SSO with G Suite
With Cyral, you can authenticate database users against your G Suite instance. Below, we show how to set this up.
Prerequisites
- Make sure you have administrator-level access to your G Suite Admin Console.
- Find your Cyral control plane domain name. This is the address where you open the Cyral control plane UI. For example, if your UI's URL is https://exampleco.cyral.com/app/home then you'll use exampleco when the instructions here ask you for Cyral control plane URLs.
Create SAML IdP app in G Suite
Navigate to the G Suite Admin Console and select Apps ➡️ SAML Apps ➡️ Add App ➡️ Add custom SAML app
Give your custom SAML app a Name that makes it clear this is the app for Cyral integration. For example, Cyral.
Click Download metadata and save the downloaded file. You'll upload it later in the Cyral control plane UI.
In the same window from which you downloaded the IdP metadata, make note of the IdP ID of your SAML app. The IdP ID is embedded in the SSO URL and Entity ID in a 9-character parameter, idpid. The IdP ID will have a format like, for example, A01abc2de.
Click Continue.
In the Service provider details page, enter your ACS URL and Entity ID in the formats shown here:
ACS URL:
https://<YOUR CONTROL PLANE>.cyral.com:8000/auth/realms/default/broker/gsuite.<YOUR IDP ID>/endpoint
Entity ID:
https://<YOUR CONTROL PLANE>.cyral.com:8000/auth/realms/default
For example:
ACS URL:
https://exampleco.cyral.com:8000/auth/realms/default/broker/gsuite.A01abc2de/endpoint
Entity ID:
https://exampleco.cyral.com:8000/auth/realms/default
Edit the other fields to match this example, but where we show exampleco, please replace it with your Cyral control plane domain name.
Click Continue.
On the Attribute mapping page, specify which user data attributes will be sent to Cyral:
- First Name: This is required. Choose First name from the drop-down list and type First Name (both words start with a capital letter!) in the App attributes field. This is case- and formatting-sensitive and won't function properly if anything other than First Name is entered on the right.
- Last Name: This is required. Choose Last name from the drop-down list and type Last Name (both words start with a capital letter!) in the App attributes field. This is case- and formatting-sensitive and won't function properly if anything other than Last Name is entered on the right.
Click Continue.
In the Google Admin ➡️ Web and mobile apps page for your SAML app, go to User access ➡️ View details.
On the details page, use the left bar to turn the app ON for everyone or ON for the subset of users who will access databases through Cyral.
Info: Choosing a subset of users does not cause information about the subset to be provided to Cyral.
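The IdP ID and the two Service provider details values can be derived from the downloaded metadata file rather than copied by hand, which catches a mistyped or mismatched idpid before it is saved. The Python below is an added example, not Cyral or Google code: the function names and the sample metadata are constructed for illustration, and it assumes the idpid is alphanumeric and that the control plane name is a bare DNS label such as exampleco.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlparse

MD_NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
# Constructed sample in the shape of a G Suite IdP metadata file (certificate omitted).
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://accounts.google.com/o/saml2?idpid=A01abc2de">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://accounts.google.com/o/saml2/idp?idpid=A01abc2de"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def _idpid(url):
    """Return the idpid parameter of an https URL (assumed: 9 alphanumeric characters)."""
    parsed = urlparse(url)
    if parsed.scheme != "https":
        raise ValueError(f"not an https URL: {url!r}")
    values = parse_qs(parsed.query).get("idpid", [])
    if len(values) != 1 or not re.fullmatch(r"[A-Za-z0-9]{9}", values[0]):
        raise ValueError(f"no single 9-character idpid in {url!r}")
    return values[0]


def extract_idp_id(metadata_xml):
    """Read the IdP ID from the Entity ID and every SSO URL; they must all agree."""
    root = ET.fromstring(metadata_xml)
    urls = [root.get("entityID", "")]
    urls += [e.get("Location", "") for e in root.iterfind(".//md:SingleSignOnService", MD_NS)]
    if len(urls) < 2:
        raise ValueError("metadata has no SingleSignOnService element")
    ids = {_idpid(u) for u in urls}
    if len(ids) != 1:
        raise ValueError(f"Entity ID and SSO URL disagree on idpid: {sorted(ids)}")
    return ids.pop()


def service_provider_details(control_plane, idp_id):
    """Build the ACS URL and Entity ID in the formats this page gives."""
    if not re.fullmatch(r"[A-Za-z0-9-]+", control_plane):  # assumed: bare name, not a URL
        raise ValueError(f"expected a bare name such as 'exampleco', got {control_plane!r}")
    base = f"https://{control_plane}.cyral.com:8000/auth/realms/default"
    return {"acs_url": f"{base}/broker/gsuite.{idp_id}/endpoint", "entity_id": base}


if __name__ == "__main__":
    print(service_provider_details("exampleco", extract_idp_id(SAMPLE_METADATA)))
```

To use it on a real download, pass the contents of the saved metadata file to extract_idp_id in place of SAMPLE_METADATA.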
Now that you've created the G Suite SAML IdP App, you must add it to Cyral as explained below.
Add G Suite IdP to Cyral
In the Cyral control plane UI, go to Integrations ➡️ G Suite ➡️ Setup.
Click New integration.
Provide a Display Name for this SSO provider. This is the name your users and administrators will see when they use or set up this SSO provider.
Click Upload a file and upload the SAML metadata file you saved in the "Download metadata" step earlier.
Click Submit. You will receive a confirmation screen that reminds you SSO login services might not be available immediately.
Warning: Creating or updating a SAML App in G Suite does not take effect immediately. Plan to wait 24-48 hours for your G Suite SAML App to become usable for Cyral SSO logins.
Next step
See Set up SSO authentication for users for the steps to activate SSO authentication on each repository that will use it.