Configure SSO for Admin Console using Google Workspace as Identity Provider
The NirvaShare Admin Console comes with a built-in user store that supports multiple admin users. It can also be configured to use external identity providers such as Google Workspace, Active Directory, etc. In this document, we configure the Admin Console to use Google Workspace as the identity provider, so that Google users can log in to the Admin Console using SAML 2.0.
As prerequisites, you will need the following:
- NirvaShare is installed either in the cloud or on premises. You can install it directly from AWS Marketplace or follow a Manual Installation.
- The Storage and User Application URL are configured. For details check HERE
- A proper domain name and SSL certificate are configured for the Admin Console.
- You have access to your Google Workspace as a console administrator.
Google Workspace Configuration
- Log in to the Google Workspace admin console at https://admin.google.com
- Click on Apps > Web and mobile apps in the left menu.
- Click on Add custom SAML app
- In the app configuration window, provide an app name, for example NirvaShare-AdminConsole
- (Optional) For the app icon, upload an image for NirvaShare
- Click on CONTINUE
- Once again click on CONTINUE
- This will open the screen for Service provider details
- For ACS URL enter https://<your domain>/saml/0/acs
- For Entity Id enter https://<your domain>/saml/0/metadata
For example, https://admin.yourcompany.com/saml/0/acs and https://admin.yourcompany.com/saml/0/metadata
- Click on CONTINUE
- In the next screen, click on FINISH
- On the User Access page, make sure to give users access to the application.
- Select ON for everyone if you want to give access to all users in the Google Workspace account.
- For selective user access, use a group or organizational unit instead of ON for everyone. In that case, create a group or organizational unit and assign to it only those users who require access to the app.
- On the User Access page, click on DOWNLOAD METADATA
- Save this metadata file to your local file system. Its content is required later when configuring the NirvaShare Admin Console.
- Log in to the NirvaShare Admin Console and click on the Users & Roles tab.
- Edit the existing Default Role
- In the Access Settings, select the Full Access checkbox and click UPDATE. You can change the access for default logins later.
- SSH to the Linux terminal where NirvaShare is installed and create a file with the below path and filename. Make sure you log in as the root user.
- Add the following entries in to the file.
ns_external_idp=true
ns_auto_create_user=true
ns_saml2_sp_company_name=<Your company name>
ns_saml2_sp_email=<your contact email id>
ns_saml2_sp_domain_url=https://<adminconsole domain name>
- Make sure you replace the placeholders with proper values for each attribute.
- Save the config.properties.
- Copy the IdP metadata file obtained in the earlier section into the same folder, with the filename idp-metadata.xml.
- Restart the Admin Console service using the below command
docker restart nirvashare_admin
Now open the Admin Console at https://<your domain name>. This will redirect to Google Workspace and perform SSO for authentication.
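Before restarting the service, the two files can be sanity-checked. The following is an added example, not NirvaShare code: it flags unreplaced placeholders and a non-HTTPS ns_saml2_sp_domain_url, derives the ACS URL and Entity ID to compare with what was entered in Google, and returns the SHA-256 fingerprint of the IdP signing certificate for comparison with the one shown in the Google Workspace admin console. The function name and sample values are constructed, and it assumes the ACS URL and Entity ID use the same host as ns_saml2_sp_domain_url.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
DS = "{http://www.w3.org/2000/09/xmldsig#}"

def check_sso_files(properties_text, metadata_xml):
    """Return (problems, info) for config.properties text and IdP metadata XML."""
    lines = [ln for ln in properties_text.splitlines() if "=" in ln and ln.lstrip()[:1] != "#"]
    props = {k.strip(): v.strip() for k, v in (ln.split("=", 1) for ln in lines)}
    # Every <...> placeholder from the page's template must have been replaced.
    problems = [f"{k}: placeholder or empty value"
                for k, v in props.items() if "<" in v or not v]
    info = {"cert_sha256": []}
    url = urlparse(props.get("ns_saml2_sp_domain_url", ""))
    if url.scheme != "https" or not url.hostname:
        problems.append("ns_saml2_sp_domain_url: must be an https:// URL")
    else:  # assumed to match the Service provider details entered in Google
        info["acs_url"] = f"https://{url.netloc}/saml/0/acs"
        info["entity_id"] = f"https://{url.netloc}/saml/0/metadata"
    root = ET.fromstring(metadata_xml)
    idp = root.find(MD + "IDPSSODescriptor")
    if root.tag != MD + "EntityDescriptor" or idp is None:
        return problems + ["idp-metadata.xml: no SAML 2.0 IDPSSODescriptor"], info
    info["idp_entity_id"] = root.get("entityID")
    for kd in idp.findall(MD + "KeyDescriptor"):
        if kd.get("use", "signing") == "signing":  # no 'use' attribute covers signing too
            for cert in kd.iter(DS + "X509Certificate"):
                der = base64.b64decode(cert.text or "")  # whitespace is discarded
                info["cert_sha256"].append(hashlib.sha256(der).hexdigest())
    if not info["cert_sha256"]:
        problems.append("idp-metadata.xml: no signing certificate")
    for sso in idp.findall(MD + "SingleSignOnService"):
        if not sso.get("Location", "").startswith("https://"):
            problems.append(f"idp-metadata.xml: non-HTTPS SSO endpoint {sso.get('Location')}")
    return problems, info

# Constructed sample input: not a real certificate or Google tenant.
SAMPLE_PROPS = ("ns_external_idp=true\nns_saml2_sp_email=<your contact email id>\n"
                "ns_saml2_sp_domain_url=https://admin.yourcompany.com\n")
SAMPLE_CERT = base64.b64encode(b"constructed certificate bytes").decode()
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD[1:-1]}" xmlns:ds="{DS[1:-1]}"
  entityID="https://idp.example.test/saml2?idpid=CONSTRUCTED"><md:IDPSSODescriptor>
 <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
  {SAMPLE_CERT}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
 <md:SingleSignOnService Location="https://idp.example.test/saml2/idp?idpid=CONSTRUCTED"/>
</md:IDPSSODescriptor></md:EntityDescriptor>"""
```

Call check_sso_files with the text of config.properties and idp-metadata.xml read on the server; an empty problems list and a matching fingerprint mean the files agree with what was configured in Google.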