SAML with Google Workspace
Prerequisites
- Cortex must be running at a URL that won't change. You'll be using this URL as part of the configuration; Azure AD will assume this is where authentication requests will be coming from and where authentication responses should be redirected. (In the instructions below, this is referred to as <your cortex url> and in configuration as PublicUri.)
- Cortex should be running on an HTTPS site with a valid certificate.
Configure Google Workspace
Follow Google's instructions to create a new custom SAML app.
Specifically, use the following settings:
- ACS URL:
https://<your cortex url>/saml-assertion
- Entity ID:
https://<your cortex url>
- Start URL: (blank)
- All other settings can be left with the default value.
Be sure to download the IdP metadata.
Configure Cortex
For simplicity, the configuration options on this page are listed in Block:SubBlock:Setting format.
If you're configuring Cortex by modifying appsettings.json, that means you'll set the Setting in the JSON block SubBlock within the JSON block Block, e.g.:
  {
    "Block": {
      "SubBlock": {
        "Setting": "value"
      }
    }
  }
If you're configuring Cortex via environment variables, you'll set an environment variable named Block:SubBlock:Setting in PowerShell, or Block__SubBlock__Setting in any environment (that is, replacing each single colon with two underscores).
- Set either Authentication:Saml:IdpMetadataFile or Authentication:Saml:IdpMetadataContents to the path to the IdP metadata XML file or the contents of that file (respectively). Only one of these settings needs to be set.
- Set Authentication:Saml:PublicUri to https://<your cortex url>.
- Set Authentication:LookUpBy to Email.
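As an added example (not part of the Cortex project's own tooling), the POSIX shell script below sets the three settings above in their environment-variable form, checks them for the mistakes this page warns about (a PublicUri that is not HTTPS, both or neither of the metadata settings set, a LookUpBy other than Email), and prints the ACS URL and Entity ID that must match what was entered in Google Workspace. The hostname cortex.example.internal and the metadata placeholder are constructed values, and the helper function names are assumptions of this example, not Cortex settings.

```shell
#!/bin/sh
# Added example: pre-flight check for the Cortex SAML settings documented above.
# Setting names are the ones on this page; sample values are constructed.

# Turn a Block:SubBlock:Setting name into the Block__SubBlock__Setting form
# used for environment variables outside PowerShell.
env_name() {
  printf '%s' "$1" | sed 's/:/__/g'
}

# Derive the two values entered on the Google Workspace side from PublicUri.
# A single trailing slash on PublicUri is tolerated and stripped.
acs_url()   { printf '%s/saml-assertion' "${1%/}"; }
entity_id() { printf '%s' "${1%/}"; }

# Validate the settings. Prints one line per problem and returns 1 if any.
# Arguments: public_uri metadata_file metadata_contents lookup_by
check_saml_config() {
  public_uri=$1; metadata_file=$2; metadata_contents=$3; lookup_by=$4
  rc=0
  case "$public_uri" in
    https://*) ;;
    *) echo "PublicUri must be an https:// URL (got '$public_uri')"; rc=1 ;;
  esac
  if [ -n "$metadata_file" ] && [ -n "$metadata_contents" ]; then
    echo "set only one of IdpMetadataFile and IdpMetadataContents"; rc=1
  elif [ -z "$metadata_file" ] && [ -z "$metadata_contents" ]; then
    echo "one of IdpMetadataFile or IdpMetadataContents is required"; rc=1
  fi
  if [ -n "$metadata_file" ] && [ ! -r "$metadata_file" ]; then
    echo "IdpMetadataFile '$metadata_file' is not readable"; rc=1
  fi
  if [ "$lookup_by" != "Email" ]; then
    echo "LookUpBy must be Email for Google Workspace (got '$lookup_by')"; rc=1
  fi
  return $rc
}

# Constructed sample values in Block__SubBlock__Setting form; replace with your own.
# The metadata contents here are a placeholder, not a real IdP descriptor.
export Authentication__Saml__PublicUri="https://cortex.example.internal"
export Authentication__Saml__IdpMetadataContents="<EntityDescriptor>PLACEHOLDER</EntityDescriptor>"
export Authentication__LookUpBy="Email"

# Run the check and, if it passes, show what Google Workspace must be given.
if check_saml_config "$Authentication__Saml__PublicUri" \
                     "$Authentication__Saml__IdpMetadataFile" \
                     "$Authentication__Saml__IdpMetadataContents" \
                     "$Authentication__LookUpBy"; then
  echo "ACS URL:   $(acs_url "$Authentication__Saml__PublicUri")"
  echo "Entity ID: $(entity_id "$Authentication__Saml__PublicUri")"
fi
```

Run it before restarting Cortex; a non-zero exit means at least one of the settings would leave the SAML flow broken, and the printed ACS URL and Entity ID should be compared character for character against the custom SAML app in Google Workspace.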
Additional Options
Depending on your specific configuration, you may or may not need the options below. Start by following the setup above, then change a single option at a time, re-testing after each change. Depending on the type of misconfiguration (or "incomplete" configuration), you may see feedback in the UI or in the logs.
- Authentication:Saml:RevocationMode - do you want to verify that the IdP's certificate is unexpired and has not been revoked?
- Authentication:Saml:ForceAuthn - require the user to enter their username and password on the IdP's login screen regardless of whether they are already logged in. This is equivalent to Cherwell's "Authentication: Force" setting.