GOOGLE PORTAL:
Create Google SAML App
Apps > Web and Mobile Apps > Add App > Add Custom SAML App:
Copy and save the following items:
- Entity ID
- SSO URL
- Certificate
Do not close the current browser tab with the Google Admin Console.
MIST DASHBOARD
Navigate to Organization > Settings > Single Sign-On > Add IdP
Paste the previously copied Entity ID, Certificate and SSO URL as outlined in the screenshot below:
Copy the ACS URL and click Save:
BACK TO GOOGLE ADMIN CONSOLE
Paste the ACS URL into both the ACS URL and Entity ID fields, check Signed Response and set the Name ID format to EMAIL, then click Continue:
In the next step, enable sending the FirstName and LastName attributes as follows. Also add the group attribute: you can select any groups in the Google directory that are allowed access to the Mist dashboard and send them as the Role attribute. You can then determine what level of access to grant to each selected group. In our test scenario we only send Role if a user is part of the “IT superusers” group.
Once you click Finish in the above step, navigate to the User Access section and assign this App to the desired groups of users:
Find the desired groups on the left-hand side, set the service status to ON and then click Save:
BACK TO MIST DASHBOARD
Under Org Settings, create an SSO Role to match the Roles that will be sent back from Google. In our example we only have one Role – “IT superusers”.
VERIFICATION
IDP Initiated Login
To perform an IDP initiated login, open Google apps in the top right corner of the screen and select the Mist Cloud Admin SSO app from the list:
SP Initiated Login
To perform an SP initiated login, navigate to the Mist dashboard at https://manage.mist.com and log in using your Google credentials.
Note: Each Google user will have to use IDP Initiated login at least once in order for SP initiated login to work.
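When a test login fails, the quickest check is whether the SAMLResponse Google posts to the ACS URL actually carries what was configured above: a signed response, the EMAIL Name ID format, and the FirstName, LastName and Role attributes. The following Python sketch is an added example, not part of the original guide and not Mist or Google code; the ACS URL, user and names in the sample are constructed placeholders, and it is meant for a response copied from your own browser session.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
SAMPLE_ACS = "https://sp.example.com/saml/acs"  # placeholder, not a real Mist ACS URL

def check_saml_response(b64_response, expected_acs_url):
    """Return mismatches between a base64 SAMLResponse and the setup above."""
    root = ET.fromstring(base64.b64decode(b64_response))
    problems = []
    # "Signed Response" puts ds:Signature directly under samlp:Response.
    # Presence check only; the signature itself is not validated here.
    if root.find("ds:Signature", NS) is None:
        problems.append("Response is not signed")
    if root.get("Destination") != expected_acs_url:
        problems.append("Destination does not match the ACS URL")
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != EMAIL_FORMAT:
        problems.append("NameID format is not EMAIL")
    sent = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text for v in attr.findall("saml:AttributeValue", NS) if v.text]
        sent[attr.get("Name")] = values
    for name in ("FirstName", "LastName", "Role"):
        if not sent.get(name):
            problems.append(f"Attribute {name} missing or empty")
    return problems

def build_sample(role="IT superusers", signed=True):
    """Constructed sample response with placeholder values, not captured traffic."""
    def attr(name, value):
        return (f'<saml:Attribute Name="{name}"><saml:AttributeValue>{value}'
                '</saml:AttributeValue></saml:Attribute>')
    sig = f'<ds:Signature xmlns:ds="{NS["ds"]}"/>' if signed else ""
    xml = (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
           f'Destination="{SAMPLE_ACS}">{sig}<saml:Assertion><saml:Subject>'
           f'<saml:NameID Format="{EMAIL_FORMAT}">user@example.com</saml:NameID>'
           '</saml:Subject><saml:AttributeStatement>'
           + attr("FirstName", "Ada") + attr("LastName", "Doe")
           + (attr("Role", role) if role else "")
           + '</saml:AttributeStatement></saml:Assertion></samlp:Response>')
    return base64.b64encode(xml.encode())

if __name__ == "__main__":
    print(check_saml_response(build_sample(), SAMPLE_ACS))           # group member
    print(check_saml_response(build_sample(role=None), SAMPLE_ACS))  # not in the group
```

The second call models a user outside the “IT superusers” group: Google sends no Role attribute, so there is nothing for the SSO Role created in Mist to match.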