We are going to use WSO2 Identity Server as the SAML identity provider for Google Apps. This is a valid scenario when an organization's identity provider is an independent third party. Here is the scenario we are going to support.
Set up SAML SSO in your Google Apps domain by following the Google documentation: https://support.google.com/a/answer/60224?hl=en
The sign-in page URL has the form https://host:port/samlsso. The change password URL points to the portal that employees use to change their password.
On the WSO2 Identity Server side, go to Main -> Service Providers -> Add and add the following configuration.
- The ACS URL is https://www.google.com/a/test.com/acs
- Since we ticked "Use a domain specific Issuer" in the Google Apps SSO settings above, our issuer is "google.com/a/test.com"
- The NameID format is "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
- Enable Assertion signing (the corresponding certificate was uploaded into Google Apps in the previous step)
- Enable Single Logout and Attribute Profile
Note: test.com needs to be replaced by your actual domain name.
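To confirm that what the identity provider sends to Google actually reflects the settings above, here is an added example (not part of the original post, and not WSO2 or Google code) that inspects a SAML Response against the ACS URL, domain-specific issuer, NameID format, assertion signature and attribute statement configured above. It only checks structure with the standard library; the sample response, the IdP issuer "wso2is.example" and the signature placeholder are constructed, and the actual signature validation is done by Google with the uploaded certificate.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Service-provider values from the post; test.com stands in for the real domain.
EXPECTED_ACS = "https://www.google.com/a/test.com/acs"
EXPECTED_SP_ENTITY = "google.com/a/test.com"
EXPECTED_NAMEID_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

def check_response(xml_text):
    """Return the list of ways the Response deviates from the SP settings ([] = none)."""
    root = ET.fromstring(xml_text)
    problems = []
    if root.get("Destination") != EXPECTED_ACS:
        problems.append("Destination is not the Google ACS URL")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return problems + ["Response carries no Assertion"]
    if assertion.find("ds:Signature", NS) is None:  # presence only; Google verifies it
        problems.append("Assertion is not signed (Enable Assertion signing)")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != EXPECTED_NAMEID_FORMAT:
        problems.append("NameID format is not emailAddress")
    audiences = [a.text for a in assertion.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if EXPECTED_SP_ENTITY not in audiences:
        problems.append("Audience does not name the domain-specific issuer")
    if assertion.find("saml:AttributeStatement", NS) is None:
        problems.append("No AttributeStatement (Enable Attribute Profile)")
    return problems

# Constructed sample of what the IdP would POST to the ACS; not a real capture.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
    Destination="https://www.google.com/a/test.com/acs">
  <saml:Issuer>wso2is.example</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>wso2is.example</saml:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">placeholder</ds:Signature>
    <saml:Subject><saml:NameID
      Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@test.com</saml:NameID></saml:Subject>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>google.com/a/test.com</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
    <saml:AttributeStatement/>
  </saml:Assertion>
</samlp:Response>"""
```

Run `check_response` on a response captured from your own browser's SAML POST (after base64-decoding it) to see which of the configured settings is missing.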