Google Workspace - Configure Single Sign-On Authentication

Learn how to configure Single Sign-On using SAML protocol in Google Workspace to authenticate users to your Staffbase platform.

Employee App
Front Door Intranet

In this article, you will learn how to set up SSO using the SAML protocol in Google Workspace. SSO is an authentication method that allows users access to multiple applications with a single account. This will allow you to onboard your users using SSO and let them access the Staffbase platform using the same credentials they use to access other platforms in your organization.

SSO is optional for user management. You can choose an option based on your business requirements. Learn more about other options.

Prerequisites

Receive information from Staffbase Support

For creating an app integration in Google Workspace, you need to receive the following from Staffbase Support:

  • Entity ID: The Identifier acts as a unique identifier for your Staffbase platform domain in Google Workspace.
  • Start URL: The Start URL directs Google Workspace where to send its SAML Response after authenticating a user.
  • ACS URL: The ACS URL directs the SAML response to Staffbase server after authenticating a user. It is similar to the Start URL but does not include the query string part of the URL (without the part starting with the question mark).

Creating a custom SAML app

You need to create a Custom SAML App in Google Workspace to set up SSO.

Staffbase recommends creating a dedicated application to maintain users for your Staffbase platform.

  1. In Google Admin Console, go to Apps > Web and mobile apps.
Google Application Menu
  1. Click Add App > Add custom SAML app.
Google Create App
  1. Provide a name for the application. For example, Staffbase SSO or something similar to help you instantly identify the application. Click Continue.
Google App Name
  1. Under Download IdP metadata, click Download Metadata and click Continue.

You need to provide the metadata you downloaded to Staffbase.

Google Metadata
  1. Under Service provider details, provide the following details, and click Continue:
Google Service Provider details
  • ACS URL: Provide the ACS URL you received from Staffbase.
  • Entity ID: The URI you received from Staffbase.
  • Start URL: Provide the URL you received from Staffbase.
  • Signed response: Enable the option.
  • Name ID format: UNSPECIFIED.
  • Name ID: Basic Information > Primary email.

The Name ID value and the identifier in your Staffbase platform must match for each user using SSO.


If you want to use a different identifier value than the one already in place for your users in the Staffbase platform, you must first update the user identifiers in your Staffbase platform. In such a case, ensure that you also use these new identifiers for all future user management.

    1. Click Add Mapping and add the following attributes:
  • Google Directory attribute: Basic Information > First Name ->

    • App attribute: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
  • Google Directory attribute: Basic Information > Last Name ->

    • App attribute: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
  • Google Directory attribute: Basic Information > Primary email ->

    • App attribute: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
  1. Click Finish.

Provide Staffbase your app integration details

Provide Staffbase the IdP Metadata for the app you created.

You can download the Idp Metadata in step 5 of the Creating a Custom SAML App section. Alternatively, you can find it in the overview of the app you created.

Assigning users

After creating the app, you can decide which Google Workspace users need access to the Staffbase platform using SSO.

Staffbase recommends adding a few users initially to test that everything works as expected.

  1. In the app you created, click User access.
Google User Access

The Settings for users opens.

  1. You can enable it for everyone by clicking ON for everyone.
Google Assignments
  1. On the left side, you can turn ON the service only for specific groups or organizational units.

  2. Search for the user or group you want to add and click Assign.
    You have assigned users or groups to the app integration.

Test SSO

After you have provided Staffbase Support with the Metadata, you will be informed when SSO was added to your Staffbase instance and is ready for testing.

After testing the SSO authentication works as expected, you can add all users and/or groups in Google Workspace to the app.

You have configured and enable SSO for your Staffbase platform.

Additonal helpful information