CAS configuration for G Suite

CAS once shipped a dedicated G Suite integration; it is gone now, and G Suite is treated as an ordinary SAML 2 service provider. Setting CAS up for G Suite is not difficult, but finding the right values is not easy, even for a SAML 2 veteran. First, if you are migrating to the "new" CAS configuration, or adding SAML 2 to your G Suite instance, you will probably want to request a test domain for G Suite. For higher education this was pretty simple: search for Google's latest documentation on test domains and follow the prompts. You can then test against a couple of user accounts you create in the test instance without fear of breaking all of your existing users.

In the G Suite admin console, open "Set up single sign-on (SSO) with a third party IdP" and check "Use a domain specific issuer". This changes the issuer (the entity ID Google presents as the SAML service provider) from google.com to google.com/a/gsuitetest.inst.edu, which makes it much easier to tell your test and production G Suite instances apart on the CAS side.

The Sign-in page URL must point at the CAS SAML 2 IdP redirect endpoint, https://<host>/cas/idp/profile/SAML2/Redirect/SSO, assuming your CAS context path is /cas. The certificate you upload must be the signing certificate of your CAS SAML 2 IdP; Google uses it to verify the signatures on the SAML responses CAS returns.

Next you need SAML 2 service-provider metadata for G Suite to give to CAS. Google does not publish any, so you have to generate it yourself; the metadata builder on the SAML Developer Tools site is quite helpful for this.

  • Entity ID is the issuer, e.g. google.com/a/gsuitetest.inst.edu if you chose a domain specific issuer.
  • ACS endpoint is most likely https://www.google.com/a/gsuitetest.inst.edu/acs. This was determined by watching the AuthnRequest in SAML Tracer; it depends on the subdomain / domain of your G Suite instance, so verify it the same way for yours.
  • NameID format: leave it at the SAML 1.1 unspecified format, urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified.
  • Do not provide a certificate. A certificate in SP metadata would be Google's own key (for signing its requests), and Google does not have one for this, so leave the field empty.

The generated metadata carries a validUntil attribute on the EntityDescriptor set only a short time in the future. Remove it before handing the file to CAS, otherwise the metadata will be treated as expired shortly after you install it and logins will stop working.

From here, configure it like any other SAML 2 service in CAS. The one difference is that, because Google publishes no metadata URL, you must either host the generated metadata at a URL of your own or put it on disk and point the service's metadata location at the file. Once the test G Suite instance validates, repeat for production: the only thing that changes is the subdomain / domain that appears in the issuer, the ACS endpoint and the metadata, so replace it with your production value everywhere.
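To make the values above concrete, here is an added example (not code from the original post, from CAS, or from Google) that builds the SP metadata for a G Suite domain without any validUntil, strips validUntil from metadata produced by a tool, and writes the CAS JSON service definition that references the metadata file. The CAS redirect endpoint, entity ID, ACS location and NameID format are the ones given above; the SPSSODescriptor flags, the HTTP-POST binding, the output paths and the service name and numeric id are assumptions for illustration.

```python
"""Generate G Suite SP metadata and the CAS service entry that references it.

Added example, not from the original post. Values marked as assumptions are
not stated in the post and should be checked against your own instance.
"""
import json
import xml.etree.ElementTree as ET
from pathlib import Path

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
NAMEID_UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
ET.register_namespace("md", MD_NS)


def cas_sign_in_url(host: str, context: str = "cas") -> str:
    """Sign-in page URL for the G Suite SSO settings: the CAS SAML 2 IdP redirect endpoint."""
    return f"https://{host}/{context}/idp/profile/SAML2/Redirect/SSO"


def gsuite_sp_metadata(domain: str) -> str:
    """SP metadata for one G Suite domain that uses a domain specific issuer.

    Entity ID, ACS location and NameID format follow the post. The descriptor
    flags and the HTTP-POST binding are assumptions about Google's SP.
    """
    entity_id = f"google.com/a/{domain}"
    acs_url = f"https://www.google.com/a/{domain}/acs"
    # Deliberately no validUntil: this metadata must not expire.
    ed = ET.Element(f"{{{MD_NS}}}EntityDescriptor", {"entityID": entity_id})
    sp = ET.SubElement(ed, f"{{{MD_NS}}}SPSSODescriptor", {
        "AuthnRequestsSigned": "false",   # no SP certificate, so requests are unsigned
        "WantAssertionsSigned": "true",   # assumption: Google verifies with the uploaded IdP cert
        "protocolSupportEnumeration": "urn:oasis:names:tc:SAML:2.0:protocol",
    })
    ET.SubElement(sp, f"{{{MD_NS}}}NameIDFormat").text = NAMEID_UNSPECIFIED
    ET.SubElement(sp, f"{{{MD_NS}}}AssertionConsumerService", {
        "Binding": HTTP_POST, "Location": acs_url, "index": "1", "isDefault": "true",
    })
    return ET.tostring(ed, encoding="unicode")


def strip_valid_until(metadata_xml: str) -> str:
    """Remove validUntil from tool-generated metadata so it does not expire within days."""
    root = ET.fromstring(metadata_xml)
    for element in root.iter():          # iter() includes the root EntityDescriptor
        element.attrib.pop("validUntil", None)
    return ET.tostring(root, encoding="unicode")


def cas_service_definition(domain: str, metadata_file: str, numeric_id: int) -> dict:
    """CAS JSON service entry (SamlRegisteredService) pointing at on-disk metadata.

    serviceId is a regex that CAS matches against the SP entityID, so the dots
    are escaped and the pattern anchored; a bare, unanchored string would also
    match look-alike entity IDs. Name and id are assumptions.
    """
    entity_id = f"google.com/a/{domain}"
    return {
        "@class": "org.apereo.cas.support.saml.services.SamlRegisteredService",
        "serviceId": "^" + entity_id.replace(".", r"\.") + "$",
        "name": "GSuite-" + domain.replace(".", "-"),
        "id": numeric_id,
        "metadataLocation": f"file:{metadata_file}",
    }


if __name__ == "__main__":
    # Test domain first, then production: only the domain changes.
    out = Path("cas-gsuite-out")          # hypothetical; copy into CAS's metadata/services dirs
    out.mkdir(exist_ok=True)
    for numeric_id, domain in enumerate(["gsuitetest.inst.edu", "inst.edu"], start=1000):
        xml_path = out / f"gsuite-{domain}-sp-metadata.xml"
        xml_path.write_text(gsuite_sp_metadata(domain))
        definition = cas_service_definition(domain, str(xml_path.resolve()), numeric_id)
        (out / f"{definition['name']}-{numeric_id}.json").write_text(json.dumps(definition, indent=2))
    print("Sign-in page URL for G Suite:", cas_sign_in_url("cas.inst.edu"))
```

Run it once and you get a metadata file plus a service JSON for each domain; the same code, with a different domain, is the "repeat with production" step. The serviceId is written as an anchored, escaped regex on purpose: CAS treats it as a pattern, and the bare issuer string with unescaped dots would also match entity IDs that only resemble yours.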
