Google Workspace - Configure Single Sign-On Authentication

In this article, you will learn how to set up Single Sign-On (SSO) using the SAML protocol in Google Workspace. SSO is an authentication method that allows users access to multiple applications with a single account. This will allow you to onboard your users using SSO and let them access the Staffbase platform using the same credentials they use to access other platforms in your organization.

• You have access to the Google Workspace Admin Console.
• You need to have super administrator permissions in Google Workspace.
  Read more on super administrator role and permissions.

For creating an app integration in Google Workspace, you need to receive the following from Staffbase Support:

• Entity ID: The Identifier acts as a unique identifier for your Staffbase platform domain in Google Workspace.
• Start URL: The Start URL directs Google Workspace where to send its SAML Response after authenticating a user.
• ACS URL: The ACS URL directs the SAML response to Staffbase server after authenticating a user. It is similar to the Start URL but does not include the query string part of the URL (without the part starting with the question mark).

You need to create a Custom SAML App in Google Workspace to set up SSO.

1. In Google Admin Console, go to Apps > Web and mobile apps.

2. Click Add App > Add custom SAML app.

3. Provide a name for the application. For example, Staffbase SSO or something similar to help you instantly identify the application. Click Continue.

5. Under Download IdP metadata, click Download Metadata and click Continue.

6. Under Service provider details, provide the following details, and click Continue:

• ACS URL: Provide the ACS URL you received from Staffbase.
• Entity ID: The URI you received from Staffbase.
• Start URL: Provide the URL you received from Staffbase.
• Signed response: Enable the option.
• Name ID format: UNSPECIFIED.
• Name ID: Basic Information > Primary email.

• 7. Click Add Mapping and add the following attributes:

• Google Directory attribute: Basic Information > First Name ->

  • App attribute: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname

• Google Directory attribute: Basic Information > Last Name ->

  • App attribute: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname

• Google Directory attribute: Basic Information > Primary email ->

  • App attribute: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress

8. Click Finish.

Provide Staffbase the IdP Metadata for the app you created.

After creating the app, you can decide which Google Workspace users need access to the Staffbase platform using SSO.

1. In the app you created, click User access.

The Settings for users opens.

2. You can enable it for everyone by clicking ON for everyone.

3. On the left side, you can turn ON the service only for specific groups or organizational units.

4. Search for the user or group you want to add and click Assign.
   You have assigned users or groups to the app integration.

After you have provided Staffbase Support with the Metadata, you will be informed when SSO was added to your Staffbase instance and is ready for testing.

After testing the SSO authentication works as expected, you can add all users and/or groups in Google Workspace to the app.

You have configured and enable SSO for your Staffbase platform.

• Google Workspace - Set up your own custom SAML app