Configure Single Sign-On for Google in CloudCheckr CMx

In this topic, you will learn how to set up Single Sign-On (SSO) with your Google account in CloudCheckr CMx.

Prerequisite

You must be an enterprise customer to use IdP-initiated SSO.


Workflow

  1. Create a support ticket in the CloudCheckr Service Desk Portal that indicates you need to set up SAML.
  2. A CloudCheckr Support engineer will:
    • walk you through how to generate SAML IdP metadata through your SSO provider
    • validate that the authentication process works in your environment
    Although CloudCheckr will provision your users for the first-time logon, your organization must enable specific permissions and account access for your CloudCheckr CMx users. For more information, see the Access Management and Roles topics.
  1. In your Google Admin console, click Apps > SAML apps.
  2. Select the Add a service/App to your domain link or click the plus (+) icon in the bottom corner.

  3. Select Setup my own custom SAML App.

    The Google IDP Information window opens and the Single Sign-On URL and the Entity ID URL fields automatically populate.
  4. Download the IdP metadata, and send the downloaded XML file to CloudCheckr Support.

  5. Click Next.
  6. In the Basic Application Information window, provide an application name (CloudCheckr CMx) and description.
  7. In the Service Provider Details window, provide the following information:
    If you log in to CloudCheckr CMx at https://app-eu.cloudcheckr.com, https://app-au.cloudcheckr.com, or https://app-gov.cloudcheckr.com, replace 'us' in the following URLs with the region from your login URL.
    ACS URL:
    • For IdP-initiated SSO, type https://auth-us.cloudcheckr.com/auth/sso/saml2/Acs
    • For SP-initiated SSO, type https://auth.mycompanycloud.com/auth/sso/saml2/Acs

    Entity ID:
    • For IdP-initiated SSO, type https://auth-us.cloudcheckr.com/auth
    • For SP-initiated SSO, type https://auth-us.cloudcheckr.com/auth

    NameID: Basic Information - Primary Email
    • NameID Format: EMAIL
    • Signed Response: Yes (checked)
  8. Click Next.

    No mappings are required.
  9. Click Finish.
  10. To turn on SSO for your new SAML app, go to your Google Admin console, and select your new SAML app.
  11. At the top of the gray box, click More Settings and select one of the following options:

    • On for everyone to turn on the service for all users (click again to confirm).
    • Off to turn off the service for all users (click again to confirm).
    • On for some organizations to change the setting only for some users.
  12. Ensure that your user account email IDs match those in your G Suite domain.

  13. Send the SAML metadata file to CloudCheckr Support.

    After Support configures your account, it will take approximately 30 minutes before you can access your account in CloudCheckr CMx.
  14. Log in to your Google account.
  15. Click the applications grid at the top of the page.
  16. If CloudCheckr CMx is not visible, click More.
  17. Click the CloudCheckr CMx icon to access CloudCheckr CMx.
