Edit page
TrueNAS SCALETrueCommand Version Documentation
This content follows TrueCommand 3.0 releases. Use the Product and Version selectors above to view content specific to TrueNAS software or major versions.

Configuring TrueCommand SAML Service for Google Admin

Security Assertion Markup Language (SAML) is a single sign-on (SSO) standard for logging users into applications that require authentication credentials (like GitHub, G-Mail, etc.). Single Sign-on (SSO) works by transferring a user’s known identity to another location that provides services to the user. SAML accomplishes the transfer by exchanging digitally-signed XML documents.

A SAML configuration requires an Identity Provider (IdP) and Service Provider (SP). Google Admin is an example of an IdP.

Activating TrueCommand SAML Service

This article provides instructions for setting up SAML service in TrueCommand and then in Google Admin.

Overview of the Google Admin and TrueCommand SAML Service Configuration Process

To configure Google Admin as the IdP, you must:

  • Create a new App for SAML
  • Configure the SAML app properties to act as the IdP service.
  • Add the TrueCommand IP and port number as the ACS URL.
  • Configure the SAML app LDAP attributes properties

After you configure SAML in Google Admin, you configure and start the TrueCommand SAML service.

Configuring a Google Admin SAML App

  1. Open Google Admin and go to Apps > Web and mobile apps.

  2. Click Add App, then select Add custom SAML app to open the App details screen.

  3. Configure the SAML app details.

    a. Type any name you want to use in the App Name field. This example uses tcsaml.

    b. Upload any picture or avatar you want to use into the App icon area to identify the app in your Google Admin account.

    c. Click CONTINUE. to view the Google Identity Provider screen.

    d. Click CONTINUE again to view the Service Provider details screen.

  4. Configure the service provider details.

    a. Enter the TrueCommand login URL https://*IP:PORT*/saml/acs in the ACS Url field. IP:PORT is your TrueCommand system IP with HTTPS port.

    b. Type any name you want into the Entity ID field (ex. truecommand-saml).

    c. Type the https://*IP:PORT*/saml/hello into the Start URL field. IP:PORT is your TrueCommand system IP with HTTPS port.

    d. Set Name ID format to PERSISTENT.

    e. Set Name ID to Basic Information > Primary Email.

    f. Click CONTINUE to view the Attribute Mapping screen.

    g. Enter the Attributes. Select the attribute using the Google Directory attributes dropdown menus, then type the attributes exactly as they are in the table below into the App attributes fields:

      | Parameter | Value |
      |-----------|-------|
      | Primary email | email |
      | First name | given_name |
      | Employee ID | unique_name |
      | Phone number | telephone_number |
      | Title | title |
    

    Adjust the parameters according to your own organization, where unique_name corresponds to the TrueCommand username and is the only required attribute. Primary email might be desired instead of and if an Employee ID is not available.

    h. Click FINISH.

  5. Verify the information is correct. Select TEST SAML LOGIN in the tcsaml area on the left side of the screen to open the TrueCommand SAML Test screen.

  6. Download the metadata.

    a. Select DOWNLOAD METADATA to open the Download Metadata window.

    b. Click DOWNLOAD METADATA again. When complete, click CLOSE.

  7. Verify user access details.

    a. Click View Details under User access to display the Service status details.

    b. Select ON for everyone and click SAVE.

    If you want granular user control, use this area to set it.

  8. Wait for approximately 10-20 minutes for Google to populate all settings through its servers.

Configuring and Starting TrueCommand SAML Service

  1. Log into TrueCommand as an administrator.

  2. Click the button on the top toolbar. Click Administration. Click Configure in the Configuration widget. The Configuration screen with the editable settings displays. Scroll down to SAML settings.

  3. Enter the Google Admin XML metadata file into the SAML Identity Provider Metadata XML Upload field, then click Save.

  4. Select Start the SAML service to enable the service, and click Save again.

  5. Log out of the TrueCommand UI.

  6. Login now using the SAML Login option.