Learn how to configure Single Sign-On using the SAML protocol in Google Workspace to authenticate users to your Staffbase platform.
In this article, you will learn how to set up SSO using the SAML protocol in Google Workspace. SSO is an authentication method that allows users to access multiple applications with a single account. This will allow you to onboard your users using SSO and let them access the Staffbase platform using the same credentials they use to access other platforms in your organization.
SSO is optional for user management. You can choose an option based on your business requirements. Learn more about other options.
- You have access to the Google Workspace Admin Console.
- You need to have super administrator permissions in Google Workspace.
Read more on super administrator role and permissions.
For creating an app integration in Google Workspace, you need to receive the following from Staffbase Support:
- Entity ID: The Identifier acts as a unique identifier for your Staffbase platform domain in Google Workspace.
- Start URL: The Start URL directs Google Workspace where to send its SAML Response after authenticating a user.
- ACS URL: The ACS URL directs the SAML response to the Staffbase server after authenticating a user. It is similar to the Start URL but does not include the query string part of the URL (without the part starting with the question mark).
You need to create a Custom SAML App in Google Workspace to set up SSO.
Staffbase recommends creating a dedicated application to maintain users for your Staffbase platform.
- In Google Admin Console, go to Apps > Web and mobile apps.
- Click Add App > Add custom SAML app.
- Provide a name for the application. For example, Staffbase SSO or something similar to help you instantly identify the application. Click Continue.
- Under Download IdP metadata, click Download Metadata and click Continue.
You need to provide the metadata you downloaded to Staffbase.
- Under Service provider details, provide the following details, and click Continue:
- ACS URL: Provide the ACS URL you received from Staffbase.
- Entity ID: The URI you received from Staffbase.
- Start URL: Provide the URL you received from Staffbase.
- Signed response: Enable the option.
- Name ID format: UNSPECIFIED.
- Name ID: Basic Information > Primary email.
The Name ID value and the identifier in your Staffbase platform must match for each user using SSO.
If you want to use a different identifier value than the one already in place for your users in the Staffbase platform, you must first update the user identifiers in your Staffbase platform. In such a case, ensure that you also use these new identifiers for all future user management.
- Click Add Mapping and add the following attributes:
  - Google Directory attribute: Basic Information > First Name -> App attribute: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
  - Google Directory attribute: Basic Information > Last Name -> App attribute: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
  - Google Directory attribute: Basic Information > Primary email -> App attribute: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
- Click Finish.
Provide Staffbase the IdP Metadata for the app you created.
You can download the IdP metadata in step 5 of the Creating a Custom SAML App section. Alternatively, you can find it in the overview of the app you created.
After creating the app, you can decide which Google Workspace users need access to the Staffbase platform using SSO.
Staffbase recommends adding a few users initially to test that everything works as expected.
- In the app you created, click User access.
The Settings for users opens.
- You can enable it for everyone by clicking ON for everyone.
- On the left side, you can turn ON the service only for specific groups or organizational units.
- Search for the user or group you want to add and click Assign.
You have assigned users or groups to the app integration.
After you have provided Staffbase Support with the metadata, you will be informed when SSO has been added to your Staffbase instance and is ready for testing.
After testing that SSO authentication works as expected, you can add all users and/or groups in Google Workspace to the app.
You have configured and enabled SSO for your Staffbase platform.