Google Workspace setup

Edoardo edited this page Aug 18, 2021 · 3 revisions

Google Workspace - Munkireport SAML Configuration

In Google Workspace Admin

  1. Visit https://admin.google.com/ac/apps
  2. Click "Web and mobile apps"
  3. Click "Add App" --> "Add custom SAML app"
  4. Enter a name, e.g. "Munkireport" and click "Continue"
  5. Download the IdP Metadata, or make a note of the following values, which need to be added to your Munkireport server configuration:
    1. SSO URL (e.g. https://accounts.google.com/o/saml2/idp?idpid=C01abcdef)
    2. Entity ID (e.g. https://accounts.google.com/o/saml2?idpid=C01abcdef)
    3. Certificate
  6. Click "Continue"
  7. Enter the ACS URL for your Munkireport instance (e.g. https://munkireport.domain.com/auth/saml/acs)
  8. Enter the Entity ID for your Munkireport instance (e.g. https://munkireport.domain.com/auth/saml/metadata)
  9. Change the "Name ID format" to EMAIL
  10. You can leave all other settings the same and click "Continue"
  11. Click "Add Mapping" and add the following:
    1. User Mapping attribute which can be used when allowing specific users:
      1. Field: "Basic Information" --> "Primary email"
      2. App attributes: Enter "email"
    2. (Optional) Group Mapping attribute which can be used when allowing specific groups of users:
      1. Field: This will be dependent on your needs and Google setup. You could map a custom attribute, or something like "Employee Details" --> "Department" if you were scoping access based on a Department
      2. App attributes: This will again be dependent on the field you chose above. It should logically map to the attribute chosen. For something like the "Department" field, you can name this "department"
  12. Click "Finish"

In your config file

In your Munkireport .env file add:

AUTH_METHODS=SAML
AUTH_SAML_SP_NAME_ID_FORMAT=urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
AUTH_SAML_IDP_ENTITY_ID=<Entity ID from your Google SAML app>
AUTH_SAML_IDP_SSO_URL=<SSO URL from your Google SAML app>
AUTH_SAML_IDP_SLO_URL=https://accounts.google.com/logout # this value is the same for all Google SAML apps
AUTH_SAML_IDP_X509CERT=<YOUR CERTIFICATE>
AUTH_SAML_USER_ATTR=email
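
An added example (not part of the Munkireport wiki or project code): a Python script that reads the IdP metadata file downloaded in step 5 and produces the three IdP-specific .env lines, so the Entity ID, SSO URL and certificate are copied rather than retyped. The metadata sample is constructed, the function name idp_env_lines is hypothetical, and choosing the HTTP-Redirect endpoint and writing the certificate as a single-line base64 body are assumptions.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed sample shaped like the IdP metadata file from step 5; the
# idpid is the page's example value and the certificate is a placeholder.
SAMPLE_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://accounts.google.com/o/saml2?idpid=C01abcdef">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:X509Data>
        <ds:X509Certificate>Q09OU1RS
VUNURUQ=</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://accounts.google.com/o/saml2/idp?idpid=C01abcdef"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def idp_env_lines(metadata_xml):
    """Return the three IdP-specific .env lines from SAML IdP metadata."""
    # IdP metadata never needs a DTD; refuse one instead of expanding entities.
    if "<!DOCTYPE" in metadata_xml or "<!ENTITY" in metadata_xml:
        raise ValueError("metadata must not contain a DTD")
    root = ET.fromstring(metadata_xml.encode("utf-8"))
    # Assumption: the HTTP-Redirect endpoint is the SSO URL to configure.
    sso = [s.get("Location")
           for s in root.findall("md:IDPSSODescriptor/md:SingleSignOnService", NS)
           if s.get("Binding") == REDIRECT]
    # A KeyDescriptor without "use" is valid for signing as well.
    certs = [c.text for k in root.findall("md:IDPSSODescriptor/md:KeyDescriptor", NS)
             if k.get("use") in (None, "signing")
             for c in k.iterfind(".//ds:X509Certificate", NS)]
    if len(sso) != 1 or len(certs) != 1:
        raise ValueError("expected exactly one redirect SSO URL and one signing cert")
    cert = "".join(certs[0].split())          # collapse to a single line
    base64.b64decode(cert, validate=True)     # raises if not clean base64
    entity_id = root.get("entityID", "")
    for url in (entity_id, sso[0]):
        if not url.startswith("https://"):
            raise ValueError("IdP URL is not https: %r" % url)
    return ["AUTH_SAML_IDP_ENTITY_ID=" + entity_id,
            "AUTH_SAML_IDP_SSO_URL=" + sso[0],
            "AUTH_SAML_IDP_X509CERT=" + cert]

if __name__ == "__main__":
    print("\n".join(idp_env_lines(SAMPLE_METADATA)))
```

To use it on the real download, pass the contents of the metadata file to idp_env_lines instead of SAMPLE_METADATA.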