-
Notifications
You must be signed in to change notification settings - Fork 473
l Inbound SSO Settings
Beginning with GAM 6.31, you can now manage Workspace / Cloud Identity Inbound SSO settings. You can add SAML SSO profiles, upload certificates for those profiles and assign the profiles to OrgUnits or Groups.
- Create an Inbound SSO Profile
- Update an Inbound SSO Profile
- Get Info About an Inbound SSO Profile
- Delete an Inbound SSO Profile
- Print/show Inbound SSO Profiles
- Create or Replace Credentials
- Delete Credentials
- Print/show Credentials
- Create an Inbound SSO Assignment
- Update an Inbound SSO Assignment
- Get Info About an Inbound SSO Assignment
- Print/show Inbound SSO Assignments
gam create inboundssoprofile [name <name>] [entityid <entityid>] [loginurl <url>] [logouturl <url>] [changepasswordurl <url>]
Creates a new Inbound SSO profile with details about the remote SAML IDP. All fields are optional on create but must be set in order for the profile to be considered complete and assignable to groups/orgunits. Name and entityid specify the name and entity ID for the profile. loginurl, logouturl and changepasswordurl specify the IDP URLs for the respective actions.
This example creates a profile for your SimpleSAMLPHP IDP
gam create inboundssoprofile name "SimpleSAMLPHP" entityid simplesamlphp loginurl "https://dev2.andreas.feide.no/simplesaml/saml2/idp/SSOService.php" logouturl "https://www.google.com" changepasswordurl "https://www.google.com"
gam update inboundssoprofile <profile name or id:profile_id> [name <newname>] [entityid <newentityid>] [loginurl <url>] [logouturl <url>] [changepasswordurl <url>]
Update an existing Inbound SSO Profile. The profile to update can be specified using the profile name like "SimpleSAMLPHP" or the unique ID Of the profile prefixed with "id:". The name, entityid, loginurl, logouturl and changepasswordurl parameters can optionally be entered in order to update those respective fields for the profile.
This example updates the logout URL for our profile.
gam update inboundssoprofile "SimpleSAMLPHP" logouturl "https://dev2.andreas.feide.no/logout.html"
gam info inboundssoprofile <profile name or id:profile>
Show information about an existing profile. The profile can be referenced by name or unique ID prefixed with id:
Shows information about a profile
gam info inboundssoprofile SimpleSAMLPHP
gam delete inboundssoprofile <profile name or id:profile>
Deletes an existing inboundssoprofile. The profile can be referenced by name or unique ID prefixed with id:
Deletes a profile
gam delete inboundssoprofile SimpleSAMLPHP
gam print|show inboundssoprofiles [todrive]
Prints (CSV output) or shows (human readable output) all current Inbound SSO Profiles. On print only, the optional argument todrive causes GAM to generate a Google Sheet of the CSV results rather than printing them to the console.
This example shows all current profiles.
gam show inboundssoprofiles
gam create inboundssocredential [profile <profile name or id:profile_id>] [pemfile <filename>] [generate_key] [key_size] [replace_oldest]
Creates a new key for the given Inbound SSO profile or replaces the oldest one (Google allows 2 credentials per profile). The profile argument is mandatory and specifies which Inbound SSO profile the credentials should be associated with. pemfile "filename" or generate_key must be specified in order to upload a RSA/DSA PEM file's contents or generate a new RSA private key and public certificate and upload the generated certificate. The generated filenames will show on the console. key_size specifies the size of the RSA key GAM should generate. Allowed values are 1024, 2048 and 4096. replace_oldest specifies that if there are already two credentials for the profile (and only if there are two), the oldest credentials should be deleted to make room for the new credential you are creating.
IMPORTANT Google ignores any expiration date on public certificates. As long as the public certificate credential exists in the profile Google will allow logins which are signed by the corresponding private key. You should ALWAYS delete old certificates once they should no longer be in use.
This example uploads an existing public certificate contained in a PEM file
gam create inboundssocredential profile SimpleSAMLPHP pemfile new_pub_cert.pem
This example generates a new 4k key and replaces the oldest key if there are already two.
gam create inboundssocredential profile SimpleSAMLPHP generate_key key_size 4096 replace_oldest
gam delete inboundssocredential <name>
Deletes an existing Inbound SSO credential. The name is the unique ID Google assigns to a credential.
This example deletes an existing credential by name.
gam delete inboundssocredential inboundSamlSsoProfiles/03h0nwgl1qms6ww/idpCredentials/K8748028
gam print|show inboundssocredentials [profiles <name or id:profile>,<another name>] [todrive]
Print (CSV output) or show (human readable output) the current Inbound SSO credentials. The optional argument profiles specifies the name or ID of Inbound SSO profiles (comma separated) whose credentials should be output. On print, the optional argument todrive causes a Google Sheet to be generated with the CSV output rather than printing it to the console.
This example print all credentials to a Google Sheet.
gam print inboundssocredentials todrive
This example shows the credentials for a single profile.
gam show inboundssocredentials profile SimpleSAMLPHP
gam create inboundssoassignment [profile <name or id:profile_id>] [group [email protected]] [orgunit /OrgUnit/Path] [mode SAML_SSO|SSO_OFF|DOMAIN_WIDE_SAML_IF_ENABLED] [rank <number>] [never_redirect]
Assigns a given Inbound SSO profile to a group or orgunit. You must specify one of group or orgunit. mode is also a mandatory argument and specifies the SSO behavior of the assignment. Use one of SAML_SSO, SSO_OFF or DOMAIN_WIDE_SAML_IF_ENABLED. If mode is SAML_SSO you must specify the profile to assign with profile. rank is optional for group assignments and specifies the numeric ranking of the assignment for priority. The rank for orgunit assignments is always zero (0). The optional argument never_redirect causes Google to never redirect to the IDP (SP initiated login disabled, IDP initiated login will work).
This example assigns a profile to the Sales group
gam create inboundssoassignment profile SimpleSAMLPHP group [email protected] mode SAML_SSO
gam update inboundssoassignment group|orgunit [profile <name or id:profile_id>] [mode SAML_SSO|SSO_OFF|DOMAIN_WIDE_SAML_IF_ENABLED] [rank <number>] [never_redirect]
Updates an existing Inbound SSO assignment based on the group or orgunit. mode specifies the assigned SSO mode and should be one of SAML_SSO, SSO_OFF or DOMAIN_WIDE_SAML_IF_ENABLED. If mode is SAML_SSO, profile can be specified to update the SSO profile assigned. rank is optional for group assignments and specifies the numeric ranking which sets priority of the assignment, rank for OrgUnits is always 0. never_redirect is optional and disables Google redirecting users to the IDP, IDP-initiated login is still allowed.
This example turns SSO on for the root OU
gam update inboundssoassignment ou:/ mode SAML_SSO profile "SimpleSAMLPHP"
gam info inboundssoassignment group|orgunit
Displays information about an existing Inbound SSO assignment.
These examples shows the assignment status of the root OU and the [email protected] group.
gam info inboundssoassignment ou:/
gam info inboundssoassignment group:[email protected]
gam print|show inboundssoassignments [todrive]
Prints (CSV format) or shows (human readable format) all current Inbound SSO assignments. On print, if todrive is specified a Google Sheet of the CSV results is created rather than outputting it to the console.
This example shows all current assignments
gam show inboundssoassignments
Need more help? Ask on the GAM Discussion Group
Update History
Installation
- How to Install GAM7
- How to Upgrade GAMADV-XTD3 to GAM7
- How to Upgrade Legacy GAM to GAM7
- How to Update GAM7
- Install GAM as Python Library
- GAM7 on Chrome OS Devices
- GAM7 on Android Devices
- Google Network Addresses
- HTTPS Proxy
- SSL Root CA Certificates
- How to Uninstall GAM7
Configuration
- Authorization
- GAM Configuration
- Running GAM7 securely on a Google Compute Engine
- Using GAM7 with a delegated admin service account
- Using GAM7 with a YubiKey
Notes and Information
- Upgrade Benefits
- Questions? Visit the GAM Discussion Forum
- GAM Public Chat Room
- Scripts
- Other Resources
- Drive REST API v3
- BNF Syntax
- GAM Return Codes
- Python Regular Expressions
- Rclone
Definitions
Command Processing
- Bulk Processing
- Command Line Parsing
- Command Logging and Progress
- Command data from Google Docs/Sheets/Storage
- CSV Special Characters
- CSV Input Filtering
- CSV Output Filtering
- Meta Commands and File Redirection
- Permission matches
- Tag Replace
- Todrive
Collections
Client Access
- Addresses
- Administrators
- Alert Center
- Aliases
- Calendars
- Calendars - Access
- Calendars - Events
- Chrome Auto Update Expiration Counts
- Chrome Browser Cloud Management
- Chrome Device Needs Attention Counts
- Chrome Installed Apps
- Chrome Policies
- Chrome Printers
- Chrome Profile Management
- Chrome Version Counts
- Chrome Version History
- ChromeOS Devices
- Classroom - Courses
- Classroom - Guardians
- Classroom - Invitations
- Classroom - Membership
- Cloud Channel
- Cloud Identity Devices
- Cloud Identity Groups
- Cloud Identity Groups - Membership
- Cloud Identity Policies
- Cloud Storage
- Context Aware Access Levels
- Customer
- Domains
- Domains - Verification
- Domain People - Contacts & Profiles
- Domain Shared Contacts - Global Address List
- Email Audit Monitor
- Find File Owner
- Google Data Transfers
- Groups
- Groups - Membership
- Inbound SSO
- Licenses
- Mobile Devices
- Organizational Units
- Reports
- Reseller
- Resources
- Send Email
- Schemas
- Shared Drives
- Sites
- Users
- Unmanaged Accounts
- Users - Signout and Turn off 2-Step Verification
- Vault - Takeout
- Version and Help
Special Service Account Access
Service Account Access
- Users - Analytics Admin
- Users - Application Specific Passwords
- Users - Backup Verification Codes
- Users - Calendars
- Users - Calendars - Access
- Users - Calendars - Events
- Users - Chat
- Users - Classification Labels
- Users - Classroom - Profile
- Users - Deprovision
- Users - Contacts
- Users - Contacts - Delegates
- Users - Drive - File Selection
- Users - Drive - Activity/Settings
- Users - Drive - Cleanup
- Users - Drive - Comments
- Users - Drive - Copy/Move
- Users - Drive - Files-Display
- Users - Drive - Files-Manage
- Users - Drive - Orphans
- Users - Drive - Ownership
- Users - Drive - Permissions
- Users - Drive - Query
- Users - Drive - Revisions
- Users - Drive - Shortcuts
- Users - Drive - Transfer
- Users - Forms
- Users - Gmail - Client Side Encryption
- Users - Gmail - Delegates
- Users - Gmail - Filters
- Users - Gmail - Forwarding
- Users - Gmail - Labels
- Users - Gmail - Messages/Threads
- Users - Gmail - Profile
- Users - Gmail - S/MIME
- Users - Gmail - SendAs/Signature/Vacation
- Users - Gmail - Settings
- Users - Group Membership
- Users - Keep
- Users - Looker Studio
- Users - Meet
- Users - Classroom - Profile
- Users - People - Contacts & Profiles
- Users - Photo
- Users - Profile Sharing
- Users - Shared Drives
- Users - Spreadsheets
- Users - Tasks
- Users - Tokens
- Users - YouTube
GAM Tutorials
- Account Auditing
- Calendar Settings
- Chat Bot commands
- Chrome Browser Management
- Chrome Policy Settings
- Context Aware Access levels
- Data Transfers
- Domain Verification
- Google Drive Management
- Group Settings
- Inbound SSO Settings
- Managing Admins
- Managing Classroom
- Managing Custom User Schemas
- Managing Devices
- Managing Organizations
- Managing Product Licenses
- Managing Users, Groups, Aliases, Domains, Mobile and Chrome Devices, and Resource Calendars
- OAuth Authentication Related Commands
- Print Users, Groups, Aliases, Mobile and Chrome OS devices, OUs, Licenses and Reports
- Printers
- Unmanaged Users and Invitations
- User Email Settings
- User Security Settings