Integrate with G Suite Authentication

Frame supports Single Sign-On (SSO) with Google authentication through both OAuth2 and SAML2 integration options. The OAuth2 option is the easiest to set up and can be done in under a minute. The SAML2 option is also relatively quick and easy, but requires more steps.

G Suite OAuth2 SSO Integration

If you would like to enable G Suite OAuth2 at the organization or customer level, click on the profile icon in the upper right corner of the screen and select “Go to Admin.” Navigate to the desired customer or organization, click on the ellipsis to the right of the entity name, and click “Edit.”

../../_images/goauth1.png

Click on the “Security” tab and enable the Google Authentication toggle listed under “Authentication.” Click “Save” in the upper right corner.

../../_images/goauth2.png

Click on the newly created “Google” tab listed below the “Security” tab. From there, click “Add.”

../../_images/goauth3.png

The “Add Google authorization” window will appear:

../../_images/goauth4.png

From this window, you can specify individual email addresses or entire domains you wish to grant access to and their corresponding roles. For this example, we will give access to the domain mycompany.com. All users tied to this domain will be given “Launchpad User” access on the “Applications 2” Launchpad. Click “Add” when you have finished specifying your emails/domains and roles. Read more about permissions in the “Manage User Permissions” section of the Xi Frame documentation.

../../_images/goauth5.png

Note

When specifying a G Suite domain, you must prefix the domain with the @ symbol, as shown above.

You can now instruct your users to select the “Sign in with Google” option when accessing their Xi Frame login page and enter their Google credentials.

../../_images/goauth6.png

They will be prompted to allow Nutanix Frame access to their Google Drive the first time they sign in. Then, once they connect to their Frame account, it will automatically connect to their Google Drive (no further clicks or authentication steps are required).

../../_images/gauthaccess.png

That’s it. Your users can now use Sign in with Google on your account via our OAUTH2 integration option. If you prefer to set up your integration using SAML2, refer to the next section.

G Suite SAML2 Integration

Note that the G Suite SAML2 integration can only be set up by someone with a Super Admin role on a G Suite account. We will be going back and forth between your G Suite Admin console and your Xi Frame account. There are two things we are going to cut and paste from one system to the other.

  • The Frame SAML2 Integration Name. This is a name you pick when you create the SAML2 authentication integration. The name should be something no one else has used across the platform. It should have only letters, numbers, and the dash symbol; no spaces or punctuation are allowed. It is also case-sensitive in that you will need to use this name exactly as it appears in later steps in this guide; upper and lower case matter.

Note

The SAML2 integration name you choose will be displayed on the SSO login button used by anyone logging into the platform.

  • The Google IdP metadata file. This is a metadata file where Google keeps the SAML2 metadata for your account.

  1. A SAML2 authentication integration can be configured at any level (depending on administrative access) by navigating to the Admin page and clicking on the ellipsis listed next to the desired entity name. Select “Edit” from the menu that appears.
../../_images/authnav1.png
  2. Navigate to the “Security” tab and enable the “SAML2” toggle under “Authentication.”
../../_images/authnav2.png
  3. Once the setting is saved, the “SAML2 Providers” tab will appear. Navigate to this tab and then click “Add Provider.”
../../_images/image99.png
  4. A new window will appear. You will be pasting information from G Suite Auth into these fields. For now, open a separate tab and proceed to the next step.
../../_images/blankprovider.png
  5. In the new tab, navigate to your G Suite Admin console. Click on “Apps.”
../../_images/gsuiteauth0.png
  6. From the “Apps Settings” page, click “SAML apps.”
../../_images/gsuiteauth01.png
  7. From the SAML apps page, click on the plus symbol listed in the bottom right corner of the page.
../../_images/gsuiteauth1.png
  8. On the “Enable SSO for SAML Application” window, click “Setup my own Custom App” in the bottom left corner.
../../_images/gsuiteauth2.png
  9. The window will display the Google IdP Information. Click the second download option listed next to “IDP metadata.”
../../_images/gsuiteauth2a.png
  10. You will automatically download the .xml file that contains the required metadata to integrate with Frame. Open the .xml file and copy all of the text in the window to your clipboard. Go back to your Google IdP Information page and click “Next.”

  11. Now, go back to your Xi Frame tab and enter the required information as outlined below. Click “Add” when you are done.

    ../../_images/gsuiteauth3.png
    • Application ID: The Application ID identifies a partner across federation interactions and can be set to any DNS-compliant string. For this example, we will use docs-gsuite. Please do not use this ID for your own integration.
    • Auth provider metadata: Click the “XML” option next to “Auth provider metadata” and paste the IdP metadata you copied earlier into this field. It should look similar to the example above.
    • Name: Enter your own unique SAML2 Integration name here. The name should have only letters, numbers, and the dash symbol; no spaces or punctuation are allowed. It is also case-sensitive. For this example, we will use docs-auth-gsuite. Please do not use this name for your own integration.
    • Authentication token expiration: Set the desired expiration time for the authentication token. This can range from 5 minutes to 7 days.
    • Signed response: Leave this toggle disabled. If you wish to use Signed SAML2 Responses, please contact Frame Support or your Account Manager for further instructions.
    • Signed assertion: Enable this toggle.
  12. Navigate back to your G Suite Auth console tab. You should be on step 3 of 5. On this step, you will enter the application name and description, and upload a logo for the app.

../../_images/gsuiteauth4.png

Use the Frame logo below if you wish. Click “Next” when ready.

../../_images/XiFrame_logo.png
  13. On this step (4 of 5), we will add the Service Provider Details. Click “Next” after entering the information as outlined below.
../../_images/gsuiteauth5.png
  • ACS URL: This is the “Assertion Consumer Service” URL. Here, we’ll enter the Xi Frame SSO URL, which will be in the following format:

    https://img.frame.nutanix.com/saml2/done/[SAML_INTEGRATION_NAME]/

    Warning

    The forward slash at the end of the URL is required for the integration to work correctly.

  • Entity ID: Enter the Application ID you used earlier (we used docs-gsuite).

  • Start URL: This case-sensitive URL will vary depending on where you set up your auth integration on Xi Frame.

    Customer level:

    https://img.frame.nutanix.com/login?return_url=https://frame.nutanix.com/[customer_URL]&account_type=[SAML_INTEGRATION_NAME]

    Organizational level:

    https://img.frame.nutanix.com/login?return_url=https://frame.nutanix.com/[customer_URL]/[organization_URL]&account_type=[SAML_INTEGRATION_NAME]

    Account level:

    https://img.frame.nutanix.com/login?return_url=https://frame.nutanix.com/[customer_URL]/[organization_URL]/[account_URL]&account_type=[SAML_INTEGRATION_NAME]

  • Signed Response: Leave this unchecked. If you wish to use Signed SAML2 Responses, please contact Frame Support or your Account Manager for further instructions.

  • Name ID: The first drop-down menu option should be set to “Basic Information.” Set the second drop-down menu option to “Primary Email.”

  • Name ID Format: Set this to “PERSISTENT.”

  14. The final step (5 of 5) of the G Suite Auth integration setup consists of attribute mapping. Add the 3 attributes as specified in the screenshot below.
../../_images/gsuiteauth6.png
  15. Click “Finish.” Google will inform you that the process has been completed.
../../_images/gsuiteauth7.png
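
A pre-flight check for the values entered in the Service Provider Details step, added here as an example and not part of the Frame documentation or product: it flags a missing trailing slash on the ACS URL, an integration name that does not match exactly (case included), and an Entity ID that differs from the Application ID. The function name check_sp_details and the customer URL example-customer are hypothetical; the hosts and URL formats are the ones shown in this guide.

```python
import re
from urllib.parse import urlsplit

# Hosts and URL layouts follow the formats shown in this guide.
SSO_HOST = "img.frame.nutanix.com"
FRAME_HOST = "frame.nutanix.com"
NAME_RE = re.compile(r"[A-Za-z0-9-]+")  # letters, numbers and the dash only


def check_sp_details(name, application_id, acs_url, entity_id, start_url):
    """Return a list of problems in the values entered in the Google wizard."""
    problems = []
    if not NAME_RE.fullmatch(name):
        problems.append("integration name: only letters, numbers and dashes allowed")

    expected_acs = f"https://{SSO_HOST}/saml2/done/{name}/"
    if acs_url + "/" == expected_acs:
        problems.append("ACS URL: missing the required trailing slash")
    elif acs_url != expected_acs:  # exact match, so case differences are caught
        problems.append(f"ACS URL: expected {expected_acs}")

    if entity_id != application_id:
        problems.append("Entity ID: must equal the Application ID set in Frame")

    start = urlsplit(start_url)
    if (start.scheme, start.netloc, start.path) != ("https", SSO_HOST, "/login"):
        problems.append(f"Start URL: must begin with https://{SSO_HOST}/login")
    # Guide format: return_url=<Frame URL>&account_type=<name>, not URL-encoded.
    query, sep, account_type = start.query.rpartition("&account_type=")
    if not sep or account_type != name:  # case-sensitive comparison
        problems.append("Start URL: account_type does not match the integration name")
    prefix = "return_url="
    target = urlsplit(query[len(prefix):] if query.startswith(prefix) else "")
    levels = [part for part in target.path.split("/") if part]
    if target.scheme != "https" or target.netloc != FRAME_HOST or not 1 <= len(levels) <= 3:
        problems.append(f"Start URL: return_url must be https://{FRAME_HOST}/ plus 1-3 levels")
    return problems


# Constructed sample: the guide's example names plus a made-up customer URL.
SAMPLE = dict(
    name="docs-auth-gsuite",
    application_id="docs-gsuite",
    acs_url=f"https://{SSO_HOST}/saml2/done/docs-auth-gsuite/",
    entity_id="docs-gsuite",
    start_url=f"https://{SSO_HOST}/login?return_url=https://{FRAME_HOST}"
              "/example-customer&account_type=docs-auth-gsuite",
)
print(check_sp_details(**SAMPLE) or "no problems found")
```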

Configure SAML2 Permissions

Once the IdP is successfully configured, administrators will need to configure the authorization rules for the account from the “SAML2 Permissions” tab listed to the right of the current tab. Read more about user roles and permissions in our “User Permissions” section.

../../_images/saml2permissions.png

Using G Suite Authentication as a SAML2 Authentication Integration

Your new SAML2 auth integration will appear as a button on your Xi Frame login page. The URL for navigating to your Xi Frame login page will vary depending on the level at which the SAML2 integration was configured.

Customer level:

https://frame.nutanix.com/[customer_URL]/

Organizational level:

https://frame.nutanix.com/[customer_URL]/[organization_URL]/

Account level:

https://frame.nutanix.com/[customer_URL]/[organization_URL]/[account_URL]/
../../_images/finalgsuite.png