Configure SAML single sign-on with Google
You can configure your ExtraHop system to enable users to log in to the system through the Google identity management service.
Before you begin
- You should be familiar with administrating Google Admin.
- You should be familiar with administrating ExtraHop systems.
These procedures require you to copy and paste information between the ExtraHop Admin UI and the Google Admin UI, so it is helpful to have each UI open side-by-side.
Enable SAML on the ExtraHop system
- Log in to the Administration page on the ExtraHop system through https://<extrahop-hostname-or-IP-address>/admin.
- In the Access Settings section, click Remote Authentication.
- From the Remote authentication method drop-down list, select SAML.
- Click Continue.
- Click View SP Metadata.
- Copy the ACS URL and Entity ID to a text file. You will paste this information into the Google configuration in a later procedure.
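As an added example (not ExtraHop or Google code), this Python script reads the Entity ID and ACS URL from SP metadata instead of copying them by hand, and rejects an ACS URL that is not HTTPS. It assumes the SP metadata is available as standard SAML 2.0 metadata XML; the host name, paths, and the function name `sp_values` are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample; extrahop.example.com and the paths are placeholders,
# not values taken from a real ExtraHop system.
SAMPLE_SP_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://extrahop.example.com/saml/metadata">
  <md:SPSSODescriptor
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService index="0"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://extrahop.example.com/saml/acs"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""

def sp_values(metadata_xml):
    """Return (entity_id, acs_url) from SAML 2.0 SP metadata, or raise ValueError."""
    root = ET.fromstring(metadata_xml)
    if root.tag != f"{{{MD}}}EntityDescriptor":
        raise ValueError("not a SAML 2.0 EntityDescriptor")
    entity_id = (root.get("entityID") or "").strip()
    if not entity_id:
        raise ValueError("entityID attribute is missing")
    # Keep only endpoints that use the HTTP-POST binding.
    acs = [e for e in root.iter(f"{{{MD}}}AssertionConsumerService")
           if e.get("Binding") == POST]
    if len(acs) != 1:
        raise ValueError(f"expected one HTTP-POST ACS endpoint, found {len(acs)}")
    acs_url = (acs[0].get("Location") or "").strip()
    parts = urlparse(acs_url)
    # Assertions are posted to this URL, so it must be an absolute HTTPS URL.
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError(f"ACS URL is not an absolute https URL: {acs_url!r}")
    return entity_id, acs_url

if __name__ == "__main__":
    entity_id, acs_url = sp_values(SAMPLE_SP_METADATA)
    print("Entity ID:", entity_id)
    print("ACS URL:  ", acs_url)
```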
Add identity provider information from Google to the ExtraHop system
- In the Google Admin console, click the Main menu icon and select .
- Click the Enable SSO for a SAML application icon.
- Click SETUP MY OWN CUSTOM APP.
- On the Google IdP Information screen, click the Download button to download the certificate (GoogleIDPCertificate.pem).
- Return to the Admin UI on the ExtraHop system.
- Click Add Identity Provider.
- Type a unique name in the Provider Name field. This name appears on the ExtraHop system login page.
- From the Google IdP Information screen, copy the SSO URL and paste it into the SSO URL field on the ExtraHop appliance.
- From the Google IdP Information screen, copy the Entity ID and paste it into the Entity ID field on the ExtraHop system.
- Open the GoogleIDPCertificate in a text editor, copy the contents, and paste them into the Public Certificate field on the ExtraHop system.
- Choose how you would like to provision users from one of the following options.
  - Select Auto-provision users to create a new remote SAML user account on the ExtraHop system when the user first logs in to the appliance.
  - Clear the Auto-provision users checkbox and manually configure new remote users through the ExtraHop Admin UI or REST API. Access and privilege levels are determined by the user configuration in Google.
- The Enable this identity provider option is selected by default and allows users to log in to the ExtraHop system. To prevent users from logging in, clear the checkbox.
- Click Save.
- Save the Running Config.