Google Workspace Integration Example

This example describes how to integrate Google Workspace as a SAML identity provider (IdP) for an Oxide silo. It assumes that you have a Google Workspace domain with admin access, as well as access to the Oxide Console with fleet admin permissions.

Create SAML App in Google Admin Console

  1. Log in to the Google Admin Console using a web browser.

  2. Navigate to Apps > Web and mobile apps > Add app > Add custom SAML app and proceed through the wizard to create a new SAML app.

  3. In the "Google Identity Provider details" section, download the IDP metadata file, and save the Entity ID for later use.

  4. In the "Service provider details" section, set the ACS and Entity ID fields to the following values:

    1. ACS URL: https://$SILO_NAME.sys.$RACK_FQDN/login/$SILO_NAME/saml/google

    2. Entity ID: https://$SILO_NAME.sys.$RACK_FQDN/login/$SILO_NAME/saml/google

    3. Start URL (optional): Same as ACS URL

    4. Name ID Format: Unspecified

    5. Name ID (value): Basic Information > Primary Email

  5. In the Attributes Mapping section, create whichever attributes you’d like to map to Oxide. At minimum, map a group attribute so that the user’s group membership is passed on to Oxide.

Assign Users and Groups

Now that the SAML app is created, assign users or groups to the app in the Google Admin Console.

Configure Oxide Silo and Identity Provider

Create Silo in Oxide

In the Oxide Console:

  1. Navigate to System > Silos and create a new silo.

    1. Silo Name: Must match the name you used in the Google SAML configuration.

    2. Admin Group Name: Must match the group name in Google (e.g., admins).

  2. Upload a TLS certificate valid for the silo domain.

Create Identity Provider in Oxide

In the silo’s Identity Provider tab, click New Provider and populate each field. See below for an example using the silo name corp and the domain oxide.acme.com:

  Provider Name: "google" (or some descriptive name)

  Description: "Corporate silo google SAML provider"

  Entity ID: This value corresponds to the Entity ID in the Google Identity Provider details section of the SAML app creation wizard, and should take the form https://accounts.google.com/o/saml2?idpid=$IDP_ENTITY_ID

  Service provider client ID: "corp" (silo name)

  Metadata source: Import the IDP metadata file (GoogleIDPMetadata.xml) from earlier.

  ACS URL: https://corp.sys.oxide.acme.com/login/corp/saml/google

  SLO URL: https://corp.sys.oxide.acme.com/login/corp/saml/google

  Technical contact email: infra@acme.com

  Group attribute name: "admins"

  Signing Keypair: Provide in Base64-encoded DER format.
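As an added example that is not part of the Oxide documentation, the following Python derives the ACS / SP Entity ID URL from the silo name and rack FQDN and sanity-checks a downloaded GoogleIDPMetadata.xml for the fields Oxide relies on (entityID form, signing certificate, HTTP-Redirect SSO binding) before it is imported as the Metadata source. The metadata sample, its idpid and certificate are constructed placeholders.

```python
import re
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
GOOGLE_ENTITY_ID = re.compile(r"^https://accounts\.google\.com/o/saml2\?idpid=[A-Za-z0-9]+$")


def acs_url(silo: str, rack_fqdn: str, provider: str = "google") -> str:
    """ACS URL / SP Entity ID to enter in the Google 'Service provider details' section."""
    return f"https://{silo}.sys.{rack_fqdn}/login/{silo}/saml/{provider}"


def check_idp_metadata(xml_text: str, expected_entity_id: str) -> list[str]:
    """Return problems found in a Google IdP metadata file (empty list when it looks usable)."""
    problems = []
    root = ET.fromstring(xml_text)
    entity_id = root.get("entityID", "")
    if not GOOGLE_ENTITY_ID.match(entity_id):
        problems.append(f"unexpected entityID form: {entity_id!r}")
    if entity_id != expected_entity_id:
        problems.append("entityID differs from the value saved from the wizard")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        return problems + ["no IDPSSODescriptor element"]
    # Oxide verifies Google's assertion signature with this certificate.
    certs = idp.findall("md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    if not any((c.text or "").strip() for c in certs):
        problems.append("no signing certificate in metadata")
    bindings = {s.get("Binding") for s in idp.findall("md:SingleSignOnService", NS)}
    if "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" not in bindings:
        problems.append("no HTTP-Redirect SingleSignOnService binding")
    return problems


# Constructed sample in the shape of a Google Admin Console metadata export
# (idpid and certificate are placeholders, not real values).
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://accounts.google.com/o/saml2?idpid=C0example1">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>MIIC...PLACEHOLDER...</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://accounts.google.com/o/saml2/idp?idpid=C0example1"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""
```

Call check_idp_metadata() with the contents of the real GoogleIDPMetadata.xml and the Entity ID saved from the wizard; an empty list means the file carries what Oxide needs.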

Log in to Oxide

After configuring the identity provider, log in to your Oxide Silo using the Google SSO button.

Tip
If login issues occur, check that the group attribute in the Admin Console matches the Admin Group Name in Oxide, and that the SAML assertion from Google includes the group attribute.