YouTrack Standalone 2019.3 Help

YouTrack as SAML Identity Provider for Google Apps for Work

When you configure a YouTrack server as the Identity Provider for your Google Apps instance, end-users can log into Google Apps with their credentials in YouTrack or any other authentication module enabled in YouTrack.

This configuration also enables single-sign-on. When a user logs into one of the services that is connected to YouTrack, they are logged into all connected services.

Before you start, verify the following prerequisites:

  • You must have administrative privileges in both Google Apps for Work and YouTrack.

  • To log into Google Apps with YouTrack, a user must have a registered account in Google Apps. In Google Apps, it is not allowed to create new users automatically via SAML.

  • You must have the SSL certificate file that you use for SAML 2.0 in YouTrack. You will need to upload this file to Google Apps during the configuration.

Due to the Google Apps requirements, only end-users can log into Google Apps using a third-party SAML IdP (in this case, YouTrack). Google Apps administrators can only log in directly on the Google Admin console login page. For details, refer to this Google documentation page.
Keeping this in mind, use a non-administrative account to test the SAML configuration.

To configure your Google Apps instance:

  1. In your Google Apps instance, sign in to the Admin Console.

    Saml ga admin console

  2. Open the Security page.

  3. Select the Set up single sign-on (SSO) panel.

  4. Enable the Setup SSO with third party identity provider option.

    Saml ga security sso

  5. Configure the parameters:

    Parameter

    Description

    Sign-in page URL

    Paste the content of the Sign In URL field on More Settings > SAML2.0 > Settings page of the YouTrack server.

    Sign-out page URL

    Paste the content of the Sign Out URL field on the More Settings > SAML2.0 > Settings page of the YouTrack server.

    Change password URL

    If you want to redirect all your end-users who try to change their passwords at Google Apps to YouTrack, then enter the URL of the login page of your YouTrack instance in the following format: <YouTrack server Base URL>/auth/login For details, refer to the Google Apps documentation page.

    Verification certificate

    Upload the file of the SSL certificate that is packed in the SSL key store set up for SAML in YouTrack.

    Use a domain specific issuer

    Choose whether Google should whether to include a standard or domain specific issuer. Standard issuer is google.com. Format of the domain specific issuer is google.com/a/<your domain> For details, refer to the Google Apps documentation page.

    Network masks

    Provide a semicolon-separated list of IP addresses that should always be routed through YouTrack for authentication. By default, we recommend that you leave the field blank to authenticate all end-users via YouTrack.

  6. In YouTrack, select SAML 2.0 from the Access Management section of the Administration menu.

  7. Select the Registered Service Providers tab.

  8. Click the Register service provider button.

  9. In the dialog, enter the parameters of your Google Apps instance:

    Parameter

    Description

    Name

    Enter a name to be displayed for the Google Apps instance in YouTrack.

    Issuer

    Enter either standard or domain-specific issuer depending on the Use a domain specific issuer option status.

    Description

    Optionally, enter a description of the Google Apps instance.

    Consumer URL

    Paste the Access Consumer Service (ACS) URL of your Google Apps instance in the format: https://www.google.com/a/<yourdomain.com>/acs

    YouTrack should send LogoutResponse

    Enable the option.

Last modified: 16 March 2020