referred as a solution "recommended by Google" (whatever that may mean) is to create a custom Schema and a custom Attribute you can populate for all of your users in the Google Apps directory which you can control as a multi-value list of "external" roles/groups they belong to in the externally facing system (so wouldn't be exactly what you're asking and what I need either, in case you strictly want the names of the Google Groups the user is in).

Anyways since you had no response on this thread or the forums I thought it was worth to point out all searched that brought people here and onto the other pages that reference this problem don't have a better solution than this unfortunately.

edit: Looks like yet another alternative, perhaps easier way to configure the same as the one mentioned above is to use "Custom Category" and associated "Custom Attributes".

tolache
  • 168
  • 1
  • 1
  • 12
Roberto Andrade
  • 1,793
  • 1
  • 21
  • 27
2

It appears that Google has finally introduced this feature, albeit in a Beta state.

https://support.google.com/a/answer/11143403?hl=en

thisdudeiknew
  • 65
  • 1
  • 8