Google SAML2 SSO
Introduction
Connect Flexopus with your Google Workspace Directory (formerly known as Google G Suite) via a SAML2 Single Sign-On integration. With the integration, you can manage which Google Workspace users have access to Flexopus and require them to use their Google credentials for the login. A SAML2 setting in Flexopus lets user profiles be created automatically after the first successful SAML2 SSO login, which avoids creating users manually in Flexopus.
Setup Instruction Manual
Follow the step-by-step instruction manual to configure the integration. The manual also includes best practices and solutions for some common errors made during the configuration. If you still need help with the setup, feel free to reach out to our support team via support@flexopus.com.
STEP 1 - Create custom SAML app
Open the Google Workspace Admin Console and select Apps > Web and Mobile Apps (or use this link). Select the option Add app > Add custom SAML app.
Enter the App-Details
App-Name: Flexopus SSO
Description: Workplace Management Software
You can download an app icon here, or navigate to our website and download the logo pack here.
Under Option 1, click the Download Metadata button. You will need to upload the downloaded file in Flexopus. Click Continue.
On this page, you need to enter the ACS URL, the Entity ID and the Start URL. These configuration parameters can be found within Flexopus. Navigate in Flexopus as an administrator to Dashboard > Settings > Authentication. Click the Add provider button and select the SAML2 SSO option.
Copy the URLs from Flexopus to your Google configuration (Flexopus field = Google field):
- Entity ID = Entity ID
- Callback (ACS) URL = ACS URL
- Relay state = Start URL (optional)
- Signed response = leave deactivated. The response is still sent signed, but only the assertion is signed, not the whole response message. This corresponds to the software standard.
- Name ID format = PERSISTENT
- Name ID = Information > Primary email
Click Continue, then first go back to Flexopus to finish the configuration there.
STEP 2 - Configure Flexopus
In Flexopus, navigate to Dashboard > Settings > Authentication and select the created SAML2 provider. Enable the SAML2 SSO and, for the configuration, select the Metadata file option instead of the metadata URL option. Upload the metadata file you downloaded from Google.
Enter the name of the SAML2 login button that will be displayed on the login page. Recommendation: SSO Login
(optional) Enable the synchronization of the fields that you configured in the SAML2 settings: jobtitle or department.
In the security settings, set the allowed domains for SSO to * (star) and press ENTER. This allows every user who is configured for the login in your Google directory to log in; who may log in is then controlled on the Google side (see Step 4).
By default, SAML2 SSO users are registered automatically after their first login attempt. This is convenient, since you do not need to create the user profiles manually one by one before the first login; you can, however, disable this setting (not recommended).
SAVE your settings at the bottom.
At the bottom you can find a SAML2 extension to synchronize the avatar via the Management API. That is configured in a later step.
STEP 3 - Attribute mapping
Go back to your Google configuration and continue with the Attributes step. Set the attributes as listed below.
Google directory attributes | App attributes | Note |
---|---|---|
Primary email | http://schemas.xmlsoap.org/claims/EmailAddress | required |
Primary email | http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn | required |
First name | http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname | required |
Last name | http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname | required |
Department | department | optional |
Title | jobtitle | optional |
You can leave the group membership empty. For Google Group synchronization, we have implemented a more robust way through the Google Management API. For more information, visit the article once you have finished this setup.
Click Finish.
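The settings from Step 1 and the attribute table above fix what a Google response to Flexopus must look like: a PERSISTENT Name ID, a signature on the assertion (not on the outer response), and the four required attribute names. The following script is an added example, not Flexopus or Google code; it parses a constructed sample response (hostnames, IDs and the signature value are placeholders, not a captured response) and reports any deviation from those settings. It does not verify the XML signature itself; that remains the job of the SAML library on the Flexopus side.

```python
"""Added example (not Flexopus or Google code): check that a SAML response
matches the settings of this guide. The response below is a constructed
sample; hostnames, IDs and the signature value are placeholders."""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"

# Attribute names exactly as in the mapping table of this guide.
REQUIRED_ATTRIBUTES = {
    "http://schemas.xmlsoap.org/claims/EmailAddress",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname",
}
OPTIONAL_ATTRIBUTES = {"department", "jobtitle"}


def attr(name, value):
    """Build one <saml:Attribute> element for the constructed sample."""
    return (f'<saml:Attribute Name="{name}">'
            f'<saml:AttributeValue>{value}</saml:AttributeValue></saml:Attribute>')


# Constructed sample: only the assertion carries a <ds:Signature>, which is
# what Google sends when "Signed response" is left deactivated.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    xmlns:ds="{NS['ds']}" ID="_resp1" Version="2.0" Destination="https://flexopus.example/saml2/acs">
  <saml:Issuer>https://accounts.google.com/o/saml2?idpid=EXAMPLE</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>https://accounts.google.com/o/saml2?idpid=EXAMPLE</saml:Issuer>
    <ds:Signature><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
    <saml:Subject><saml:NameID Format="{PERSISTENT}">jane.doe@example.com</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      {attr('http://schemas.xmlsoap.org/claims/EmailAddress', 'jane.doe@example.com')}
      {attr('http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn', 'jane.doe@example.com')}
      {attr('http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname', 'Jane')}
      {attr('http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname', 'Doe')}
      {attr('department', 'Facilities')}
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def inspect_response(xml_text):
    """Extract the facts relevant to this guide from a SAML response."""
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no <saml:Assertion> in response")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    attributes = {
        a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", NS)]
        for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)
    }
    return {
        "nameid": name_id.text if name_id is not None else None,
        "nameid_format": name_id.get("Format") if name_id is not None else None,
        "response_signed": root.find("ds:Signature", NS) is not None,
        "assertion_signed": assertion.find("ds:Signature", NS) is not None,
        "attributes": attributes,
    }


def check_response(xml_text):
    """Return a list of findings; an empty list means the response matches the guide."""
    info = inspect_response(xml_text)
    findings = []
    if info["nameid_format"] != PERSISTENT:
        findings.append(f"NameID format is {info['nameid_format']}, expected PERSISTENT")
    if not info["assertion_signed"]:
        findings.append("assertion is not signed")
    for name in sorted(REQUIRED_ATTRIBUTES - set(info["attributes"])):
        findings.append(f"required attribute missing: {name}")
    for name in sorted(set(info["attributes"]) - REQUIRED_ATTRIBUTES - OPTIONAL_ATTRIBUTES):
        findings.append(f"unmapped attribute sent: {name}")
    # Both EmailAddress and upn are mapped to Primary email in this guide, so they must agree.
    email = info["attributes"].get("http://schemas.xmlsoap.org/claims/EmailAddress")
    upn = info["attributes"].get("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn")
    if email and upn and email != upn:
        findings.append("EmailAddress and upn differ")
    return findings


if __name__ == "__main__":
    print(check_response(SAMPLE_RESPONSE) or "response matches the guide")
```

To run it against a real response, decode the Base64 SAMLResponse form field your browser posted to the ACS URL (the browser's network tab or a SAML tracer extension shows it) and pass the XML to check_response.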
STEP 4 - Configure who can log in
If you try to log in to Flexopus now, you will see an error message, since you have not yet configured who can or cannot log in from your Google Workspace user directory. You can set this under the User access tab.
Open the settings and decide which organizational unit or group can log in to the application. It is recommended to enable the login for the whole organization if you do not have any specific restrictions in place. In that case, you do not need to maintain the users' access for the login, and you reduce the number of possible support cases regarding the login configuration.
STEP 5 - Test the configuration
Open Flexopus in a new incognito window and test the login. You should be able to log in with an existing or a new user, depending on how you configured the access rights in your Google Workspace Directory and in Flexopus.
Once the SAML2 SSO is configured successfully, you can optionally disable the e-mail and password login and require all users to use Single Sign-On. Navigate to Dashboard > Settings > Authentication. You can find two options here:
- Disable password login: disables all e-mail and password login forms.
- Hide login form: hides the login form on the main login page. A secondary login form remains available at ../dashboard/auth/login, which you can leave open for a backup admin user.
Troubleshooting / FAQ
Duplicate user was created!
This can happen if the UPN changed over time. Contact us for support: support@flexopus.com
One user can log in in the user profiles of others!
This can happen if you mixed up the UPNs of the users in your Google Workspace Directory over time. Contact us for support: support@flexopus.com