SAML SSO with G Suite

My Mautic version is: 2.15.3
My PHP version is: 7.0.33-0+deb9u6

I am not able to set up Mautic SAML SSO with G Suite.

I have set up SAML on G Suite and it provides me with two files, as follows.

1 - GoogleIDPMetadata.xml
2 - GoogleIDPCertificate.pem

These two files above I can load with no problem on Mautic. But Mautic asks me for two more pieces of information:

3 - Private key
4 - Private key encryption password

To better clarify it, I have taken a screenshot, please have a look at: https://pasteboard.co/IUuIrXK.png

My doubt is: What should I load for items 3 and 4 above?

Thanks in advance.

Hello @acremonezi, welcome to the Mautic Community Forums!

Does the documentation here: Authentication | Mautic help at all?

See particularly:

  1. Verify request signatures or a SSL certificate - If the IDP supports encrypting and validating request signatures from Mautic to the IDP, generate a self signed SSL certificate. Upload the certificate and private key through Mautic’s Configuration → User/Authentication Settings under the Use a custom X.509 certificate and private key to secure communication between Mautic and the IDP. section. Then upload the certificate to the IDP.

So it seems this part is not mandatory, but if they support encryption then you need to generate the self-signed certificate and upload the private key in those parts.

Hi! @rcheesley, thanks for your prompt reply.

I have read this documentation and followed it; I used it to set things up. The item 5 you mention in particular was not enough for me. I suspected this may not be necessary, but even so it caused me doubts, especially with using G Suite.

Assuming that items 3 (Private key) and 4 (Private key encryption password) are not necessary, the problem may be in the G Suite setup.

I have taken this screenshot of my G Suite setup, please access it here: https://pasteboard.co/IUvxQ8O.png

Could you please tell me if you are able to clarify my doubts on this setup?

Thanks so much in advance.

Based on your screenshot, I believe the ACS field needs to be:

https://your-mautic.com/s/saml/login_check

(according to point 3 on the Mautic docs)

The check box is whether or not to use the signing, which we are at this point not using (if you’re not providing the private key etc.).

I believe the Name ID type should be Email, based on what you have chosen.

The mapping looks correct per this from the documentation:

  1. Custom attributes - Mautic requires 3 custom attributes that must be included in the IDP responses for the user email, first name and last name.

So maybe if you fix the URL in the ACS field and give it a go? I don’t know about the start URL but it seems to be optional so maybe leave it blank?

1 Like

Hi! @rcheesley, again thanks for your support, your guidance was very important to me.

Thanks a lot, with your help I could solve it.

In order to help other people that may need it, I have made the screenshot below to clarify what steps were done on G Suite and Mautic in order to have it working.

Please, access it here: https://pasteboard.co/IUwnGjm.png

Thanks again and best regards,

2 Likes

Glad to hear you got it solved! You can add an image to your forum post just by dragging it into the editor, FYI :slight_smile:

Thanks for reporting back with the solution!

Hi! @rcheesley, thanks for the information.
I did not know this, on the next post I will apply this advice.
Best regards,

1 Like

Hi,

I have followed all the steps but I’m still getting the following error.
Invalid inbound message destination "https://xxxxxx.com/s/saml/login_check"

[2020-12-05 11:54:43] app.EMERGENCY: Invalid inbound message destination "https://xxxxxx.com/s/saml/login_check" {"profile_id":"sso_sp_receive_response","own_role":"sp","action":"LightSaml\Action\Profile\Inbound\Message\DestinationValidatorResponseAction","top_context_id":"00000000412d51f5000000005b9dd7af","top_context":"[object] (LightSaml\Context\Profile\ProfileContext: {\n "root": "LightSaml\\Context\\Profile\\ProfileContext",\n "root__children": {\n "http_request": "LightSaml\\Context\\Profile\\HttpRequestContext",\n "own_entity": "LightSaml\\Context\\Profile\\EntityContext",\n "inbound_message": "LightSaml\\Context\\Profile\\MessageContext",\n "inbound_message__children": {\n "deserialization": "LightSaml\\Model\\Context\\DeserializationContext",\n "request_state": "LightSaml\\Context\\Profile\\RequestStateContext"\n },\n "party_entity": "LightSaml\\Context\\Profile\\EntityContext"\n }\n})"}

I’m using the docker version of Mautic, do i need to do anything extra?
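For the "Invalid inbound message destination" error above, here is an added Python example (not Mautic's or LightSaml's own code) that mirrors, in essence, the check LightSaml's destination validator performs: the Destination attribute of the inbound SAML Response must exactly match one of the ACS URLs the SP has configured for itself. The sample Response and the ACS values are constructed, and the http-vs-https and container-hostname cases are illustrative assumptions about how a Docker deployment's site URL can differ from the URL given to G Suite, not a diagnosis of this poster's setup.

```python
import xml.etree.ElementTree as ET
from typing import List, Optional
from urllib.parse import urlsplit

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"

# Constructed sample: only the parts of a samlp:Response that this check needs.
# An IdP such as G Suite POSTs a (signed, much larger) document to the ACS URL.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="_constructed-id" Version="2.0" IssueInstant="2020-12-05T11:54:43Z"
    Destination="https://xxxxxx.com/s/saml/login_check">
</samlp:Response>"""


def response_destination(xml_text: str) -> Optional[str]:
    """Return the Destination attribute of a samlp:Response, or None if absent."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % SAMLP_NS:
        raise ValueError("not a samlp:Response: %s" % root.tag)
    return root.get("Destination")


def validate_destination(xml_text: str, acs_locations: List[str]) -> bool:
    """The check behind "Invalid inbound message destination": the Destination
    must equal (string comparison, no normalisation) one of the SP's own ACS
    URLs. A Response with no Destination passes, as the attribute is optional."""
    dest = response_destination(xml_text)
    if dest is None:
        return True
    return dest in acs_locations


def explain_mismatch(destination: str, acs_location: str) -> List[str]:
    """Name which URL components differ, to point at the misconfiguration
    (e.g. a site URL set to http:// or to the container hostname)."""
    a, b = urlsplit(destination), urlsplit(acs_location)
    return [f for f in ("scheme", "netloc", "path") if getattr(a, f) != getattr(b, f)]


if __name__ == "__main__":
    # Hypothetical SP-side ACS values; the first would accept the sample Response.
    for acs in ("https://xxxxxx.com/s/saml/login_check",
                "http://xxxxxx.com/s/saml/login_check",
                "https://mautic:8080/s/saml/login_check"):
        ok = validate_destination(SAMPLE_RESPONSE, [acs])
        diff = [] if ok else explain_mismatch(response_destination(SAMPLE_RESPONSE), acs)
        print("%-45s -> %s %s" % (acs, "ok" if ok else "REJECTED", diff))
```

If the configured ACS that Mautic advertises in its own SP metadata differs from the URL entered in G Suite in any of these components, the Response is rejected before any assertion is processed.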

Hi @monkeymon, did you find a solution for this? I am having the same issue. Thanks