
IDMWORKS Blog

How To Integrate Google Suite (G Suite) With Access Manager (OAM) as an Identity Provider (IdP)


When I went to implement federated single sign-on (SSO) between Oracle Access Manager (OAM) and Google Suite (G Suite), with OAM acting as my identity provider (IdP) and G Suite as my service provider (SP), I figured it was going to be a fairly painless process, given the standard configuration options that most federated enterprise single sign-on applications require (i.e. exporting and exchanging metadata, attribute mapping, etc.).

However, I found the process a little different when G Suite is the SP rather than the IdP. This is mainly because there is far more detail available on how to implement G Suite as an IdP than as an SP. If you are not very familiar with SSO in G Suite, the options provided for setting up a third party IdP (although they may seem straightforward) can leave you puzzled, especially since there is no explicit option to export G Suite SP metadata or to import IdP metadata from a third party.

Despite the limited options available for setting up a third party IdP in G Suite, I was able to successfully configure SSO using OAM as an IdP and G Suite as a SP through some trial and error. The following describes my base configuration and setup. You may find this to be a useful reference.

Access Manager (OAM) as the Identity Provider (IdP)

Log in as your Google Admin user (http://admin.google.com) and select the “Security” option.

Under Security, select the “Set up single sign-on (SSO)” option

Select the “Setup SSO with third party provider” checkbox.

Provide the following:

Sign-in page URL: URL to initiate Federation sign-in to Google Suite with OAM (e.g. http://[HOSTNAME]:[PORT]/oamfed/idp/initiatesso?providerid=google.com&returnurl=https://accounts.google.com)

Sign-out page URL: Logout page for Federation sign-out from OAM (e.g. http://[HOSTNAME]:[PORT]/fed/user/logout)

Change password URL: Leave Blank

Verification Certificate: Upload the certificate exported from the OAM keystore. (Note: The certificate file must be an X.509-formatted certificate with an embedded public key. The certificate is contained in the .oamkeystore file. The location of this keystore can be found by logging into the OAM admin console under Configuration -> Settings -> View Federation -> Federation Settings.)

Keystore location:

To export this certificate from the OAM keystore, do the following from the OAM server:

Extract certificate from OAM keystore

Before you can open the keystore, you need to know the OAM keystore password. Recover the OAM keystore password by following the steps in this blog post:

http://weblogicscripting.blogspot.com/2016/02/how-to-retrieve-oamkeystore-password-in.html

Once you have the OAM keystore password, export the certificate using the following Java keytool command (keytool will prompt for the keystore password):

./keytool -exportcert -alias stsprivatekeyalias -storetype JCEKS -keystore /app/oracle/admin/domain/aserver/OAMDomain/config/fmwconfig/.oamkeystore -file oam.cert

(Note: The alias for the Signing and Encryption Key is “stsprivatekeyalias”. This alias is the keystore reference to the certificate, and we need it in order to export the certificate file.)

Upload the oam.cert file as the verification certificate in Google Suite.

Click Save.
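Before uploading oam.cert to Google it is worth confirming that the file really is an X.509 certificate (keytool writes binary DER by default; if the command fails you can end up with an empty file or error text instead) and recording its fingerprint so you can later match it against what Google shows. The following is an added example, not code from the original post or from Oracle or Google: it uses only the Python standard library, detects whether a file is DER or PEM, converts between the two, checks that the DER length header matches the file size, and computes a SHA-256 fingerprint over the DER bytes so both encodings of the same certificate yield the same value. The SAMPLE_DER bytes are constructed for the test and are not a real certificate.

```python
import hashlib
import ssl

PEM_MARKER = b"-----BEGIN CERTIFICATE-----"

# Constructed sample: an ASN.1 SEQUENCE header (0x30, long-form length 0x010A = 266)
# followed by 266 filler bytes. Not a real certificate; it only exercises the checks.
SAMPLE_DER = bytes([0x30, 0x82, 0x01, 0x0A]) + bytes(range(256)) + bytes(range(10))


def detect_format(data: bytes) -> str:
    """Classify file content as 'pem', 'der' or 'unknown' (e.g. empty file or error text)."""
    if PEM_MARKER in data:
        return "pem"
    if data[:1] == b"\x30":  # DER certificate starts with an ASN.1 SEQUENCE tag
        return "der"
    return "unknown"


def to_der(data: bytes) -> bytes:
    """Return the DER encoding regardless of whether the input was PEM or DER."""
    if detect_format(data) == "pem":
        return ssl.PEM_cert_to_DER_cert(data.decode("ascii"))
    return data


def to_pem(data: bytes) -> bytes:
    """Return the PEM encoding regardless of whether the input was PEM or DER."""
    if detect_format(data) == "pem":
        return data
    return ssl.DER_cert_to_PEM_cert(data).encode("ascii")


def der_total_length(der: bytes):
    """Total length the outer SEQUENCE header claims, or None if the header is malformed."""
    if der[:1] != b"\x30" or len(der) < 2:
        return None
    first = der[1]
    if first < 0x80:  # short-form length
        return 2 + first
    n = first & 0x7F  # long form: n bytes of length follow
    if n == 0 or n > 4 or len(der) < 2 + n:
        return None
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def fingerprint(data: bytes) -> str:
    """SHA-256 fingerprint over the DER bytes, colon separated, as most consoles display it."""
    digest = hashlib.sha256(to_der(data)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def inspect_certificate(data: bytes) -> dict:
    """Summarise a candidate verification-certificate file and list any problems found."""
    problems = []
    fmt = detect_format(data)
    if fmt == "unknown":
        problems.append("file is not a PEM or DER certificate (empty, or tool output captured instead?)")
        return {"format": fmt, "fingerprint_sha256": None, "problems": problems}
    der = to_der(data)
    declared = der_total_length(der)
    if declared != len(der):
        problems.append(f"DER length header says {declared} bytes but file has {len(der)} (truncated?)")
    return {"format": fmt, "fingerprint_sha256": fingerprint(der), "problems": problems}


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else None
    data = open(path, "rb").read() if path else SAMPLE_DER
    print(inspect_certificate(data))
```

Run it as `python check_cert.py oam.cert`; the fingerprint it prints is the one to compare against the certificate Google lists after the upload, and a non-empty problems list means the export should be repeated before saving the SSO settings.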

Google Suite as the Service Provider (SP)

Under Set up single sign-on (SSO) in the Google Admin console, click DOWNLOAD CERTIFICATE under Certificate 1. (Note: Save this certificate; it will be uploaded to OAM as part of the Google Suite SP configuration.)

Log into the OAM Admin console, click on the Federation option, then click on Identity Provider Management.

Create a new Service Provider Partner. Fill out the following:

General

Name: Same as the Service Provider (e.g. Google Suite). Make sure Enable Partner is checked.

Service Information

Service Details: Select Enter Manually radio button

Provider ID: google.com

Assertion Consumer URL: https://www.google.com/a/[your G Suite Domain]/acs

Logout Request URL: http://[OAMHOST:PORT]/oamfed/idp/initiatesso?providerid=google.com&returnurl=https://accounts.google.com

Signing Certificate

Load Signing Certificate: Upload certificate downloaded from Google Suite

NameID Format

NameID Format: Email Address

NameID Value: User ID Store Attribute: uid

Click Save/Apply

Single Sign-On with Google Suite

Federate to Google Suite (http) using the following URL:

http://OAM_HOST:PORT/oamfed/idp/initiatesso?providerid=google.com&returnurl=https://accounts.google.com
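When the redirect above does not land the user in G Suite, the quickest way to see why is to capture the SAML Response OAM posts to the Google ACS URL and compare it against the SP partner settings configured above (Provider ID google.com, the ACS URL, NameID format Email Address). The following is an added example, not code from the original post or from Oracle or Google. It builds the IdP-initiated SSO URL from its parts and checks a decoded SAML Response for the fields that must agree with the partner configuration: Success status, Destination and SubjectConfirmation Recipient equal to the ACS URL, Audience equal to the Provider ID, an emailAddress-format NameID whose value is an email (Google matches users by that address, so the uid attribute mapped in OAM must hold the user's G Suite address), and validity windows that cover the current time. It does not verify the XML signature; that is the job of the verification certificate uploaded to Google. The SAMPLE_RESPONSE, the issuer http://OAM_HOST:PORT/oam/fed, the oam.example.com host and the example.com domain are constructed placeholders.

```python
import re
from datetime import datetime, timezone
from urllib.parse import urlencode
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Constructed sample response (signature omitted); values mirror the partner settings in the post.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0"
    IssueInstant="2024-01-01T12:00:00Z" Destination="https://www.google.com/a/example.com/acs">
  <saml:Issuer>http://OAM_HOST:PORT/oam/fed</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
    <saml:Issuer>http://OAM_HOST:PORT/oam/fed</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jdoe@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="https://www.google.com/a/example.com/acs"
            NotOnOrAfter="2024-01-01T12:05:00Z"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T11:59:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
      <saml:AudienceRestriction><saml:Audience>google.com</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="2024-01-01T12:00:00Z"/>
  </saml:Assertion>
</samlp:Response>"""


def build_initiatesso_url(scheme, host, port, provider_id, return_url):
    """IdP-initiated SSO URL in the shape the post uses for the Google sign-in page URL."""
    query = urlencode({"providerid": provider_id, "returnurl": return_url})
    return f"{scheme}://{host}:{port}/oamfed/idp/initiatesso?{query}"


def parse_saml_time(value):
    """SAML timestamps are UTC ISO 8601; fractional seconds (which some IdPs emit) are dropped."""
    value = re.sub(r"\.\d+Z$", "Z", value)
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_response_for_partner(xml_text, provider_id, acs_url, now):
    """Return a list of mismatches between the response and the SP partner settings (empty = OK)."""
    findings = []
    root = ET.fromstring(xml_text)
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        findings.append("status is not Success")
    if root.get("Destination") != acs_url:
        findings.append(f"Response Destination {root.get('Destination')!r} != ACS URL")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        findings.append("no plaintext Assertion (encrypted or missing)")
        return findings
    audience = assertion.find("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)
    if audience is None or audience.text != provider_id:
        findings.append("Audience does not match the partner Provider ID")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != EMAIL_FORMAT:
        findings.append("NameID Format is not emailAddress")
    elif not re.fullmatch(r"[^@\s]+@[^@\s]+\.[^@\s]+", name_id.text or ""):
        findings.append("NameID value is not an email address (check the uid attribute mapping)")
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != acs_url:
        findings.append("SubjectConfirmationData Recipient != ACS URL")
    # Both the Conditions and the bearer confirmation carry validity windows; check each.
    for label, el in (("Conditions", assertion.find("saml:Conditions", NS)), ("SubjectConfirmationData", scd)):
        if el is None:
            continue
        not_before, not_on_or_after = el.get("NotBefore"), el.get("NotOnOrAfter")
        if not_before and now < parse_saml_time(not_before):
            findings.append(f"{label} not yet valid (clock skew?)")
        if not_on_or_after and now >= parse_saml_time(not_on_or_after):
            findings.append(f"{label} expired")
    return findings


if __name__ == "__main__":
    print(build_initiatesso_url("http", "oam.example.com", 14100, "google.com", "https://accounts.google.com"))
    print(check_response_for_partner(SAMPLE_RESPONSE, "google.com",
                                     "https://www.google.com/a/example.com/acs",
                                     parse_saml_time("2024-01-01T12:01:00Z")))
```

A response captured from a browser is base64 in the SAMLResponse form field; decode it and pass the XML text to check_response_for_partner with the Provider ID and ACS URL exactly as entered in the OAM partner. A Recipient or Destination mismatch usually means the [your G Suite Domain] part of the ACS URL differs between OAM and Google, and an expired window points at clock drift between the OAM server and Google.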
