Skip to main content

Google integrations

Google SAML2 SSO

Google SAML2 SSO

Introduction

Connect Flexopus with your Google Workspace Directory (formerly known as Google G-Suite) via a SAML2 Single Sign On integration. With the integration, you can manage which Google Workspace users should have access to Flexopus and force them to use their Google credentials for the login. Based on a SAML2 Setting in Flexopus you can let the user profiles be created after the first successful SAML2 SSO login attempt to avoid a manual user creation process at Flexopus.

Setup Instruction Manual

Follow the step by step introduction manual to configure the integration. The manual also includes best practices and solution for some commonly made errors during the configuration. Still, if you need help with the setup, feel free to reach out to our support team via support@flexopus.com.

💡
Note: You can find a general Google documentation about the SAML app setups here.

STEP 1 - Create custom SAML app

Open the Google Workspace Admin Console and select Apps > Mobile and Web Apps (or use this link). Select the option Add app > add custom SAML app.

Create custom SAML app

Enter the App-Details
App-Name: Flexopus SSO
Description: Workplace Management Software
You can download an app icon here or navigate to our website and download the logo pack here:

FLEXOPUS_BLACK_512
FLEXOPUS_BLACK_512.png
5 KB
download-circle
App Details
  • Click on Option 1 to download the metadata file by selecting the Download Metadata button.
  • After downloading the file, upload it in Flexopus.
  • Click Continue to proceed with the setup process.
Download Metadata
  1. Navigate in Flexopus as an administrator to Dashboard > Settings > Authentication.
  2. Click on the Add provider button.
  3. Select the SAML2 SSO option.
  4. Retrieve the ACS URL, Entity ID, and Start URL from this section.
  5. Enter these configuration parameters on the corresponding page for your setup.
Create SAML2 SSO Provider
  • Copy the URLs from Flexopus to your Google configuration:Entity ID = Entity IDCallback (ACS) URL = ACS URLRelay state = Start URL (optional)
  • Leave the signed response = deactivated! (The responses are still sent signed, but only the assertion. This corresponds to the software standard.)
  • Name ID format = PERSISTENT
  • Name ID = Information > Primary email
  • Click Continue and return to Flexopus to complete the configuration.
Configuration paramaters
Configure the parameters
💡
Note: Start URL is the default relay state at Google. We must set this value in order to be able to convert the IdP initiated login to an SP initiated login. This setting enables the login when the user clicks on the application from Google. (Select app at the top right)
💡
Note: You can configure multiple Single Sign On providers at the same time. In most of the cases there is only one Identity Provider (IdP), however in an organization with multiple companies may have multiple IdPs. For this reason, there is a prefix in the URL to differentiate between the SAML2 URLs per IdP.

STEP 2 - Configure Flexopus

  • In Flexopus, navigate to Dashboard > Settings > Authentication.
  • Select the created SAML2 Provider.
  • Enable the SAML2 SSO.
  • Choose the Metadata file option instead of the Metadata URL for the configuration.
  • Upload the downloaded Metadata File from Google.
Upload Metadata File
  • Enter the name of the SAML2 Login button to be displayed on the login page. Recommended: SSO Login.
  • (Optional) Enable the synchronization of the fields configured in the SAML2 settings such as job title or department.
Fields and button name
  • In security settings, set the allowed domains for SSO to * (star) and press ENTER to allow all users configured in your Google directory to log in.
  • By default, SAML2 SSO users are registered automatically after their first login attempt, so you don’t need to create user profiles manually. You can disable this setting if needed, though it’s generally not recommended.
Security settings

Save your settings in the bottom.

You can find a SAML2 Extension in the bottom to synchronize the avatar via the Management API. That will be configured in a later step.

STEP 3 - Attribute mapping

Go back to your Google configurations and continue with the step attributes. Set the attributes as listed below.

Google directory attributes App attributes Note
Primary email http://schemas.xmlsoap.org/claims/EmailAddress required
Primary email http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn required
First name http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname required
Last name http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname required
Department department optional
Title jobtitle optional
Attribute mapping
As noted, the unique principal name (UPN) is set to the primary email address, which works well as long as the email remains unchanged. However, email addresses can change (e.g., after a name change due to marriage). When this occurs, the UPN updates, resulting in a new user in Flexopus since the unique UPN has altered. Currently, Google doesn’t provide a more stable identifier that can be mapped via SAML2. Therefore, you have two options:

1. Accept the issue and use the primary email as the identifier.

2. Maintain a custom UPN field for users that remains unique over time.

For a long-term solution, option two is recommended if feasible. This challenge isn't unique to Flexopus.
Once the UPN (Unique Principal Name) is set, do not change it! Unique attributes are meant to remain constant. Changing this field can lead to duplicated user entries, and swapping UPNs between users can create even larger issues. If assistance is needed, please contact us directly.

You can leave the group membership empty. For the Google Group synchronization, we have a more professional way implemented through the Google Management API. For more information, visit the article once you finished this setup.

Flexopus: Google Groups Sync
Learn how to synchronize Google Groups with Flexopus using the Google Directory API for efficient user and group management.
Flexopus Help CenterDaniel Fafula

Click Finish

STEP 4 - Configure who can log in

To avoid login errors when accessing Flexopus, configure login permissions in your Google Workspace directory. Go to the User Access tab and specify which users are allowed or restricted from logging in.

User access

Open the settings and decide which organizational unit or group can log in into the application. It's recommended enabling the login for the whole organization in case you don't have any reasonable limitations in place. In this case, you don't need to maintain the user's access for the login, and you can reduce the number of possible support cases regarding the login configuration.

User access configuration

STEP 5 - Test the configuration

Open Flexopus in a new incognito window and test the login. You should be able to log in with an existing or a new user, depending on how you configured the access rights in your Google Workspace Directory and Flexopus.

💡
Note: It is possible that Google's settings will not be applied immediately. Wait about 30 minutes and test it again.

After configuring SAML2 SSO, you can enforce Single Sign On by disabling email and password login:

  1. Disable password login: This option removes all email and password login forms.
  2. Hide login form: This hides the login form on the main page, though a secondary login form remains accessible at ../dashboard/auth/login for backup admin use.

Navigate to Dashboard > Settings > Authentication to access these options.

Disable emails and password login

Trouble Shooting / FAQ

Duplicate user was created!

This can happen if the UPN changed over the time. Contact us for support: support@flexopus.com

One user can log in in the user profiles of others!

This can happen if you mixed up the UPNs of the users in your Google Workspace Directory over the time. Contact us for support: support@flexopus.com