In this article, you will learn how to set up
SSO is optional for user management. You can choose an option based on your business requirements. Learn more about other options.
Prerequisites
- You have access to the Google Workspace Admin Console.
- You need to have super administrator permissions in Google Workspace.
Read more on the super administrator role and permissions.
Get the required SAML configuration details
You can find these values:
- In Staffbase Studio, navigate to Settings > SSO Configuration and copy the following details:
  - Entity ID: The Identifier acts as a unique identifier for your Staffbase platform domain in Google Workspace.
  - Start URL: The Start URL directs Google Workspace where to send its SAML Response after authenticating a user.
  - ACS URL: The ACS URL directs the SAML response to the Staffbase server after authenticating a user. It is similar to the Start URL but does not include the query string part of the URL (the part starting with the question mark).
Creating a custom SAML app
You need to create a Custom SAML App in Google Workspace to set up SSO.
Staffbase recommends creating a dedicated application to maintain users for your Staffbase platform.
- In Google Admin Console, go to Apps > Web and mobile apps.
- Click Add App > Add custom SAML app.
- Provide a name for the application. For example, Staffbase SSO or something similar to help you instantly identify the application. Click Continue.
- Under Download IdP metadata, click Download Metadata and click Continue.
  Upload the downloaded metadata in Studio under Settings > SSO to complete the setup.
- Under Service provider details, provide the following details, and click Continue:
  - ACS URL: Add the ACS URL you received from Staffbase Studio.
  - Entity ID: The URI you received from Staffbase Studio.
  - Start URL: Add the URL you received from Staffbase Studio.
  - Signed response: Enable the option.
  - Name ID format: UNSPECIFIED.
  - Name ID: Basic Information > Primary email.
  The Name ID value and the identifier in your Staffbase platform must match for each user using SSO.
  If you want to use a different identifier value than the one already in place for your users in the Staffbase platform, you must first update the user identifiers in your Staffbase platform. In such a case, ensure that you also use these new identifiers for all future user management.
- Click Add Mapping and add the following attributes:
  - Google Directory attribute: Basic Information > First Name -> App attribute: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
  - Google Directory attribute: Basic Information > Last Name -> App attribute: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
  - Google Directory attribute: Basic Information > Primary email -> App attribute: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
- Click Finish.
Add your app integration details in Staffbase
In Staffbase Studio, go to Settings > SSO and upload the IdP metadata you downloaded from Google.
You can download the IdP metadata in step 5 of the Creating a custom SAML app section. Alternatively, you can find it in the overview of the app you created.
Assigning users
After creating the app, you can decide which Google Workspace users need access to the Staffbase platform using SSO.
Staffbase recommends adding a few users initially to test that everything works as expected.
- In the app you created, click User access.
  The Settings for users opens.
- You can enable it for everyone by clicking ON for everyone.
- On the left side, you can turn ON the service only for specific groups or organizational units.
- Search for the user or group you want to add and click Assign.
You have assigned users or groups to the app integration.
Test SSO
After you have uploaded the metadata in the SSO section of Staffbase Studio, SSO will be added to your Staffbase instance and will be ready for testing.
After testing that SSO authentication works as expected, you can add all users and/or groups in Google Workspace to the app.
You have configured and enabled SSO for your Staffbase platform.
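An added example (not Staffbase or Google code): a Python check to run over a SAML response captured during a test login, confirming that it matches the settings above: Destination equals the ACS URL, the whole response is signed, the Name ID equals the user's Staffbase identifier, and the three mapped attributes are present. The sample response, the example.com URLs and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, urlunsplit

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
CLAIMS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"
REQUIRED = [CLAIMS + n for n in ("givenname", "surname", "emailaddress")]

# Constructed sample (not a real Google response); the surname mapping is left out on purpose.
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
 xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
 Destination="https://app.example.com/sso/acs">
 <ds:Signature/>
 <saml:Assertion><saml:Subject><saml:NameID>ada@example.com</saml:NameID></saml:Subject>
 <saml:AttributeStatement>
  <saml:Attribute Name="{c}givenname"/><saml:Attribute Name="{c}emailaddress"/>
 </saml:AttributeStatement></saml:Assertion></samlp:Response>""".format(c=CLAIMS)

def acs_from_start_url(start_url):
    """ACS URL is the Start URL without its query string, as described above."""
    p = urlsplit(start_url)
    return urlunsplit((p.scheme, p.netloc, p.path, "", ""))

def check_response(xml_text, acs_url, expected_identifier):
    """Return a list of findings; an empty list means the response matches the setup."""
    # Meant for a response captured from your own test login; for untrusted XML
    # use a hardened parser such as defusedxml.
    root = ET.fromstring(xml_text)
    findings = []
    if root.get("Destination") != acs_url:
        findings.append("Destination does not equal the ACS URL")
    # Presence check only: this does not verify the signature cryptographically.
    if root.find("ds:Signature", NS) is None:
        findings.append("response is not signed (enable 'Signed response')")
    name_id = root.findtext(".//saml:Subject/saml:NameID", default="", namespaces=NS)
    if name_id.strip() != expected_identifier:
        findings.append("NameID does not match the Staffbase user identifier")
    sent = {a.get("Name") for a in root.iterfind(".//saml:Attribute", NS)}
    findings += [f"missing attribute {c}" for c in REQUIRED if c not in sent]
    return findings

if __name__ == "__main__":
    acs = acs_from_start_url("https://app.example.com/sso/acs?tenant=placeholder")
    for finding in check_response(SAMPLE, acs, "ada@example.com"):
        print(finding)
```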