YouTrack as SAML Identity Provider for Google Apps for Work
When you configure a YouTrack server as the Identity Provider for your Google Apps instance, end-users can log into Google Apps with their credentials in YouTrack or any other authentication module enabled in YouTrack.
This configuration also enables single-sign-on. When a user logs into one of the services that is connected to YouTrack, they are logged into all connected services.
Before you start, verify the following prerequisites:
You must have administrative privileges in both Google Apps for Work and YouTrack.
To log into Google Apps with YouTrack, a user must have a registered account in Google Apps. In Google Apps, it is not allowed to create new users automatically via SAML.
You must have the SSL certificate file that you use for SAML 2.0 in YouTrack. You will need to upload this file to Google Apps during the configuration.
Due to the Google Apps requirements, only end-users can log into Google Apps using a third-party SAML IdP (in this case, YouTrack). Google Apps administrators can only log in directly on the Google Admin console login page. For details, refer to this Google documentation page.
Keeping this in mind, use a non-administrative account to test the SAML configuration.
To configure your Google Apps instance:
In your Google Apps instance, sign in to the Admin Console.
Open the Security page.
Select the Set up single sign-on (SSO) panel.
Enable the Setup SSO with third party identity provider option.
Configure the parameters:
Sign-in page URL
Paste the content of the Sign In URL field on page of the YouTrack server.
Sign-out page URL
Paste the content of the Sign Out URL field on the page of the YouTrack server.
Change password URL
If you want to redirect all your end-users who try to change their passwords at Google Apps to YouTrack, then enter the URL of the login page of your YouTrack instance in the following format:
<YouTrack server Base URL>/auth/loginFor details, refer to the Google Apps documentation page.
Upload the file of the SSL certificate that is packed in the SSL key store set up for SAML in YouTrack.
Use a domain specific issuer
Choose whether Google should whether to include a standard or domain specific issuer. Standard issuer is
google.com. Format of the domain specific issuer is
google.com/a/<your domain>For details, refer to the Google Apps documentation page.
Provide a semicolon-separated list of IP addresses that should always be routed through YouTrack for authentication. By default, we recommend that you leave the field blank to authenticate all end-users via YouTrack.
In YouTrack, select Access Management section of the Administration menu.from the
Select the Registered Service Providers tab.
Click the Register service provider button.
In the dialog, enter the parameters of your Google Apps instance:
Enter a name to be displayed for the Google Apps instance in YouTrack.
Enter either standard or domain-specific issuer depending on the Use a domain specific issuer option status.
Optionally, enter a description of the Google Apps instance.
Paste the Access Consumer Service (ACS) URL of your Google Apps instance in the format:
YouTrack should send
Enable the option.