Configure SAML single sign-on with Google
You can configure your ExtraHop Command and Discover appliances to enable users to log into the appliance through the Google identity management service.
Before you begin
- You should be familiar with administering Google Admin.
- You should be familiar with administering ExtraHop appliances.
These procedures require you to copy and paste information between the ExtraHop Admin UI and the Google Admin UI, so it is helpful to have each UI open side-by-side.
Enable SAML on the ExtraHop appliance
- Log into the Admin UI on the Discover or Command appliance.
- In the Access Settings section, click Remote Authentication.
- From the Remote authentication method drop-down list, select SAML.
- Click Continue.
- Click View SP Metadata.
- Copy the ACS URL and Entity ID to a text file. You will paste this information into the Google configuration in a later procedure.
Add user custom attributes
- Log into the Google Admin console.
- Click Users.
- Click the Manage custom attributes icon.
- Click Add Custom Attribute.
- In the Category field, type ExtraHop.
- (Optional): Type a description in the Description field.
- In the Custom fields section, enter the following information.
- In the Name field, type writelevel.
- From the Info Type drop-down list, select Text.
- From the Visibility drop-down list, select Visible to domain.
- From the No. of values drop-down list, select Single Value.
- (Optional): If you have connected Trace appliances, configure a second custom field with the following information.
- In the Name field, type packetslevel.
- From the Info Type drop-down list, select Text.
- From the Visibility drop-down list, select Visible to domain.
- From the No. of values drop-down list, select Single Value.
- Click Add.
Add identity provider information from Google to the ExtraHop appliance
- In the Google Admin console, click the Main menu icon and select .
- Click the Enable SSO for a SAML application icon.
- Click SETUP MY OWN CUSTOM APP.
- On the Google IdP Information screen, click the Download button to download the certificate (GoogleIDPCertificate.pem).
- Return to the Admin UI on the ExtraHop appliance.
- Click Add Identity Provider.
- Type a unique name in the Provider Name field. This name appears on the ExtraHop appliance login page.
- From the Google IdP Information screen, copy the SSO URL and paste it into the SSO URL field on the ExtraHop appliance.
- From the Google IdP Information screen, copy the Entity ID and paste it into the Entity ID field on the ExtraHop appliance.
- Open the GoogleIDPCertificate.pem file in a text editor, copy the contents, and paste them into the Public Certificate field on the ExtraHop appliance.
- Choose how you would like to provision users from one of the following options.
- Select Auto-provision users to create a new remote SAML user account on the ExtraHop appliance when the user first logs into the appliance.
- Clear the Auto-provision users checkbox and manually configure new remote users through the ExtraHop Admin UI or REST API. Access and privilege levels are determined by the user configuration in Google.
- The Enable this identity provider option is selected by default and allows users to log into the appliance. To prevent users from logging in, clear the checkbox.
- Click Save.
- Save the Running Config.
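When a login fails after this setup, the usual causes are an audience that does not match the SP Entity ID copied in the first procedure, an expired assertion, or the writelevel/packetslevel custom attributes not arriving in the assertion. The following added example (not ExtraHop or Google code) parses a decoded SAML assertion and reports those three conditions; the sample assertion, its Entity ID and the attribute values are constructed placeholders, and XML signature verification is assumed to be done by the appliance itself.

```python
import xml.etree.ElementTree as ET
from datetime import datetime

SAML = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion, not a real Google response. The Entity ID and the
# attribute values are placeholders; only the attribute names come from the procedure.
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2024-01-01T00:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://extrahop.example.com/saml/metadata</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="writelevel"><saml:AttributeValue>full</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="packetslevel"><saml:AttributeValue>packets</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def _ts(value):
    # SAML timestamps are UTC; comparing naive datetimes parsed the same way is fine.
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def check_assertion(xml_text, sp_entity_id, now_utc, required=("writelevel",)):
    """Return (ok, problems, attrs). Verifies the audience matches the SP Entity ID,
    the NotBefore/NotOnOrAfter window, and that each required custom attribute is
    present with exactly one value. XML signature checking is left to the SP."""
    root = ET.fromstring(xml_text)
    problems = []
    audiences = [a.text for a in root.findall(".//saml:Audience", SAML)]
    if sp_entity_id not in audiences:
        problems.append("Audience %r does not include the SP Entity ID" % audiences)
    cond = root.find("saml:Conditions", SAML)
    nb, na = (cond.get("NotBefore"), cond.get("NotOnOrAfter")) if cond is not None else (None, None)
    if not (nb and na):
        problems.append("Conditions element or its validity window is missing")
    elif not (_ts(nb) <= _ts(now_utc) < _ts(na)):
        problems.append("Assertion is outside its NotBefore/NotOnOrAfter window")
    attrs = {}
    for attr in root.findall(".//saml:Attribute", SAML):
        attrs[attr.get("Name")] = [v.text for v in attr.findall("saml:AttributeValue", SAML)]
    for name in required:
        if len(attrs.get(name, [])) != 1:
            problems.append("Attribute %s is missing or not single-valued" % name)
    return (not problems), problems, attrs
```

Pass `required=("writelevel", "packetslevel")` when Trace appliances are connected, since the second attribute is only configured in that case.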