mirror of
https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
synced 2026-06-12 06:04:56 +03:00
114 lines
3.8 KiB
Markdown
# Google Workspace SSO - Workflows
## SSO Configuration Workflow
```
1. PREPARE IDP
├── Create Google Workspace SAML application in IdP
├── Configure ACS URL: https://www.google.com/a/{domain}/acs
├── Configure Entity ID: google.com/a/{domain}
│   (the domain-specific issuer; without that option Google's issuer is plain google.com)
├── Set NameID to the user's primary Google Workspace email address
├── Map attributes such as firstName and lastName only for provisioning; Google reads
│   nothing but the NameID at sign-in and never creates accounts from an assertion
└── Download IdP metadata (SSO URL, signing certificate, entity ID)

2. CONFIGURE GOOGLE ADMIN CONSOLE
├── Navigate to Security > Authentication > SSO with third-party IdP
├── Enable third-party SSO (create an SSO profile)
├── Enter Sign-in page URL from IdP
├── Enter Sign-out page URL from IdP
├── Upload IdP verification certificate (the signing certificate downloaded in step 1)
├── Enable domain-specific issuer (must match the Entity ID configured in the IdP)
└── Save configuration

3. ASSIGN SSO PROFILE
├── Apply to entire organization OR
├── Apply to specific organizational units OR
└── Apply to specific groups (start with a pilot OU or group, not everyone)

4. TEST
├── Test IdP-initiated SSO (login from IdP portal)
├── Test SP-initiated SSO (login from Google page)
├── Test sign-out flow
├── Test with user not in IdP (should fail)
├── Test with user in IdP but absent from Google Workspace (should fail: no account to match)
└── Test break-glass Super Admin access (should bypass SSO; keep 2-Step Verification enforced on it)

5. ROLLOUT
├── Communicate changes to users
├── Apply to all organizational units
├── Monitor for authentication failures (Admin console login and SAML audit logs)
└── Update help desk with troubleshooting guide
```

## User Authentication Flow (SP-Initiated)
```
User navigates to mail.google.com/a/{domain}
│
├── Google identifies the domain as federated (an SSO profile is assigned to the user)
│
├── Redirect to IdP with SAML AuthnRequest (HTTP-Redirect binding)
│   URL: {IdP SSO URL}?SAMLRequest={deflated, base64, URL-encoded XML}&RelayState={continue URL}
│
├── User authenticates at IdP:
│   ├── Enter credentials
│   ├── Complete MFA challenge
│   └── IdP validates against directory
│
├── IdP generates SAML Response:
│   ├── Assertion with NameID (email)
│   ├── Authentication context (MFA)
│   ├── Digitally signed with IdP certificate
│   └── Optionally encrypted
│
├── Browser POSTs Response to Google ACS URL (HTTP-POST binding, SAMLResponse form field)
│
├── Google validates:
│   ├── Signature against uploaded certificate
│   ├── Assertion not expired (NotBefore / NotOnOrAfter in Conditions)
│   ├── Audience matches entity ID (google.com/a/{domain} with domain-specific issuer)
│   ├── NameID matches a Google Workspace user
│   └── InResponseTo matches original request (SP-initiated only)
│
└── User logged in to Google Workspace
```

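
The redirect step above in working form, as an added example that is not part of the original page or of Google's code: it builds a minimal AuthnRequest, applies the HTTP-Redirect encoding (raw DEFLATE, then base64, then URL-encoding) to produce the `SAMLRequest` parameter, and decodes a captured value back to XML so the request ID can later be compared with `InResponseTo`. The IdP SSO URL, the domain and the RelayState are assumed placeholders.

```python
"""SP-initiated SAML redirect: build, encode and decode the SAMLRequest parameter.

Added example (not from the page or from Google). Uses only the standard library.
"""
import base64
import secrets
import zlib
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode, urlsplit

IDP_SSO_URL = "https://idp.example.com/saml/sso"        # assumption: the IdP's Sign-in page URL
DOMAIN = "example.com"                                   # assumption
ACS_URL = f"https://www.google.com/a/{DOMAIN}/acs"       # Google's ACS URL pattern
SP_ENTITY_ID = f"google.com/a/{DOMAIN}"                  # domain-specific issuer


def new_request_id() -> str:
    # XML IDs must not start with a digit, so SAML stacks prefix them with "_".
    return "_" + secrets.token_hex(16)


def build_authn_request(request_id: str, issue_instant: datetime = None) -> str:
    """Minimal AuthnRequest of the shape an SP sends to the IdP."""
    issue_instant = issue_instant or datetime.now(timezone.utc)
    instant = issue_instant.strftime("%Y-%m-%dT%H:%M:%SZ")
    return (
        '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        f'ID="{request_id}" Version="2.0" IssueInstant="{instant}" '
        'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" '
        f'AssertionConsumerServiceURL="{ACS_URL}">'
        f"<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer>"
        '<samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" '
        'AllowCreate="false"/>'
        "</samlp:AuthnRequest>"
    )


def encode_redirect(xml: str) -> str:
    """HTTP-Redirect encoding: raw DEFLATE (no zlib header, wbits=-15) then base64."""
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = compressor.compress(xml.encode()) + compressor.flush()
    return base64.b64encode(deflated).decode()


def decode_redirect(param: str) -> str:
    """Inverse of encode_redirect; apply to a SAMLRequest value captured from a browser."""
    return zlib.decompress(base64.b64decode(param), -15).decode()


def redirect_url(xml: str, relay_state: str) -> str:
    """The URL Google sends the browser to; urlencode handles the URL-encoding step."""
    query = urlencode({"SAMLRequest": encode_redirect(xml), "RelayState": relay_state})
    return f"{IDP_SSO_URL}?{query}"


def request_id_from_url(url: str) -> str:
    """Recover the request ID the SP must later see in the Response's InResponseTo."""
    params = parse_qs(urlsplit(url).query)
    xml = decode_redirect(params["SAMLRequest"][0])
    start = xml.index(' ID="') + 5
    return xml[start:xml.index('"', start)]


if __name__ == "__main__":
    rid = new_request_id()
    url = redirect_url(build_authn_request(rid), f"https://mail.google.com/a/{DOMAIN}")
    print(url)
    print("round trip ok:", request_id_from_url(url) == rid)
```

Decoding a captured `SAMLRequest` this way is the quickest check that Google is sending the IdP the ACS URL and issuer you configured; a mismatch there shows up later as an IdP-side "unknown service provider" error.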
## Certificate Renewal Workflow
```
IdP signing certificate approaching expiration (30 days before)
│
├── Generate new signing certificate in IdP (keep the old one active for now)
│
├── Upload new certificate to Google Admin Console
│   (the SSO profile holds more than one verification certificate, so old and
│    new are both trusted during the cutover and no login window is lost)
│
├── Promote new certificate as primary in IdP
│
├── Verify SSO still works with new certificate (both SP- and IdP-initiated)
│
└── Remove old certificate from Google Admin Console after confirmation
```

## Troubleshooting Workflow
```
|
|
User reports SSO failure
|
|
│
|
|
├── Check 1: Is user assigned to the Google Workspace app in IdP?
|
|
│ └── NO → Assign user in IdP
|
|
│
|
|
├── Check 2: Does NameID match user's Google email exactly?
|
|
│ └── NO → Fix attribute mapping in IdP
|
|
│
|
|
├── Check 3: Is the IdP certificate expired?
|
|
│ └── YES → Upload renewed certificate
|
|
│
|
|
├── Check 4: Is there clock skew between IdP and Google?
|
|
│ └── YES → Sync NTP on IdP server (max 5 min skew allowed)
|
|
│
|
|
├── Check 5: Is the SAML assertion properly signed?
|
|
│ └── NO → Verify IdP signing algorithm matches uploaded cert
|
|
│
|
|
└── Check 6: Check IdP SAML debug logs for detailed error
|
|
```
|
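The checks Google applies to a posted Response (listed in the SP-initiated flow above) and troubleshooting checks 2 to 5 in one diagnostic, as an added example that is not code from the page or from Google: it decodes a captured `SAMLResponse` form value, parses it with the standard library and reports which check fails, using the 5 minute skew tolerance quoted above. The domain, user list, certificate value, request ID and the sample Response builder are constructed for offline use. Cryptographic verification of the XML signature needs an XML-DSig library such as xmlsec; this stdlib-only example instead compares the certificate embedded in the Response with the one configured in the Admin console, which catches the common "IdP rotated its key" failure.

```python
"""Diagnose a captured SAMLResponse against Google's validation rules.

Added example (not from the page or from Google). Standard library only; signature
cryptography is NOT verified here, only the embedded certificate is compared.
"""
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
DOMAIN = "example.com"                                    # assumption
ACS_URL = f"https://www.google.com/a/{DOMAIN}/acs"
SP_ENTITY_ID = f"google.com/a/{DOMAIN}"                   # domain-specific issuer
UPLOADED_CERT = "MIIC...CONFIGURED"                       # placeholder for the base64 cert uploaded to Google
MAX_SKEW = timedelta(minutes=5)                           # tolerance quoted in the troubleshooting workflow
KNOWN_USERS = {"alice@example.com", "bob@example.com"}    # constructed Google Workspace directory


def parse_time(value: str) -> datetime:
    # xs:dateTime in UTC, e.g. 2024-01-01T12:00:00Z (3 or 6 fractional digits also accepted)
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def make_response(name_id, not_before, not_on_or_after, audience=SP_ENTITY_ID,
                  cert=UPLOADED_CERT, in_response_to="_req1", recipient=ACS_URL) -> str:
    """Constructed sample Response (base64, as POSTed to the ACS URL); the Signature
    element carries only KeyInfo, enough for the certificate comparison below."""
    xml = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}" xmlns:ds="{NS['ds']}"
  ID="_resp1" Version="2.0" Destination="{ACS_URL}" InResponseTo="{in_response_to}">
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>https://idp.example.com</saml:Issuer>
    <ds:Signature><ds:KeyInfo><ds:X509Data><ds:X509Certificate>{cert}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">{name_id}</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="{recipient}" InResponseTo="{in_response_to}" NotOnOrAfter="{not_on_or_after}"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="{not_before}" NotOnOrAfter="{not_on_or_after}">
      <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""
    return base64.b64encode(xml.encode()).decode()


def diagnose(response_b64: str, expected_request_id, now: str) -> list:
    """Return the list of failed checks (empty list means Google would accept it).
    expected_request_id is None for IdP-initiated logins, which carry no InResponseTo."""
    findings = []
    at = parse_time(now)
    root = ET.fromstring(base64.b64decode(response_b64))
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or not code.get("Value", "").endswith(":Success"):
        findings.append("Check 1: IdP returned a non-Success status (user not assigned to the app?)")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        findings.append("Check 5: no plaintext Assertion in the Response (missing or encrypted)")
        return findings
    cert = assertion.find("ds:Signature/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    if cert is None:
        findings.append("Check 5: Assertion carries no Signature")
    elif "".join((cert.text or "").split()) != UPLOADED_CERT:
        findings.append("Check 3/5: signing certificate differs from the one uploaded to Google")
    cond = assertion.find("saml:Conditions", NS)
    if cond is not None:
        if cond.get("NotBefore") and at + MAX_SKEW < parse_time(cond.get("NotBefore")):
            findings.append("Check 4: Assertion not yet valid beyond the 5 minute skew tolerance")
        if cond.get("NotOnOrAfter") and at - MAX_SKEW >= parse_time(cond.get("NotOnOrAfter")):
            findings.append("Check 4: Assertion expired (NotOnOrAfter is in the past)")
        audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if SP_ENTITY_ID not in audiences:
            findings.append(f"Audience {audiences} does not match entity ID {SP_ENTITY_ID}")
    name_id = assertion.findtext("saml:Subject/saml:NameID", default="", namespaces=NS).strip()
    if name_id not in KNOWN_USERS:
        findings.append(f"Check 2: NameID {name_id!r} does not match any Google Workspace user")
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is not None:
        if scd.get("Recipient") != ACS_URL:
            findings.append(f"Recipient {scd.get('Recipient')} is not the ACS URL {ACS_URL}")
        if expected_request_id and scd.get("InResponseTo") != expected_request_id:
            findings.append("InResponseTo does not match the outstanding AuthnRequest (stale or replayed)")
    return findings


if __name__ == "__main__":
    sample = make_response("carol@example.com", "2024-01-01T11:58:00Z", "2024-01-01T12:05:00Z")
    for line in diagnose(sample, "_req1", "2024-01-01T12:00:00Z"):
        print(line)
```

To use it on a real failure, copy the `SAMLResponse` value from the browser's network capture of the POST to `/acs`, set `DOMAIN`, `UPLOADED_CERT` and `KNOWN_USERS` to your own values, and pass the request ID from the preceding redirect (or `None` for an IdP-initiated login). Every finding names the troubleshooting check it corresponds to, so the fix is read straight off the workflow above.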