SSO with G Suite
With Cyral, you can authenticate database users against your G Suite instance. Below, we show how to set this up.
- Make sure you have administrator-level access to your G Suite Admin Console.
- Find your Cyral control plane domain name. This is the address where
you open the Cyral control plane UI. For example, if your UI's URL
https://exampleco.cyral.com/app/homethen you'll use
examplecowhen the instructions here ask you for Cyral control plane URLs.
Create SAML IdP app in G Suite
Navigate to the G Suite Admin Console and select Apps ➡️ SAML Apps ➡️ Add App ➡️ Add custom SAML app
Give your custom SAML app a Name that makes it clear this is the app for Cyral integration. For example, Cyral.
Click Download metadata and save the downloaded file. You'll upload it later in the Cyral control plane UI.
In the same window from which you downloaded the IdP metadata, make note of the IdP ID of your SAML app. The IdP ID is embedded in the SSO URL and Entity ID in a 9-character parameter,
idpid. The IdP ID will have a format like, for example, A01abc2de.
In the Service provider details page, enter your ACS URL and Entity ID in the formats shown here:
https://<YOUR CONTROL PLANE>.cyral.com:8000/auth/realms/default/broker/gsuite.<YOUR IDP ID>/endpoint
https://<YOUR CONTROL PLANE>.cyral.com:8000/auth/realms/default
Edit the other fields to match this example, but where we show
exampleco, please replace it with your Cyral control plane domain name.
On the Attribute mapping page, specify which user data attributes will be sent to Cyral:
First Name: This is required. Choose First name from the drop-down list and type
First Name(both words start with a capital letter!) in the App attributes field. This is case- and formatting-sensitive and won't function properly if anything other than
First Nameis entered on the right.
Last Name: This is required. Choose Last name from the drop-down list and type
Last Name(both words start with a capital letter!) in the App attributes field. This is case- and formatting-sensitive and won't function properly if anything other than
Last Nameis entered on the right.
In the Google Admin ➡️ Web and mobile apps page for your SAML app, go to User access ➡️ View details.
On the details page, use the left bar to turn the app ON for everyone or ON for the subset of users who will access databases through Cyral.
Choosing a subset of users does not cause information about the subset to be provided to Cyral.
Now that you've created the G Suite SAML IdP App, you must add it to Cyral as explained below.
Add G Suite IdP to Cyral
In the Cyral control plane UI, go to Integrations ➡️ G Suite ➡️ Setup.
Click New integration.
Provide a Display Name for this SSO provider. This is the name your users and administrators will see when they use or set up this SSO provider.
Click Upload a file and upload the SAML metadata file you saved in the "Download metadata" step earlier.
Click Submit. You will receive a confirmation screen that reminds you SSO login services might not be available immediately.
Creating or updating a SAML App in G Suite does not take effect immediately. Plan to wait 24-48 hours for your G Suite SAML App to become usable for Cyral SSO logins.
See Set up SSO authentication for users for the steps to activate SSO authentication on each repository that will use it.