Using Google Apps for Work for AtomSphere SSO

Blog Post created by jay_mandl1.44301312161825E12 Employee on Sep 26, 2016

If you want to use Google Apps for Work to control end user access to the AtomSphere platform via single sign-on (SSO), this post will cover setting up AtomSphere as the Service Provider (SP) using Google Apps as the Identity Provider (IdP) and configuring a service provider initiated login. As a primer to this post, it may be a good idea to get familiar with the basics of single sign-on (SSO) and the methods AtomSphere uses to enable this (Single sign-on with SAML).


 To set up SSO between AtomSphere and any IdP, your AtomSphere account must have the Advanced User Security feature. This is currently offered with the Enterprise or Enterprise Plus editions and as an add-on to the Professional and Professional Plus Editions. You will also need a Google Apps for Work instance set up with a registered domain, and Superuser privileges to complete the instructions below.

 

To start, log into your AtomSphere Account with Administrator privileges and go to Account menu > Setup > SSO Options.

 

Check the box to "Enable SAML Single Sign-On" to bring up the following screen:

 

Screen capture of Boomi SSO Setup

 

Copy the "AtomSphere Login URL" and paste it to a notepad for later use. Leave this screen open and open a new browser tab.

 

Google SAML App Setup

In that new browser tab, log into Google Apps for Work with administrative (Super User) privileges. At the home screen, go to “Apps”, then click on “SAML Apps”. If this is your first SAML app, click on “Add a Service/App to your domain”. If you have apps already configured, click on the Plus icon at the bottom right to add a new App.

 

This will bring up the SAML App wizard.

 

Step 1. Enable SSO for SAML Application

         Click on “SETUP MY OWN CUSTOM APP” at the bottom of the dialog box.

 

Google IdP Setup Step 1

 

Step 2. Google IdP Information

         Under "Option 1", copy the "SSO URL" and paste it to notepad, also download the certificate for later use.

         Click Next

 

Google IdP Setup Step 2

 

Step 3. Basic Information for your Custom App

         In the "Application Name" section, choose a unique name - "Boomi" for example.

         Click Next

 

Google IdP Setup Step 3

 

Step 4. Service Provider Details

         In both the "ACS URL" and "Entity ID" fields, paste the "AtomSphere Login URL" that you obtained from AtomSphere.

         Click Next

 

Google IdP Setup Step 4

 

 

Step 5. Attribute Mapping

         No mappings are necessary.

         Click Finish

 

That will bring up a confirmation message and a reminder to go back to Boomi to finish with the SSO setup.

 

The following screen will now display your SAML App named "boomi". You may notice that the default state of this SSO app is "Off". Click on the three dots (Google Menu) to enable it for all users or individually selected organizations.

 

Google IdP Setup Step 5

 

Setting up the IdP with Google is now complete, but we're not finished yet.

 

AtomSphere Service Provider Setup

Go back to the AtomSphere browser tab to finish configuring AtomSphere as the Service Provider.

 

Step 1.  Locate the .pem file that we downloaded from Google in Step 2 of the "Google SAML App Setup" section above. It should be called something like "GoogleIDPCertificate-{domainName}.com.pem". Rename that file's extension from ".pem" to ".cer". (GoogleIDPCertificate-{domainName}.com.cer). Click Import, then Choose File and navigate to the "GoogleIDPCertificate-{domainName}.com.cer" certificate. Select that file then click Finish. You should now see some information on the SSO setup screen detailing the certificate if successfully imported.

 

Step 2.  In your notepad session, find the "SSO URL" from Google in Step 2 of the "Google SAML App Setup" section above and paste it into the "Identity Provider Login URL" field.

 

Step 3. Click the button next to "Federation ID is in NameID element of the Subject".

 

Step 4. Click Save.

 

Screen capture of Boomi SSO Setup

 

AtomSphere User Provisioning and Setup

SSO only handles the login and the user session. Each user must be added to the AtomSphere account before they can log in. Creating an SSO-enabled (federated) user is the same as creating a regular user, with one additional field: the Federation ID.

 

Within Setup, go to User Management and click "+" to add a new user. Fill out the following fields:

  1. Email Address - This must correspond to a user in your Google Apps for Work domain
  2. First and Last Names
  3. Federation ID - In this setup the Federation ID and the Email Address are the same
  4. Role - Remember that users with the Administrator role can still log in directly without SSO
  5. Click OK

 

Screen capture of Boomi SSO Setup
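The configuration steps above map directly onto the SAML messages exchanged at login: the "AtomSphere Login URL" pasted into both ACS URL and Entity ID is what the Destination and Audience of Google's SAML Response must match, and the Federation ID entered for each user is what the NameID in the Subject must match. The following Python is an added example, not code from the original post, Boomi or Google. It walks a service-provider-initiated login end to end on constructed data: building the AuthnRequest for the redirect to the IdP, then the checks a service provider applies to the returned Response before mapping the NameID to a provisioned user. The endpoint URLs, the user table and the clock are placeholders; the Response is constructed and unsigned, and XML signature verification against the imported Google certificate (which a real SP performs before any of these checks) is out of scope because the standard library has no XMLDSig support.

```python
import base64
import uuid
import zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed placeholders, not real endpoints: the "AtomSphere Login URL" (used for both
# ACS URL and Entity ID in Google Step 4) and the Google "SSO URL" from Google Step 2.
ATOMSPHERE_LOGIN_URL = "https://sp.example.test/atomsphere-login"
GOOGLE_SSO_URL = "https://idp.example.test/saml2/sso"

# Constructed user table mirroring the User Management step: the Federation ID is the
# user's Google email address and is what the SP matches against the NameID.
PROVISIONED_USERS = {"alice@example.test": {"name": "Alice Example", "role": "Standard User"}}
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
TS = "%Y-%m-%dT%H:%M:%SZ"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"


def build_redirect_url(sp_entity_id, acs_url, idp_sso_url, request_id=""):
    """SP-initiated login: AuthnRequest encoded for the HTTP-Redirect binding (raw DEFLATE,
    base64, URL-encoded as SAMLRequest). The SP stores request_id to match InResponseTo."""
    request_id = request_id or "_" + uuid.uuid4().hex  # unpredictable, one per login attempt
    authn_request = (
        f'<samlp:AuthnRequest xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" ID="{request_id}" '
        f'Version="2.0" IssueInstant="{datetime.now(timezone.utc).strftime(TS)}" '
        f'Destination="{idp_sso_url}" AssertionConsumerServiceURL="{acs_url}">'
        f"<saml:Issuer>{sp_entity_id}</saml:Issuer></samlp:AuthnRequest>"
    )
    deflater = zlib.compressobj(9, zlib.DEFLATED, -15)  # wbits -15: raw DEFLATE, no zlib header
    raw = deflater.compress(authn_request.encode("utf-8")) + deflater.flush()
    return idp_sso_url + "?" + urlencode({"SAMLRequest": base64.b64encode(raw).decode("ascii")})


def decode_redirect_request(url):
    """What the IdP does on receipt: reverse the redirect-binding encoding."""
    raw = base64.b64decode(parse_qs(urlparse(url).query)["SAMLRequest"][0])
    return zlib.decompress(raw, -15).decode("utf-8")


def build_sample_response(request_id, acs_url, entity_id, name_id, now):
    """Constructed, unsigned Response shaped like what an IdP posts to the ACS URL (test data only)."""
    not_before = (now - timedelta(minutes=1)).strftime(TS)
    not_on_or_after = (now + timedelta(minutes=5)).strftime(TS)
    return (
        f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" ID="_resp1" Version="2.0" '
        f'IssueInstant="{now.strftime(TS)}" Destination="{acs_url}" InResponseTo="{request_id}">'
        f'<samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>'
        f'<saml:Assertion ID="_a1" Version="2.0" IssueInstant="{now.strftime(TS)}">'
        f"<saml:Subject><saml:NameID>{name_id}</saml:NameID></saml:Subject>"
        f'<saml:Conditions NotBefore="{not_before}" NotOnOrAfter="{not_on_or_after}">'
        f"<saml:AudienceRestriction><saml:Audience>{entity_id}</saml:Audience>"
        "</saml:AudienceRestriction></saml:Conditions></saml:Assertion></samlp:Response>"
    )


def validate_response(response_xml, expected_acs_url, expected_entity_id, expected_request_id, now):
    """Checks the SP applies AFTER verifying the XML signature against the imported Google
    certificate; signature verification (XMLDSig) is not in the standard library and is omitted here."""
    root = ET.fromstring(response_xml)
    if root.get("Destination") != expected_acs_url:
        raise ValueError("Destination does not match the configured ACS URL")
    if root.get("InResponseTo") != expected_request_id:
        raise ValueError("response does not answer an AuthnRequest this SP issued")
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        raise ValueError("IdP did not report success")
    assertion = root.find("saml:Assertion", NS)
    conditions = assertion.find("saml:Conditions", NS)
    not_before = datetime.strptime(conditions.get("NotBefore"), TS).replace(tzinfo=timezone.utc)
    not_on_or_after = datetime.strptime(conditions.get("NotOnOrAfter"), TS).replace(tzinfo=timezone.utc)
    if not (not_before <= now < not_on_or_after):
        raise ValueError("assertion is outside its validity window")
    audience = conditions.find("saml:AudienceRestriction/saml:Audience", NS)
    if audience is None or audience.text != expected_entity_id:
        raise ValueError("Audience does not match the configured Entity ID")
    federation_id = assertion.find("saml:Subject/saml:NameID", NS).text.strip()
    user = PROVISIONED_USERS.get(federation_id)  # Federation ID lookup from the User Management step
    if user is None:
        raise PermissionError(f"Federation ID {federation_id!r} is not provisioned in this account")
    return {"federation_id": federation_id, **user}


def run_demo():
    """End-to-end walk-through on constructed data; returns the observed outcomes."""
    now = datetime(2016, 9, 26, 12, 0, tzinfo=timezone.utc)  # constructed clock
    sp, rid = ATOMSPHERE_LOGIN_URL, "_req1"

    def outcome(xml, clock):  # the accepted user, or the name of the refusal
        try:
            return validate_response(xml, sp, sp, rid, clock)
        except (ValueError, PermissionError) as exc:
            return type(exc).__name__

    good = build_sample_response(rid, sp, sp, "alice@example.test", now)
    return {
        "request_round_trips": f'ID="{rid}"' in decode_redirect_request(build_redirect_url(sp, sp, GOOGLE_SSO_URL, rid)),
        "user": outcome(good, now),
        "wrong_audience": outcome(build_sample_response(rid, sp, "https://other.example.test", "alice@example.test", now), now),
        "unprovisioned": outcome(build_sample_response(rid, sp, sp, "mallory@example.test", now), now),
        "expired": outcome(good, now + timedelta(minutes=10)),
    }
```

Calling run_demo() returns the accepted login for the provisioned user alongside three refusals: a Response whose Audience is some other Entity ID, a NameID that has no matching Federation ID in the account, and an assertion presented after its NotOnOrAfter time. The Destination and Audience checks are why the same AtomSphere Login URL is entered in both Google fields: an assertion minted for a different service provider, or a different AtomSphere account, fails them even when it carries a valid signature.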

 

 

Testing and Validation

To test this, it is recommended that you use a new browser. Alternatively, open a new incognito window or create and use a new profile in Chrome, so that you start a brand new session rather than the one you have already established.

 

The URL to test the SSO configuration would be something like this:

 

https://platform.boomi.com/AtomSphere.html#build;accountId=dellboomijay-123XYZ

 

Replace "dellboomijay-123XYZ" in the URL example above with your AtomSphere Account ID. That should redirect you to the Google login page. Enter your Google credentials here:

 

Google Redirect

 

It will now log you into AtomSphere with your Google credentials.

 

Considerations

  • If you attempt to log into Boomi using the standard URL (https://platform.boomi.com) with a user that has been configured with SSO, it will not allow you to log in and you will receive a message stating that the user must use SSO to log in.
  • As mentioned above, Administrator users are not restricted to SSO and can log in directly at https://platform.boomi.com using their AtomSphere credentials.
  • If the user is using Google Chrome and is already signed in to Google, the login happens automatically and the user does not have to log in again.
  • A user configured with SSO in one AtomSphere account cannot be added to another AtomSphere account and use the same Google credentials to access or switch between accounts. If this configuration is needed, a new SAML App must be created in Google, the second AtomSphere account must be configured for SSO, and the user must be set up with a different Federation ID; essentially, follow these instructions from the top using the new account's URL.
