In this tutorial we'll configure a SAML application in Google to allow users in your G Suite account to authenticate (and provision) into your FireHydrant organization.
You'll need to have access to configuring SAML applications in your Google Admin panel. You'll also need the role of "Owner" on FireHydrant to enable SSO for your account.
Creating the SAML Application
Head to the SAML Apps portion of the Google Admin panel. Once here, click the yellow "+" sign in the bottom left.
After clicking that, a dialog appears listing the applications Google already knows about. FireHydrant is not in that list yet, so to enable SSO it has to be added as a custom application: click the "Setup My Own Custom App" button.
Google will then display a wizard to set up the SAML application that authenticates to FireHydrant. Open a new tab in your browser and go to FireHydrant's SSO page: https://app.firehydrant.io/organizations/sso/settings/edit
Click the "Enable SSO" checkbox; this reveals 3 additional fields for the SAML configuration, which we'll fill in with values taken from the Google tab.
Back on the Google tab, you should see an SSO URL and an Entity ID. Copy the SSO URL into the "Login URL" field in FireHydrant, then copy Google's "Entity ID" into the "IdP Issuer" field in FireHydrant.
After you've copied these 2 fields into FireHydrant, download the certificate that Google has generated and open the file in a text editor. Copy the entire contents of the certificate and paste it into FireHydrant's "IdP X509 Certificate" field.
You can see from here that we've also added a domain for "firehydrant.io". This enables a helpful message when people attempt to log in with an email / password combination after SSO has been enabled for your organization.
Go ahead and click "Save" on FireHydrant.
Back on Google, continue to the 3rd step. For the application name you can use "FireHydrant" (this is what users will see in their dashboard of Google when logging in). You can also type in "Super awesome incident response software", your prerogative. 😃
On the next screen, you'll be asked where Google should send users when they authenticate and what information to include.
For the "ACS URL" field, enter https://app.firehydrant.io/sso/saml/consume. You can use this same value for the Entity ID field as well.
Check off "Signed Response".
Make sure "Primary Email" is selected for the Name ID section; this is how we'll automatically create accounts for new users or log existing users into FireHydrant.
For the Name ID Format field, select "Email".
On the last step of the setup, you'll be asked for any attribute mappings you'd like to include when users are sent to FireHydrant. These are optional, but we recommend setting the first and last name attributes so when users are provisioned their names are automatically set correctly in FireHydrant.
Click "Finish" 🎉
After you've added the application, you'll need to enable it and grant the appropriate users in your Google account access to FireHydrant. After you've done that, you'll have SSO enabled for your organization!
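To see how the values entered above fit together on the receiving side, here is an added example (not FireHydrant's or Google's code) that checks a SAML Response against this tutorial's settings: the Destination must be the ACS URL, the Issuer must equal the IdP Issuer, the Audience must equal the SP Entity ID, the NameID must be an email address, the assertion must be inside its validity window, and a Signature element must be present. The IdP Issuer value is a placeholder for the Entity ID Google shows you, and the sample response is constructed, not captured from Google.

```python
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion", "ds": "http://www.w3.org/2000/09/xmldsig#"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"  # what Google's "Email" maps to
ACS_URL = "https://app.firehydrant.io/sso/saml/consume"          # ACS URL from the tutorial
SP_ENTITY_ID = ACS_URL                                            # same value, as the tutorial says
IDP_ISSUER = "https://accounts.google.com/o/saml2?idpid=PLACEHOLDER"  # placeholder for Google's Entity ID

def _ts(value):
    """Parse a SAML UTC timestamp such as 2024-01-01T00:00:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def check_response(xml_text, now_utc):
    """Return the mismatches between a SAML Response and the tutorial's settings ([] = consistent).
    Signature *presence* only; cryptographic verification against the IdP X509 cert needs xmlsec."""
    problems, now = [], _ts(now_utc)
    root = ET.fromstring(xml_text)
    if root.get("Destination") != ACS_URL:
        problems.append("Destination != ACS URL")
    if root.findtext("saml:Issuer", namespaces=NS) != IDP_ISSUER:
        problems.append("Issuer != IdP Issuer")
    if root.find("ds:Signature", NS) is None:
        problems.append("Response not signed (is 'Signed Response' checked?)")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return problems + ["no Assertion"]
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != EMAIL_FORMAT or "@" not in (name_id.text or ""):
        problems.append("NameID is not an email (Name ID must be Primary Email, format Email)")
    cond = assertion.find("saml:Conditions", NS)
    nb, na = (cond.get("NotBefore"), cond.get("NotOnOrAfter")) if cond is not None else (None, None)
    if not (nb and na and _ts(nb) <= now < _ts(na)):
        problems.append("assertion missing or outside its validity window")
    if cond is None or cond.findtext("saml:AudienceRestriction/saml:Audience", namespaces=NS) != SP_ENTITY_ID:
        problems.append("Audience != SP Entity ID")
    return problems

# Constructed sample (not captured from Google); <ds:Signature/> is an empty stand-in.
SAMPLE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
  xmlns:ds="{NS['ds']}" Destination="{ACS_URL}" Version="2.0"><saml:Issuer>{IDP_ISSUER}</saml:Issuer>
  <ds:Signature/><saml:Assertion Version="2.0">
    <saml:Subject><saml:NameID Format="{EMAIL_FORMAT}">alice@example.com</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2024-01-01T00:10:00Z">
      <saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions></saml:Assertion></samlp:Response>"""

if __name__ == "__main__":
    print(check_response(SAMPLE, "2024-01-01T00:05:00Z"))   # []
    print(check_response(SAMPLE.replace("<ds:Signature/>", ""), "2024-01-01T00:05:00Z"))
```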
Issues? Contact email@example.com