Google SAML
Note, other SAML providers may also work with EMS. Contact EMS support to discuss your options.
Setup
To enable authentication with Google SAML, the following needs to be done:
- Go to your Google apps admin panel: https://admin.google.com/ac/apps/unified
- Add a new application by clicking
Add app
and choosingAdd custom SAML app
. - Choose a name for the application (can be anything). Click next.
- Choose option 1 and download the metadata XML. Click next.
- Add some values, replacing the
homeserver
inhttps://homeserver.ems.host
with whatever the hostname will be chosen in EMS. Note, this is the EMS hostname, not the custom server domain name.- ACS URL:
https://homeserver.ems.host/_synapse/client/saml2/authn_response
- Entity ID:
https://homeserver.ems.host/_synapse/client/saml2/metadata.xml
- Signed response: yes
- Click next
- ACS URL:
- Click add new mapping 3 times, adding the following:
- Application attribute:
email
- Category: Basic Information
- Field: Primary Email
- Application attribute:
firstName
- Category: Basic Information
- Field: First Name
- Application attribute:
lastName
- Category: Basic Information
- Field: Last Name
- Application attribute:
- Click
Finish
and thenOK
. - In the settings for the app, turn on for everyone.
Update metadata
When the certificate expires (by default after 5 years) a new metadata file is required. The file can be downloaded from Google:
- Go to your Google apps admin panel: https://admin.google.com/ac/apps/unified
- Click on your app for Element.
- Click
Download metadata
in the sidebar. - Click
Download metadata
in the modal. - Store the metadata XML on your computer to upload it to EMS.
Upload metadata to EMS
The previously downloaded metadata XML is required by EMS to establish a secure connection to your GSuite environment.
- Go to your EMS hosts: https://ems.element.io/user/hosting
- Click on the tab
Integrations
. - Select the host you wish to update.
- Under
Advanced Authentication
click on theGoogle SAML
integration. - Copy paste the contents of your downloaded metadata XML into the text field.
- Click
Purchase
orUpdate
and wait for your host to apply the change. - Test your changes by logging into the EMS host.
DRAFT Okta SAML
These instructions are a draft and might not be accurate
- Go to your Okta Applications panel: https://your-app-admin.okta.com/admin/apps/active
- Add a new application by clicking
Create App Integration
and choosingSAML 2.0
. - Choose a name for the application (it can be anything). Click next.
- Add some values, replacing the
homeserver
inhttps://homeserver.ems.host
with whatever the hostname will be chosen in EMS.Note,Note that this is the EMS hostname, not the custom server domain name.- Single sign on URL:
https://homeserver.ems.host/_synapse/client/saml2/authn_response
- Make sure
Use this for Recipient URL and Destination URL
is checked - Audience URI (SP Entity ID):
https://homeserver.ems.host/_synapse/client/saml2/metadata.xml
- Name ID format: Unspecified
- Application username: (None)
- Click Show Advanced Settings
- Response: Signed
- Attribute Statements. Name format:
Basic
for all- Name:
email
- Value:user.email
- Name:
firstName
- Value:user.firstName
- Name:
lastName
- Value:user.lastName
- Name:
- Click
Preview the SAML Assertion
. If you get the messagePlease review the form to correct the following errors:
- correct errors shown - Click Next, then Finish
- Click the
Assignments
tab for theApplicationapplication and assign it to everyone or a subset of your users - Click the
Sign On
tab - Click
View Setup Instructions
- Copy everything from the
Provide the following IDP metadata to your SP provider.
text box
- Single sign on URL:
- Continue from Upload metadata to EMS above