Identity Provider Integration III: Google

App details

• Enter an App Name, e.g. Matrix42 Silverback 
• Upload an App icon (optional)
• Press Continue

Google Identity Provider Details

• Click Download Meta 
• Press Continue

Service provider details 

• Enter as ACS URL your Silverback URL in the following format: https://silverback.company.com/sts/authorize/login
• Enter as Entity ID your Silverback URL in the following format silverback.company.com
• Enter as Start URL your Silverback URL in the following format https://silverback.company.com/ssp

Name ID

• Select as Name ID format EMAIL
• Select as Name ID Basic Information > Primary email
• Press continue

Attribute Mapping

• Press Finish
• Wait until the application creation is finished 

Grant Access

• Click on User Access to OFF for everyone
• Enable either ON for everyone or customize the Access to this application to Groups or Organisational units
• Press Save 

Import Metadata 

• Open your Silverback Management Console
• Login as Administrator 
• Navigate to Admin
• Navigate to Authentication Provider
• Click Import from File
• Select Choose File
• Select your previously downloaded Metadata file (GoogleIDPMetadata.xml)
• Click Open
• Click OK
• Click OK to save these changes
• Click OK to confirm

Try a Login as a Device User

• Open your Browser in Incognito Mode
• Open Self Service Portal 
• Check the SAML2 button appearance
• Click the SAML2 button
• You will be redirected to your Google Identity Provider
• Login with your credentials
• When everything went right, you should be logged it into Self Service Portal
• Take a device and perform an enrollment
• In case you have an active LDAP Connection in Silverback, please refer to Co-Existence with LDAP Connection
• Otherwise, please proceed with Identities 

Co-Existence with LDAP Connection

In case you connected Silverback with a LDAP Server, you might receive after pressing the Start (1) button inside the Self-Service Portal, an error that contains a warning that this user already has a pending enrollment request or that you are not authorised to access this system (2). The logic is that if a LDAP connection is available, Silverback checks first your LDAP server if the user is present to query additional LDAP Attributes for the user and to not create dynamically a new local user. To ensure the matching between your Identity Provider and the user in your LDAP Server and to let your users create a new pending enrollment, the value selected for Name ID must match with the comparer added in your LDAP User Filter (e.g. userPrincipalName={0}). The captured username from the Identity Provider login (your Name ID) is indicated after Welcome (3) and must match in the Co-Existence with the userPrincipalName of the user in your LDAP server. In case a Group Membership is set in the LDAP User Filter (MemberOf=), the user must be present in the select Group Membership, too. Please keep also in mind, that the LDAP user must have a valid Device Email Field information present. With the LDAP attribute Username, you can ultimately define in this scenario which user name the device will receive in Silverback.

Identities

• Navigate back to your Silverback Management Console
• Navigate to Users
• You should see now a new Username with your Identity Provider E-Mail and Username information
  • e.g. Username: tim.tober@imagoverum.com
  • e.g. Email: tim.tober@imagoverum.com

System User with SAML2

• Navigate to Admin
• Navigate to User Management
• Click New System User
• Enter a username 
• Enter as Email the E-mail used for your Idenity Provider (e.g. tim.tober@imagoverum.com)
• Create any password you like
  • Ensure to meet minimum requirements

• Select Role
• Select Language
• Click Save

Try a Login as System User

• Open your Browser in Incognito Mode
• Open Silverback Management Console
• Click the SAML2 Button
• You will be redirected to your Identity Provider
• Login with your Credentials
• When everything went right, you should be logged it into Silverback Management Console