This note describes how to configure your Dome9 account to use Single Sign-on (SSO) from Google G Suite using SAML.
- In the G Suite Admin console, navigate to SAML apps.
- Click the “+” button to add a new service.
- Click SETUP MY OWN CUSTOM APP. You will be presented with Step 2.
- Download the Certificate. We will use it in a later step.
- Keep the Google Admin Console open on this page.
- In a new tab, open the Dome9 console and navigate to: Administration -> Account Settings -> SSO.
- Click Enable.
- On the Dome9 SSO Configuration page, set the following:
  - Account ID – This can be any text you want. No need to make it complicated.
  - Issuer – Copy the “Entity ID” field from Step 2 of the G Suite page and paste it here.
  - Idp Endpoint URL – Copy the “SSO URL” field from Step 2 of the G Suite page and paste it here.
  - X.509 certificate – Using a text editor, open the certificate file you downloaded earlier and copy the full contents. Paste it in this field.
  - Just-in-time provisioning for the account – This option allows for Dome9 users to be created and deleted when a G Suite user is created or deleted.
- Click Save. The page will refresh and you should now see:
Leave this page open.
- Switch back to the G Suite Console and click Next.
- Fill in the details as you like. These are details that users will see.
- Click Next. Fill in the following fields:
  - ACS URL – Copy this URL from the “Login Page” field of the Dome9 SSO Configuration. Add /saml after the /sso (full URL should look like –
  - Entity ID – This is always https://secure.dome9.com/
  - Name ID Format – Change to “EMAIL”
- Continue to click Next until you are back at the SAML apps page.
- Click on the newly created Dome9 SAML app.
- Click Edit Service.
- Turn the service ON or OFF for your organization (or specific groups).
- Switch back to the Dome9 Console and navigate to: Administration -> Users
- Using the Actions menu next to a username, choose Connect to SSO to enable the user to log in using SSO.
- When SSO is enabled, new users are created with SSO enabled by default.
- Connecting a user to SSO will disable the normal login method for that user.
- When disconnecting SSO from a user, the user will need to re-enable MFA in the Dome9 console (if MFA was originally used).
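The X.509 certificate field above expects the full contents of the downloaded file, so a check like the following can confirm nothing was lost in the copy before you click Save. This is an added example, not part of the original note or of Dome9's or Google's tooling; the function names are hypothetical and the sample input is a constructed blob, not a real certificate.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)

def der_declared_length(der: bytes) -> int:
    """Total object size announced by the outer DER SEQUENCE header."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    if der[1] < 0x80:                       # short form: one length byte
        return 2 + der[1]
    n = der[1] & 0x7F                       # long form: n length bytes follow
    if n == 0 or len(der) < 2 + n:
        raise ValueError("bad DER length field")
    return 2 + n + int.from_bytes(der[2:2 + n], "big")

def check_pasted_certificate(text: str) -> dict:
    """Report problems in the pasted PEM text and its SHA-256 fingerprint."""
    blocks = PEM_RE.findall(text)
    if len(blocks) != 1:
        return {"problems": [f"expected 1 certificate block, found {len(blocks)}"],
                "sha256": None}
    try:
        der = base64.b64decode("".join(blocks[0].split()), validate=True)
        declared = der_declared_length(der)
    except ValueError as exc:               # also covers binascii.Error
        return {"problems": [f"body does not decode: {exc}"], "sha256": None}
    problems = []
    if declared != len(der):                # lines lost or added while copying
        problems.append(f"DER header declares {declared} bytes, got {len(der)}")
    return {"problems": problems, "sha256": hashlib.sha256(der).hexdigest()}

def constructed_pem(payload_len: int = 300) -> str:
    """Constructed sample: a DER-framed blob, NOT a real certificate."""
    der = (b"\x30\x82" + payload_len.to_bytes(2, "big")
           + (bytes(range(256)) * 2)[:payload_len])
    return ("-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der).decode()
            + "-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    sample = constructed_pem()
    print(check_pasted_certificate(sample))
    lines = sample.splitlines()
    print(check_pasted_certificate("\n".join(lines[:2] + lines[3:])))  # one line lost
```

The SHA-256 value it returns can be kept with your change record so a later certificate rotation is easy to spot.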
Login using SSO
If a user has permissions in G Suite AND Dome9 to use SSO, once logged in to their G Suite account, the user can click the menu in Google and choose Dome9 from the list of apps.