This article is a guide to setting up the SAML2 SSO integration with Google Workspace. Some parameters may vary for each Workspace account. Please note that some generic or example values are used:

  • {subdomain} : Refers to your GOintegro Platform subdomain. For example, if your assigned URL is "https://myplatform.gointegro.com" then your subdomain is 'myplatform' (without quotes)

Process Overview

  1. Set up a new "GOintegro" SAML App in Google Workspace and the GOintegro Admin Panel

  2. Allow for Google Workspace Users

  3. Test integration


SAML2 App set up at Google Workspace and GOintegro Admin Panel

⚠️ For this setup you need access to your Google Workspace Admin console

  1. Log in to your Google Workspace Admin Console

  2. Navigate to: Apps > Web and mobile apps

  3. Click Add app and then choose Add custom SAML app. A step-by-step wizard will open:

Step 1 - App details

  • App name: This is the app name that will be displayed in the Google Apps deck. Example: GOintegro

  • App icon: This is the icon that will be used in the Google Apps deck. It is optional

Step 2 - Google Identity Provider details

Follow "Option 2" and copy the displayed parameters into your GOintegro Admin Panel (Admin Panel > Platform : Login > Single Sign On):

  • SSO URL: Copy this URL and paste it into the Login URL field in the Admin Panel

  • Entity ID: Copy this URL and paste it into the Entity ID field in the Admin Panel

  • Certificate: Download the certificate. It is downloaded as a file with the .pem extension. Change the file extension to .crt and then attach it in the Admin Panel

  • SHA-256 fingerprint: This value is not required for this configuration

At the end of this step, the Single Sign On setup form in your GOintegro Admin Panel will be partially complete. You'll complete it and be able to Save in the next steps

Step 3 - Service Provider Details

  • ACS URL: Use the following, replacing {subdomain} with your actual platform subdomain

https://auth.gointegro.com/sso/module.php/saml/sp/saml2-acs.php/{subdomain}

Example:
https://auth.gointegro.com/sso/module.php/saml/sp/saml2-acs.php/myplatform

  • Entity ID: Use your {subdomain}. Example: myplatform

  • Start URL: Leave blank

  • Signed response: Leave disabled

  • Name ID Format: Choose 'TRANSIENT'

  • Name ID: Choose 'Basic Information > Primary email'

Step 4 - Attribute mapping

On this screen you need to map the Google Account user attributes to be used in this SSO integration. The required attributes are Email Address, First Name and Last Name.

⚠️ Please note that the following steps use the default 'Google Directory attributes'.

For each attribute, tap on "Add Mapping" and complete the mapping by selecting a 'Google Directory attribute' and the outgoing 'App attribute':

  • Email Address: Choose 'Basic information > Primary email' and type 'Email' (without quotes) in the 'App Attribute' field

  • First Name: Choose 'Basic information > First name' and type 'Name' (without quotes) in the 'App Attribute' field

  • Last Name: Choose 'Basic information > Last name' and type 'Surname' (without quotes) in the 'App Attribute' field

Now, in your GOintegro Admin Panel, complete the following:

  • In the 'SAML attribute for E-mail' type 'Email' (without quotes)

  • Check 'Create user accounts at the first login' to enable the remaining attribute fields

  • In the 'SAML attribute for Name' type 'Name' (without quotes)

  • In the 'SAML attribute for Last Name' type 'Surname' (without quotes)

Please note that the attribute names must match exactly in both "Google Workspace" and "Admin Panel" for the integration to work successfully.
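
As an added illustration (not GOintegro or Google code), the Python script below checks a decoded SAML response captured from a test login against the values this guide configures: the ACS URL, the Entity ID and the three attribute names. The sample response is constructed, the function name is hypothetical, and the check does not verify signatures.

```python
# Added troubleshooting example (not GOintegro or Google code): checks a decoded
# SAML response against this guide's settings. It does not verify signatures.
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ACS_BASE = "https://auth.gointegro.com/sso/module.php/saml/sp/saml2-acs.php/"
REQUIRED = ("Email", "Name", "Surname")  # 'App attribute' names from Step 4

def check_response(xml_text, subdomain, required=REQUIRED):
    """Return a list of mismatches; an empty list means the names line up."""
    root = ET.fromstring(xml_text)
    problems = []
    dest, acs = root.get("Destination"), ACS_BASE + subdomain
    if dest is not None and dest != acs:
        problems.append(f"Destination is {dest!r}, expected ACS URL {acs!r}")
    audiences = [(a.text or "").strip() for a in root.iterfind(".//saml:Audience", NS)]
    if subdomain not in audiences:
        problems.append(f"Audience {audiences} lacks SP Entity ID {subdomain!r}")
    sent = [a.get("Name", "") for a in root.iterfind(".//saml:Attribute", NS)]
    for want in required:
        if want in sent:
            continue
        close = [n for n in sent if n.strip().lower() == want.lower()]
        hint = f" (sent as {close[0]!r}; names are compared exactly)" if close else ""
        problems.append(f"attribute {want!r} missing{hint}")
    return problems

# Constructed sample: 'email' is lower-case and the Audience carries a typo.
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    Destination="https://auth.gointegro.com/sso/module.php/saml/sp/saml2-acs.php/myplatform">
  <saml:Assertion>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>myplatfrom</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="email"><saml:AttributeValue>ana@example.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="Name"><saml:AttributeValue>Ana</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="Surname"><saml:AttributeValue>Diaz</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    for problem in check_response(SAMPLE, "myplatform"):
        print("MISMATCH:", problem)
```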

Finally, you can Finish the Google Workspace setup wizard to save the configuration. You'll be redirected to a new page with all the integration details.

To finish the setup in your GOintegro Admin Panel as well, you have to decide whether to enable a Session duration timeout for both Web and Mobile. If you have not decided yet, you can select "Session never expires" for now and change this setting later if necessary. Tap on SAVE to complete the setup. A prompt will warn you that all existing sessions will be terminated. Acknowledge it to proceed.


Allow for Google Workspace Users

Now that the integration is completed, the next step before performing a test is to allow Google Workspace users to access the new SAML App. At this point you can allow access for all account users, groups or organizational units.

From the GOintegro SAML App page at Google Workspace:

  1. Go to the "User access" section and tap on the chevron in the top right corner to expand the view

  2. You'll be taken to a new screen with the user access details.

  3. The left column lets you choose between "All users in this account", "Groups" and "Organizational Units". Choose "All users in this account" (you can change this later)

  4. A box on the right will show you the "Service status" for the previous selection. By default it will be set to "OFF for everyone". Choose "ON for everyone" and tap SAVE

  5. Now, all users in this account have access to this recently created SAML app. You can return to the GOintegro SAML app page using the breadcrumb links below the page header


Test integration

Finally, you can test the SAML integration between Google Workspace and GOintegro. To do so, locate the "TEST SAML LOGIN" link in the left part of the GOintegro SAML app page in Workspace. Tap on it to perform a test.

If the setup is successful, you'll be logged in and redirected to the home page of your platform.

If there's a problem, check the URL of the error page you were redirected to. It contains a code that will help our Support Team to solve the issue.


A few considerations regarding this integration

Please keep in mind that this tutorial assumes some settings that may differ from your preferences for this SAML integration:

  • We assume that the same person is completing the configuration for both Google Workspace and the GOintegro Admin Panel at the same time. If that is not possible, the Workspace setup may be performed first and the required parameters then passed on to configure the Admin Panel

  • Step 1 - App details: You can use a different App name for your instance. This name can be changed afterwards without altering the integration, but the integration icon can only be set at this step

  • Step 2 - Identity provider details: The certificate you download from Google has an expiration date. It is usually valid for 5 years, but we suggest you keep track of this date so that you can renew it and upload the new certificate in the GOintegro Admin Panel

  • Step 4 - Attribute mapping: In this guide we suggest using the default attribute names (Name, Surname, Email). You may decide to use different attribute names, but those names must match exactly when you configure the attributes in the Admin Panel. Any difference will result in an error when signing in

  • Step 4 - Admin Panel configuration: In this guide we suggested enabling the 'Create user accounts at the first login' feature. This is optional and you may wish to disable it. If so, the integration will only authenticate active users that already exist in GOintegro, matching them on the email address. If a Workspace user has been allowed access to this app but does not exist as an active user in GOintegro, the login will fail. Also, when this setting is disabled, the "First Name" and "Last Name" attributes are not necessary

  • If your SSO integration fails to complete the login, for example if your certificate has expired or if there was a misconfiguration, you as a GOintegro Admin still have the option to log into the Admin Panel and make the necessary corrections. To do so, just navigate to your Admin Panel URL (for example https://myplatform.gointegro.com/adminpanel) and you'll be able to log in with your GOintegro credentials
