
Google SAML2 SSO

Introduction

Connect Flexopus with your Google Workspace Directory (formerly known as Google G Suite) via a SAML2 Single Sign-On integration. With the integration, you can manage which Google Workspace users have access to Flexopus and require them to use their Google credentials to log in. With a SAML2 setting in Flexopus, user profiles can be created automatically after the first successful SAML2 SSO login, which avoids creating users manually in Flexopus.


Setup Instruction Manual

Follow the step-by-step instruction manual to configure the integration. The manual also includes best practices and solutions for some common configuration errors. If you still need help with the setup, feel free to reach out to our support team via support@flexopus.com.

💡
Note: You can find Google's general documentation about SAML app setups here.

STEP 1 - Create custom SAML app

Open the Google Workspace Admin Console and select Apps > Web and Mobile Apps (or use this link). Select Add app > Add custom SAML app.

Create custom SAML app

Enter the App-Details:
  • App-Name: Flexopus SSO
  • Description: Workplace Management Software
You can download an app icon here or navigate to our website and download the logo pack here:

App Details

Under Option 1, click the Download Metadata button. You will need to upload the downloaded file in Flexopus. Click Continue.

Download Metadata

On this page, you need to enter the ACS URL, Entity ID and Start URL. These configuration parameters can be found in Flexopus. As an administrator, navigate in Flexopus to Dashboard > Settings > Authentication. Click the Add provider button and select the SAML2 SSO option.

Create SAML2 SSO Provider

Copy the URLs from Flexopus to your Google configuration:
  • Entity ID = Entity ID
  • Callback (ACS) URL = ACS URL
  • Relay state = Start URL (optional)
  • Signed response = leave deactivated! The response is still sent signed, but only at the assertion level. This corresponds to the software standard.
  • Name ID format = PERSISTENT
  • Name ID = Information > Primary email

Click Continue and first go back to Flexopus to finish the configurations there.

Configuration parameters
💡
Note: Start URL is the default relay state at Google. We must set this value in order to convert the IdP-initiated login into an SP-initiated login. This setting enables the login when the user opens the application from Google (select the app at the top right).
💡
Note: You can configure multiple Single Sign-On providers at the same time. In most cases there is only one Identity Provider (IdP); however, an organization with multiple companies may have multiple IdPs. For this reason, the SAML2 URLs carry a prefix that differentiates them per IdP.

STEP 2 - Configure Flexopus

In Flexopus, navigate to Dashboard > Settings > Authentication and select the created SAML2 provider. Enable the SAML2 SSO and select the Metadata file option instead of the Metadata URL option for the configuration. Upload the Metadata file downloaded from Google.

Upload Metadata File

Enter the name of the SAML2 login button, which will be displayed on the login page. Recommendation: SSO Login

(optional) Enable the synchronization of the fields that you configured in the SAML2 settings: jobtitle or department

Fields and button name

In the security settings, enter a * (star) in the allowed domains for SSO and press ENTER. This allows every user that is configured for the login in your Google directory to log in.

By default, SAML2 SSO users are registered automatically after their first login attempt. This is convenient, since you don't need to create the user profiles manually one by one before the first login; however, you can disable this setting (not recommended).

Security settings

SAVE your settings at the bottom.

You can find a SAML2 extension at the bottom to synchronize the avatar via the Management API. This will be configured in a later step.


STEP 3 - Attribute mapping

Go back to your Google configuration and continue with the Attributes step. Set the attributes as listed below.

Google directory attributes   App attributes                                                     Note
Primary email                 http://schemas.xmlsoap.org/claims/EmailAddress                     required
Primary email                 http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn          required
First name                    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname    required
Last name                     http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname      required
Department                    department                                                         optional
Title                         jobtitle                                                           optional
Attribute mapping
READ IT!!! As you can see, we set the unique principal name (UPN) to the primary email address. This works as long as the email address stays the same. Unfortunately, it sometimes changes (for example, an employee's name changes due to marriage). In such a case, the email address change also changes the UPN, and this leads to a new user in Flexopus, because the unique UPN field changed. To our current knowledge, Google does not provide any more reliable user-specific identifier that can be mapped via SAML2. So you have two options: accept the problem and use the primary email address, or maintain a custom UPN field for the users that stays unique over time. For a long-term solution to this issue, we recommend the second option, if it can be realized. Note that this is not a Flexopus-specific issue.
READ IT!!! Once you set the UPN, do not change it! UPN = Unique Principal Name. Unique attributes are not supposed to change. Contact us if you need help with it. Changing that field could lead to duplicated user entries. Mixing up the UPNs between users can lead to even bigger problems!
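As an added check (example code, not part of Flexopus or Google), the script below parses a SAML response and confirms it matches the mapping described here: the NameID format is persistent, the assertion itself carries the signature (since Signed response stays off), the four required claims are present, and the UPN claim agrees with the NameID. The sample response and the user jane.doe@example.com are constructed; signature presence is checked but not cryptographically verified.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
# The four required claims from the attribute mapping table above.
EMAIL, UPN, GIVEN, SUR = REQUIRED_CLAIMS = (
    "http://schemas.xmlsoap.org/claims/EmailAddress",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname",
)

def check_assertion(xml_text):
    """Return a list of problems; an empty list means the mapping matches this guide."""
    assertion = ET.fromstring(xml_text).find("saml:Assertion", NS)
    if assertion is None:
        return ["no Assertion element in Response"]
    problems = []
    # "Signed response" stays off in Google, so the Assertion itself must carry the
    # signature. Presence check only; cryptographic verification needs an xmlsec library.
    if assertion.find("ds:Signature", NS) is None:
        problems.append("Assertion is not signed")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != PERSISTENT:
        problems.append("NameID format is not persistent")
    attrs = {a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", NS)]
             for a in assertion.iterfind("saml:AttributeStatement/saml:Attribute", NS)}
    problems += [f"missing required claim {c}" for c in REQUIRED_CLAIMS if not attrs.get(c)]
    # NameID and UPN are both mapped to the primary email; a mismatch means Flexopus
    # would key the user on a different value than you expect.
    if name_id is not None and attrs.get(UPN) and attrs[UPN][0] != name_id.text:
        problems.append("UPN claim differs from NameID")
    return problems

def _attr(name, value):
    return f'<saml:Attribute Name="{name}"><saml:AttributeValue>{value}</saml:AttributeValue></saml:Attribute>'

# Constructed sample response for a fictitious user (not a real Google assertion).
SAMPLE = (
    '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
    'xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><saml:Assertion><ds:Signature/>'
    f'<saml:Subject><saml:NameID Format="{PERSISTENT}">jane.doe@example.com</saml:NameID>'
    '</saml:Subject><saml:AttributeStatement>'
    + _attr(EMAIL, "jane.doe@example.com") + _attr(UPN, "jane.doe@example.com")
    + _attr(GIVEN, "Jane") + _attr(SUR, "Doe")
    + '</saml:AttributeStatement></saml:Assertion></samlp:Response>'
)
```

Running check_assertion on a real response captured from your browser's SAML tracer shows whether the Google side matches the mapping above before you start debugging on the Flexopus side.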

You can leave the group membership empty. For Google Group synchronization, we have implemented a more professional way through the Google Management API. For more information, visit the article once you have finished this setup.

Google Groups Sync
Why synchronizing Google Groups? The integration is recommended for customers using Google Workspace internally as Identity Provider (IdP). User groups on the organizational level are often already defined and managed within Google. You can synchronize these groups to Flexopus using the Google Directory API with domain-wide delegation. The synchronized groups

Click Finish

STEP 4 - Configure who can log in

If you try to log in to Flexopus now, you will see an error message, since you have not yet configured who can or cannot log in from your Google Workspace user directory. You can set this under the User access tab.

User access

Open the settings and decide which organizational unit or group can log in to the application. It is recommended to enable the login for the whole organization if you don't have any reasonable limitations in place. In this case, you don't need to maintain the users' access for the login, and you reduce the number of possible support cases regarding the login configuration.

User access configuration

STEP 5 - Test the configuration

Open Flexopus in a new incognito window and test the login. You should be able to log in with an existing or a new user, depending on how you configured the access rights in your Google Workspace Directory and Flexopus.

💡
Note: It is possible that Google's settings will not be applied immediately. Wait about 30 minutes and test it again.

Once the SAML2 SSO is configured successfully, you can optionally disable the e-mail and password login and require all users to use Single Sign-On. Navigate to Dashboard > Settings > Authentication. You can find two options here:

  • Disable password login
    You can disable all email and password login forms.
  • Hide login form
    You can hide the login form on the main login page with it, but there is a secondary login form at ../dashboard/auth/login which you can leave open for a backup admin user.
Disable emails and password login

Trouble Shooting / FAQ

Duplicate user was created!

This can happen if the UPN changed over time. Contact us for support: support@flexopus.com

One user can log in to the user profiles of others!

This can happen if you mixed up the UPNs of the users in your Google Workspace Directory over time. Contact us for support: support@flexopus.com