3.2.1.3.1.1.4 Google Workspace/GSuite

This section describes how to integrate Google Workspace (GSuite) so that SDP end users can authenticate to the OPSWAT Client.

These instructions assume that the OPSWAT Client is installed and that your device is part of a MetaAccess group with SDP enabled.

Please note: Google estimates that any changes made via the Admin Console can take up to 24 hours to propagate. If your changes do not take effect after 24 hours, please contact Google Support.

  • Log in to your Google admin console and click on “Security” > “Context-Aware Access”.

  • Click Access Levels, then “CREATE ACCESS LEVEL”.

  • Give the new rule a name, like “MetaAccess SDP Gateway” and click “Continue”.

  • Ensure the “Meets these conditions” radio button is selected, and click “Add attribute”.

  • From the pick menu on the left, choose “IP Subnet”. On the right, enter the outside IPs of your MetaAccess SDP Gateways, comma-delimited.

  • If you are using the OPSWAT Hosted Gateway, enter the single IP, 52.14.220.48 instead.

  • Click “Create Access Level”. You should see a green check next to “You've created an access level”.

  • Go back to the main Admin interface and click on “Security” > “Context-Aware Access” > “Assign Access Levels”.

  • Check the selection box to the left of the apps you want to control.

  • Important: For initial testing we recommend selecting a single app that’s not critical to your operations. Once we verify connectivity to that app, you can come back to this interface and add the Access Level to other apps at your convenience.

  • Click “Assign” at the top of the app list, then choose the Access Level you want to apply and click “Save”.

  • In the “Access Levels” column, you should now see your new Access Level applied to the app(s) of your choice.

  • Go back to the main Admin interface and click on Apps, then SAML Apps.

  • Choose “Add App”, then “Add custom SAML app”.

  • Name your app, e.g. “MetaAccess SDP” and click Continue.

  • Click “Download Metadata”, then Continue.

  • Open your MetaAccess console and click on “User Management” > “SSO” > “SDP”.

  • Next to “Import configuration from XML Metadata file”, click “Choose File” and upload the Google metadata.

  • Copy the URL next to “MetaAccess Login URL”, enter “group” in the “Group Attributes” box, and click Save at the top right.

  • Go back to the SAML app in Google and paste this URL as the “ACS URL”, then enter “metaaccess-sdp” as the “Entity ID”. All other values can remain default.

  • Click Continue.

  • Click “Add Mapping”.

  • Under “Google Directory attributes”, click “Select Field”, and choose “Employee Details” > “Department”.

  • Under “App attributes”, enter “group”, and click “Finish”.

  • This will bring you to the App details. In the “User Access” card, click “OFF for everyone”.

  • On the Service Status page, click “On for everyone”, then click “Save”.

  • Navigate back to your new app and click “TEST SAML LOGIN”.

  • This will open a web browser and prompt you to allow launching the OPSWAT Client.
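
If the test login fails, the values entered above can be checked against what Google actually sends. The following is an added example, not OPSWAT or Google code: it inspects a base64-encoded SAMLResponse for the ACS URL, the “metaaccess-sdp” Entity ID and a non-empty “group” attribute. It compares values only and does not verify the XML signature. The function names, the sample response and the example.invalid URL are constructed for illustration.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

def check_saml_response(b64_response, acs_url, entity_id="metaaccess-sdp",
                        group_attr="group"):
    """List config problems in a base64 SAMLResponse (values only, no signature check)."""
    root = ET.fromstring(base64.b64decode(b64_response))
    problems = []
    # The ACS URL pasted into Google is where the assertion must be addressed.
    recipients = [e.get("Recipient")
                  for e in root.iterfind(".//saml:SubjectConfirmationData", NS)]
    if acs_url not in recipients:
        problems.append(f"Recipient {recipients} does not match the ACS URL")
    # The Entity ID entered in Google is sent as the assertion's Audience.
    audiences = [(e.text or "").strip() for e in root.iterfind(".//saml:Audience", NS)]
    if entity_id not in audiences:
        problems.append(f"Audience {audiences} lacks Entity ID {entity_id!r}")
    # The Department -> "group" mapping must arrive with a non-empty value.
    groups = [v.text.strip()
              for a in root.iterfind(".//saml:Attribute", NS)
              if a.get("Name") == group_attr
              for v in a.iterfind("saml:AttributeValue", NS)
              if v.text and v.text.strip()]
    if not groups:
        problems.append(f"attribute {group_attr!r} is missing or empty")
    return problems

def sample_response(acs_url, audience, attr_name, attr_value):
    """Build a constructed, unsigned SAMLResponse for demonstration only."""
    xml = f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"><saml:Assertion>
<saml:Subject><saml:SubjectConfirmation><saml:SubjectConfirmationData
 Recipient="{acs_url}"/></saml:SubjectConfirmation></saml:Subject>
<saml:Conditions><saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience>
</saml:AudienceRestriction></saml:Conditions>
<saml:AttributeStatement><saml:Attribute Name="{attr_name}">
<saml:AttributeValue>{attr_value}</saml:AttributeValue>
</saml:Attribute></saml:AttributeStatement></saml:Assertion></samlp:Response>"""
    return base64.b64encode(xml.encode()).decode()

ACS = "https://metaaccess.example.invalid/sso/acs"  # placeholder, not a real URL
# Constructed response with the attribute mapped under the wrong name.
print(check_saml_response(sample_response(ACS, "metaaccess-sdp", "department", "IT"), ACS))
```

An empty list means the three values line up. Replace the placeholder URL with the “MetaAccess Login URL” copied from your console.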