Create Relying Party

1. From the SAML Websites tab of the Identity Provider Configuration Editor click the Create button.

2. Find the Relying Party configuration being created below and continue from there.

Example: Federating Google Apps

Create Relying Party for Google Apps

On the General tab of the Relying Party – default window:

1. Enter Google Apps into the Name field.

2. Enter Google Apps Relying Party into the Description field.

3. Click the Add button.

   1. Enter the google.com name and click OK.

4. Choose the POST binding type.

5. Enter https://www.google.com/a/<your server>/acs into the Assertion Consumer URL field. Replace <your server> with your identifier for Google Apps.

6. Make sure the State field has a check mark in the Enabled box.

Skip the WS-Fed tab.

7. On the Identity Claims tab, choose the Domino LDAP store in the Attribute Store field.

8. Click the Create button:

   1. Set the Name field to State AsNameID.

   2. Put a check in the Send AsNameID? box.

   3. Click the Pre-defined Types button and select:

      urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress

   4. Set the Value Type field to Direct Field.

   5. In the Direct Field tab, set the Field Name field to st.

   6. Also in the Direct Field tab, set the Value Index to 0.

   7. Click Save.

9. Click the Create button a second time and:

   1. Set the Name field to State.

   2. Uncheck the Send AsNameID? box.

   3. Click the Pre-defined Types button and select:

      http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress

   4. Set the Value Type field to Direct Field.

   5. In the Direct Field tab, set the Field Name field to st.

   6. Also in the Direct Field tab, set the Value Index to 0.

   7. Click Save.

10. On the IdP-Initiated tab:

   1. Enter Google Apps in the Display Text field.

   2. Enter Mail, documents, etc. in the Help Text field.

   3. Click the Choose Image button and choose the default.png image from the C:\inetpub\PortalGuard\SSO\img folder.

   4. Check the IdP-initiated SSO not directly supported by RP box.

   5. Enter https://www.google.com/a/<your server> into the Default URL field. Replace <your server> with your identifier for Google Apps.

11. On the Response tab:

   1. Enter http://mail.google.com/a/<your server> into the Default Relay State field. Replace <your server> with your identifier for Google Apps.

   2. Enter 2.0 in the SAML Version field.

   3. Uncheck the Sign SAML Response? box.

   4. Check the Sign SAML Assertion? box.

   5. Uncheck the Override Token Timeout? box.

12. On the Authorization tab:

   1. Click the Add button to enter the individual user names, group names or containers that are allowed to use this relying party. These values are NOT case-sensitive. Leave the list empty for all users to have access.

   2. Any user names must be the short name.

   3. Any LDAP groups must use the FULL distinguished name, e.g.: CN=Domain Users,CN=Users,DC=acme,DC=com

   4. LDAP containers are specified using the following syntax: */user/acme/com

   5. Click Save.
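The Identity Claims and Response tab settings above determine what Google Apps will receive: an assertion (not the outer response) carrying a signature, a NameID in emailAddress format, and an emailaddress claim drawn from the same st field. The following script, added here as an example and not PortalGuard's own code, parses a SAML 2.0 response and reports where it deviates from those settings. The sample response is constructed for illustration, example.com stands in for the document's <your server> placeholder, and the PortalGuard issuer URL is assumed. The script checks structure only; verifying the signature cryptographically requires an XML-DSig library.

```python
"""Structural check of a SAML 2.0 response against the Google Apps relying-party
settings described above (added example, not PortalGuard's code).  The sample
response is constructed for illustration; "example.com" stands in for the
document's <your server> placeholder and the issuer URL is an assumption.
Only the settings are checked: the signature value itself is not verified."""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Values taken from the relying-party steps above (placeholder domain assumed).
EXPECTED = {
    "acs_url": "https://www.google.com/a/example.com/acs",  # Assertion Consumer URL
    "audience": "google.com",                                # name added on the General tab
    "nameid_format": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
    "email_claim": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
}

# Constructed sample: the Assertion is signed and the Response is not (Response tab);
# the NameID and the emailaddress claim both carry the st value (Identity Claims tab).
SAMPLE_RESPONSE = """
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
  IssueInstant="2024-01-01T00:00:00Z" Destination="https://www.google.com/a/example.com/acs">
  <saml:Issuer>https://portalguard.example.com/sso</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>https://portalguard.example.com/sso</saml:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo/><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>
    </ds:Signature>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jdoe@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="https://www.google.com/a/example.com/acs"
          NotOnOrAfter="2024-01-01T00:05:00Z"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>google.com</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
        <saml:AttributeValue>jdoe@example.com</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>
"""


def check_response(xml_text, expected=EXPECTED):
    """Return the list of mismatches between the response and the relying-party
    settings; an empty list means the response is consistent with them."""
    problems = []
    root = ET.fromstring(xml_text.strip())
    if root.tag != "{%s}Response" % NS["samlp"]:
        return ["root element is not samlp:Response"]
    if root.get("Version") != "2.0":
        problems.append("SAML version is not 2.0")
    if root.get("Destination") != expected["acs_url"]:
        problems.append("Destination does not match the Assertion Consumer URL")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return problems + ["response carries no assertion"]
    # "Sign SAML Assertion?" is checked: the signature must sit inside the Assertion.
    if assertion.find("ds:Signature", NS) is None:
        problems.append("assertion is not signed")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != expected["nameid_format"]:
        problems.append("NameID missing or not in emailAddress format")
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != expected["acs_url"]:
        problems.append("Recipient does not match the Assertion Consumer URL")
    audience = assertion.find("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)
    if audience is None or audience.text != expected["audience"]:
        problems.append("Audience does not match the relying-party name")
    # The emailaddress claim and the NameID come from the same st field, so they must agree.
    email = None
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == expected["email_claim"]:
            email = attr.findtext("saml:AttributeValue", namespaces=NS)
    if email is None:
        problems.append("emailaddress claim is missing")
    elif name_id is not None and email != name_id.text:
        problems.append("emailaddress claim does not match the NameID")
    return problems


if __name__ == "__main__":
    print(check_response(SAMPLE_RESPONSE) or "response matches the relying-party settings")
```

To check a real response, capture the base64 SAMLResponse form field from a browser's developer tools, decode it, and pass the XML to check_response with EXPECTED adjusted to your own Google Apps identifier; an empty list confirms the Identity Claims and Response tab settings took effect.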

Configure Google Apps to Authenticate against PortalGuard

Log into the Google Apps Admin Control Panel by navigating to www.google.com/a/<your_google_app_identifier> and select the Advanced tools menu.

1. Check the Enable Single Sign-on checkbox.

2. Enter https://<your_portalguard_server>/sso/go.ashx in the Sign-in page URL field.

3. Enter https://<your_portalguard_server>/_layouts/PG/signout.aspx into the Sign-out page URL field.

4. Enter https://<your_portalguard_server>/_layouts/PG/login.aspx?ReturnUrl=%2fdefault.aspx&pgautopop=2 into the Change password URL field.

5. Click the Replace certificate link and supply the PGIdP.cer file created with openssl above.

6. Click the Save changes button.

7. Test access with the following URLs:

   a. http://mail.google.com/a/<your_google_app_identifier>

   b. http://calendar.google.com/a/<your_google_app_identifier>