Search

How do I configure SAML-based single sign-on for the QuWAN QBelt VPN server with Google Workspace Admin as the Identity Provider?

Last modified date: 2024-01-25

Applicable Products

  • QuWAN Orchestrator
  • QVPN Client
  • Google Workspace Admin

Details

QuWAN Orchestrator enables the use of Security Assertion Markup Language (SAML)-based single-sign on (SSO) to exchange authentication and authorization data with an Identify Provider (IdP), for example, Google Workspace Admin. With this feature, users can utilize the same SAML IdP credentials to access various services that support SAML authentication. This eliminates the necessity of adding new credentials for each individual application and service.

Important
To sign in to the Google administrator account, you must have a valid Google Workspace or Cloud Identity account. These accounts give you the necessary permissions to manage your organization's Google services.

Procedure

1.Creating a custom SAML-based sign-on for the QuWAN QBelt VPN server using the Google Workspace administrator account

  1. Go to https://admin.google.com.
  2. Sign in using your Google Workspace username and password.
    The Admin console appears.
  3. Click .
  4. Click Apps.
  5. Click Web and mobile apps.
  6. Click Add App, and then click Add custom SAML app.
  7. Specify an app name and description.
    Note
    Use a clear, descriptive name for your custom SAML app, like the service name itself (e.g., "QuWAN QBelt VPN Server").
  8. Optional: Upload an icon for your app.
  9. Click Continue.
    The Google Identity Provider details page appears.
  10. Copy the SSO URL, Entity ID, and certificate to the clipboard.
  11. Click Continue.
    Important
    Do not close the Google Workspace Admin console window after this step. Proceed to configure the SAML SSO settings in QuWAN Orchestrator, then return to the Google Workspace Admin console to complete the custom SAML app creation.

2. Configuring the QuWAN QBelt VPN server settings in QuWAN Orchestrator and Google Workspace Admin console

To enable the Google Workspace Admin SAML SSO, you must create a link between Google Workspace Admin users and their corresponding QuWAN QBelt VPN SAML SSO user groups.

  1. Configure the SAML SSO settings in QuWAN Orchestrator.
    1. Go to https://quwan.qnap.com.
    2. Sign in using your QNAP account username and password.
    3. Select your organization.
    4. Go to VPN Server Settings > Privilege Settings.
    5. Go to SAML SSO.
    6. In the Basic SAML Configuration field, click .
      The Configure SAML SSO Settings window appears.
    7. Under Identity Provider Information, paste the SSO URL, Entity ID, and certificate information.
    8. Copy the Identifier (Entity ID) and Reply URL (ACS URL) to the clipboard.
    9. Click Save.
  2. Configure the service provider settings in the Google Workspace Admin console.
    1. Open the Google Workspace Admin console tab on your browser.
      The Service provider details page appears.
    2. Paste the copied Identifier (Entity ID) and Reply URL (ACS URL) in their respective fields.
    3. Click Continue.
      The Attribute mapping page appears.
    4. Map user attributes based on the QuWAN SAML SSO requirements.
      1. Configure the email attribute for identity authentication.
        1. Click Add mapping.
        2. Under Google Directory attributes, select Primary email.
        3. Enter email in the App attributes field.
      2. Configure the group attribute for permission controls.
        1. Click Add mapping.
        2. Under Google Directory attributes, select Department.
        3. Enter groups in the App attributes field.
          Tip (Optional)
          To effectively map QuWAN SAML SSO user rules to corresponding Google Workspace Admin groups, first select the Google groups you want to add to the SAML app under Group membership (optional), and then enter groups as the app attribute.
      3. Click Save.
        Google Workspace Admin console saves the settings.
  3. Activate the custom app for QuWAN QBelt SAML SSO.
    1. Go to https://admin.google.com.
    2. Sign in using your Google Workspace username and password.
      The Admin console appears.
    3. Click .
    4. Click Apps.
    5. Click Web and mobile apps.
    6. Select your customized QuWAN QBelt VPN server app.
    7. Click User access.
    8. On the Service status page, select On for everyone.
    9. Click Save.
    10. Optional: Activate the service for a set of groups.
      1. Click Groups.
      2. Select one or more groups.
      3. Select On to enable the service.
      4. Click Save.

3. Adding a SAML SSO user rule in QuWAN Orchestrator

  1. Open QuWAN Orchestrator.
  2. Select your organization.
  3. Go to VPN Server Settings > Privilege Settings.
  4. Go to SAML SSO.
  5. Click Configure SAML SSO Now.
  6. Add a new SAML SSO user group.
    1. In QuWAN Orchestrator, go to VPN Server Settings > Privilege Settings > SAML SSO.
    2. Next to SAML SSO User Rules, click Add.
    3. Enable the user rule.
    4. Configure the user group settings.
      SettingUser Action
      Rule nameSpecify a name for the SAML SSO user rule.
      Attribute valueThe value corresponding to the source attribute configured for the custom SAML app's group attribute in Google Workspace Admin console.
      Note
      • If group membership is the configured group attribute in Google Workspace, use the corresponding app attribute value in QuWAN Orchestrator.
      • If a different attribute (e.g., Department) is used as the group attribute, employ its corresponding app attribute value in QuWAN Orchestrator. You can find the corresponding value of attribute Department in Google Workspace Admin console's Users page.
      • Select Rule for all users to apply the attribute value to all the users.
      SegmentSelect a pre-configured segment.
      Accessible hubsSelect one or more hubs to connect to.
    5. Optional: Enable Allow concurrent multidevice connections.
    6. Click Save.
  7. Click Apply.

QuWAN Orchestrator saves the SAML SSO settings.

4. Connecting to QuWAN QBelt VPN server with QVPN Client and Google Workspace Admin SSO

After successfully configuring QuWAN SAML SSO, establish a connection to QuWAN QBelt VPN through the QVPN Client.

  1. Go to QNAP Utilities.
  2. Locate QVPN Client (formerly named QVPN Device Client).
  3. Download the utility to your device.
  4. Install the utility on the device.
  5. Open QVPN Client.
  6. Click Add a QuWAN Profile.
  7. Specify the organization ID.
    Note
    You can find the organization ID in QuWAN Orchestrator. Go to VPN Server Settings > Privilege Settings > SAML SSO.
  8. Click Next.
    The Authentication Settings page appears.
  9. Select SAML SSO as the service.
  10. Click Next.
    QVPN Client prompts you to enter the Google Workspace Admin credentials once it opens the default browser.
  11. Click OK.
  12. Enter your Google Workspace Admin credentials and sign in.
  13. Close the browser and return to QVPN Client.
  14. Configure the profile settings.
    1. Specify a profile name.
    2. Select a regional hub from the drop-down menu.
      You can either let the system automatically select the optimal hub for your needs, or you can manually choose a specific hub and specify the WAN port you want to connect to.
    3. Optional: Select Connect immediately After Save if you want to connect to the QuWAN profile immediately after applying the settings.
  15. Locate the QuWAN profile in QVPN Client, and then click Connect.
    QVPN Client opens the default system browser for user authentication.
  16. Enter your Google Workspace Admin credentials and sign in.
    You can close the browser after logging in to Google Workspace Admin and return to QVPN Client.

QVPN Client connects to the QuWAN QBelt VPN Server using Google Workspace Admin SSO.

Further Reading

Was this article helpful?

Yes. No.
100% of people think it helps.
Thank you for your feedback.

Please tell us how this article can be improved:

If you want to provide additional feedback, please include it below.

Choose specification

      Show more Less

      Choose Your Country or Region

      back to top