Ideagen Luminate logo Ideagen Luminate logo
Navigation
Need help?
Send feedback
Sign in
This page does not meet FedRAMP security standards. Please avoid entering sensitive or classified information. Learn more
Learn more
Learn more

Looking for help?

Common queries

View all

Send us feedback

Megaphone illustration

Before you start

This form is for Ideagen Luminate feedback only. Your submission will not receive a response.

Looking for support? Select the solution you need help with and open a ticket with us.
New article Recently updated

Setting up Google Workspace for SAML-based Single Sign-On (SSO)

By SueAnn See
  • Last updated
⌘ K
Search this article
Print this article

Who is this article for?

Administrators responsible for managing organization security settings in Ideagen Hub.

Admin Console access is required.

You can set up Google Workspace as your corporate identity provider (IDP) in Ideagen Hub using SAML, which is the preferred protocol since Google Workspace has limited OIDC SSO support.

To use an external identity provider like Google, you will need to ensure the Hub user's authentication type is set to External.

This article outlines how to configure a new SAML app in the Google Workspace Admin console and link it to Ideagen Hub.

Creating a SAML app

To create a SAML app in Google Workspace.

  1. Go to Google Workspace.

  2. Log in to the Admin console.

  1. Expand Apps.

  2. Select Web and mobile apps.

  3. Click Add app.

  4. Select Add custom SAML app.

  1. Enter a name for your app.

  2. Click Continue.

  1. Click Download Metadata.
    Keep the file in a secure place where you can easily access it, as you will need to upload it to Ideagen Hub later to finish setting up the SSO configuration.

Configuring the SAML app

Identifier and Reply URL

Ideagen Hub

Once you have created the SAML application in Google Workspace, you will need to configure the Identifier and Reply URL. To configure these, you will need to retrieve the Identifier and Reply URL from Ideagen Hub.

To retrieve the URLs:

  1. Sign in to Ideagen Hub. 
  2. Navigate to the Admin Console.
  3. Go to the Security Center.
  4. Select Authentication.
  5. Select Eternal IDP Configuration
  6. Click Add Identity Provider.
  7. Select SAML.
  8. Click Next.
    You will see the Identifier (Entity ID) and Reply URL (Assertion Consumer Service URL).
  9. Copy these values to be configured on your Google Workspace app.

Google Workspace

To paste the URLs:

  1. Go back to Google Workspace.
  2. Click Continue.
    You will be taken to a Service provider details section.
  3. Paste the values for Reply URL (ACS URL) and Entity ID copied from Ideagen Hub.

Note
Entity ID represents an organization or a single Ideagen Hub subdomain.

Start URL

Ideagen Hub

In Ideagen Hub, as part of the SAML configuration, you will have to decide whether to allow IdP-Initiated SAML sign-in.

To configure this:

  1. At the SAML Configuration, select Accept SP-initiated and IdP-initiated SAML assertions only to enable the IdP-initiated workflow, allowing launch of Ideagen Hub from your IdP dashboard (if supported).
  2. Once you allow IdP-initiated SAML assertions, the SAML signing and encryption options will not be supported and will be hidden.
SAML Configuration - Require SP-initiated SAML assertions SAML Configuration - accept SP-initiated and IdP-initiated SAML assetions
  1. Click Apply Configuration.
    You will see the Relay State at the top section of the SAML Configuration.
  2. Copy this value as you will need this to configure your Google Workspace app.

Google Workspace

Once you have created the SAML enterprise application in Google Workspace, to configure the Relay state for IdP-initiated SAML workflow, paste the value for the Relay State that you have copied from Ideagen Hub into the Start URL field.

Configuring attribute mapping

Email attribute

Whether your organisation uses Email as the login identifier, you will need to add the email attribute in Google Workspace and map the email attribute in Ideagen Hub. 

Google Workspace

To configure the attribute in Google Workspace: 

  1. Go to the application in Google Workspace.

  2. Select Primary email under Google Directory attributes.

  3. Set the value to email.
  4. Copy this value.

Ideagen Hub

To map the attribute:

  1. Scroll down to the Attribute mapping section.
  2. Paste the attribute name in the SAML attribute field next to the email User pool attribute.

Username

If your organisation uses Username as login identifier, you must configure an attribute for the preferred username in Google Workspace and map the email and preferred_username attributes in Ideagen Hub.

Google Workspace

To configure the attribute in Google Workspace:

  1. Go to the application in Google Workspace.

  2. Click Add mapping.

  3. Create an attribute with a unique, unchanging value for each user.
    For example, employee_id.
  4. Copy this value.

Ideagen Hub 

To map the attribute:

  1. Scroll down to the Attribute mapping section.

  2. Paste the claim name in the SAML attribute field next to the preferred_username User pool attribute.

Activating the app

When the SAML app is created in Google Workspace, it will be off for everyone by default.

To activate the app:

  1. Click the Arrow next to User access.
  1. Assign users by Groups or Organisation Units.
  2. Set Service status to ON.
  3. Click Override.

Further reading

What do you think about this article?

Your feedback helps us improve

More articles in this section

Looking for more help? Ask the Community

On this page