Configure SAML-based SSO using Google Workspace (Formerly G-Suite)

Overview

Get started with simplified user logins by setting up single sign-on (SSO) with Google Workspace for your site. After you set up SSO, your users can sign in to the mobile app by using their Google Workspace credentials.

Set up a new SAML app

  1. Sign in to your Google Admin console.
  2. From the Admin console home page, go to Apps > Web and mobile apps.
  3. Click Add App > Add custom SAML app.

  4. On the App details page:
    1. Enter the name of the custom app.
    2. The icon is optional.
  5. Click Continue.
  6. On the Google Identity Provider details page, copy the SSO URL and Entity ID and download the Certificate.
  7. Click Continue.
  8. On the Service provider details page:
    1. Enter the ACS URL: https://sia-sso.azurewebsites.net/Saml2/Acs
    2. Enter the Entity ID: https://sia-sso.azurewebsites.net/Saml2
    3. Set Name ID format to EMAIL
    4. Set Name ID to Basic Information > Primary Email
  9. Click Continue.
  10. On the Attribute mapping page add the following mappings:
    1. First Name -> FirstName
    2. Last Name -> LastName
    3. (Optional) Any Google directory attribute -> Role
      1. Choose a directory attribute that can be used to determine the user's role, like "Organization unit path", "Department" or "Cost center".
      2. We will use the value of this attribute to map users to roles in our system.
      3. "Organization unit path" is generated based on the user's organization unit.
      4. Given the following organization unit structure, the paths would be:
        Root -> /
        Test unit -> /Test unit
        Test unit inside another unit -> /Test unit/Test unit inside another unit
  11. Click Finish.


Turn on your SAML app

  1. Go to Apps > Web and mobile apps.
  2. Select your app.
  3. Click User access.
  4. To turn on the app for everyone in your organization, click On for everyone and then click Save.

  5. (Optional) If you only want to turn on the app for a set of users or organizational units, please follow the "Turn on your SAML app" section of the official guide.

Email us the setup information

Please send the SSO URL, Entity ID and the Certificate to content@schoolinfoapp.com with the subject "SSO - G-Suite", along with the desired default role and an optional role mapping. Please list the possible values that can appear in the “Role” attribute and the role each one should translate to in SchoolInfoApp’s system. The default role will be assigned to all users we are unable to map.

Example setup information:
  1. SSO URL: https://accounts.google.com/o/saml2/idp?idpid=C00mnztyz
  2. Entity ID: https://accounts.google.com/o/saml2?idpid=C00mnztyz
  3. Certificate: your_cert.pem (attached)
  4. Default role: Other
  5. (Optional) Role mapping:
    1. Your role 1 -> Administrator (this is the role it will be mapped to in our system)
    2. Your role 2 -> Student
Our team will let you know once everything is configured on our end.
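
Before sending the email, the setup information can be sanity-checked. The following is an added example, not SchoolInfoApp's code: it checks that the SSO URL and Entity ID have the shape shown in the example above and carry the same idpid, and that the default role is not a privileged one. The function names, the exact-match role lookup and the choice of "Administrator" as the privileged role are assumptions.

```python
from urllib.parse import urlparse, parse_qs

# Constructed sample, modelled on the article's "Example setup information".
# The mapping key reuses one of the article's organization unit paths.
SETUP = {
    "sso_url": "https://accounts.google.com/o/saml2/idp?idpid=C00mnztyz",
    "entity_id": "https://accounts.google.com/o/saml2?idpid=C00mnztyz",
    "default_role": "Other",
    "role_mapping": {"/Test unit": "Student"},
}
PRIVILEGED_ROLES = {"Administrator"}  # assumption: role to keep out of the default

def google_idpid(url, expected_path):
    """Return the idpid if url is an HTTPS Google SAML URL with that path, else None."""
    parts = urlparse(url)
    if parts.scheme != "https" or parts.hostname != "accounts.google.com":
        return None
    if parts.path != expected_path:
        return None
    ids = parse_qs(parts.query).get("idpid", [])
    return ids[0] if len(ids) == 1 else None

def check_setup(setup):
    """Return a list of problems found in the setup information (empty if none)."""
    problems = []
    sso_id = google_idpid(setup["sso_url"], "/o/saml2/idp")
    entity_id = google_idpid(setup["entity_id"], "/o/saml2")
    if sso_id is None:
        problems.append("SSO URL does not look like a Google SAML SSO URL")
    if entity_id is None:
        problems.append("Entity ID does not look like a Google SAML entity ID")
    if sso_id and entity_id and sso_id != entity_id:
        problems.append("SSO URL and Entity ID carry different idpid values")
    if setup["default_role"] in PRIVILEGED_ROLES:
        problems.append("default role is privileged; unmapped users would receive it")
    for value in setup["role_mapping"]:
        if not value or value != value.strip():
            problems.append(f"role mapping value {value!r} is empty or padded")
    return problems

def resolve_role(setup, attribute_value):
    """Exact-match lookup with fallback to the default role (assumed behaviour)."""
    return setup["role_mapping"].get(attribute_value, setup["default_role"])

if __name__ == "__main__":
    print(check_setup(SETUP))
    print(resolve_role(SETUP, "/Test unit/Test unit inside another unit"))
```

Under the exact-match assumption, a user in a nested organization unit falls back to the default role unless that unit's full path is listed in the role mapping.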

Troubleshooting common issues

Error: app_not_configured_for_user

This error is generated by Google and means that the user you tried logging in with does not have access to the SAML app in G-Suite.
Please review the steps in the "Turn on your SAML app" section to make sure that you have set up user access correctly.
If everything seems to be set up correctly, try turning access Off for everyone, then turning it back On after a minute, and see if that solves the issue.

