The main purpose of establishing a Single Sign On (SSO) process with Absorb is to allow your users a single point of entry into your system while providing them access to multiple other independent systems. With this process a user logs in with a single ID to gain access to a multitude of other systems without being prompted for different usernames and passwords.
This article discusses Incoming SAML 2.0 SSO for clients using G Suite and presents a somewhat abridged and focused version of our full Incoming SAML 2.0 Single Sign-On article. For the purposes of this article the Absorb system will act as the Service Provider (SP). Your G Suite instance will act as the Identity Provider (IdP).
Please note that SSO is an additional feature that usually involves an additional fee and technical resources on the client side to develop and/or configure the solution.
Disclaimer: Absorb LMS supports Incoming SAML 2.0 Single Sign-On as a feature, however we do not officially support any specific client-side (IdP) solution. Although G Suite is known to generally work with our implementation of SAML SSO, it is the client's responsibility to configure/develop and maintain their side of the integration. This will require a client resource who is knowledgeable and familiar with your particular G Suite instance. This guide is provided to our clients as a convenience only, based on our past experience working with clients who employ G Suite.
G Suite Setup
The first half of configuration will take place in the G Suite admin portal.
- Log in to the G Suite admin portal and select Apps.
- Select SAML Apps, then click the blue + icon in the bottom right to add a new SAML app.
- Choose SETUP MY OWN CUSTOM APP near the bottom.
- Download the certificate OR the IDP metadata file. The only piece of information we need from this page is the X509 certificate which will be pasted in Absorb Portal Settings.
- Enter an Application Name, Description, etc. This doesn’t impact the functionality of the SSO, but your end users will see it in G Suite.
- Set the ACS URL and Entity ID fields to the same value, which is the one described in the Absorb SAML helpdesk article. The format is https://company.myabsorb.com/Account/SAML (replace company.myabsorb.com with whatever your Absorb portal URL is). Set the other fields as shown below.
- No attribute mapping is needed – click Finish.
- Navigate to the settings for this new SAML App, click the three dots, and choose ON for everyone or ON for some organizations (as desired). You will likely want to enable this for only limited users to start. Note that turning the app on in G Suite is required to finalize the setup in Absorb, so there will be a brief window where it’s on in G Suite but not in Absorb. Completing this config during non-peak hours is probably preferable.
- Unfortunately Absorb’s implementation of SP initiated SAML SSO is not compatible with G Suite at this time. G Suite does not expressly support an IdP initiated workflow (no URL for IdP initiated login is provided by default), but it’s still possible to retrieve the IdP initiated login URL using the following steps.
Once the app is turned on in G Suite (step 9 above) it will display in the list of apps in the top right corner of Google/G Suite. Note that you may need to click More and scroll down to find it in the list, as shown below.
- Right click the SAML app icon and ‘Copy link address’. This is our IdP initiated URL, and we’ll add it to the Login URL field in Absorb Portal Settings.
Log in to the Absorb admin portal as a System Admin and navigate to Portal Settings. From Portal Settings, there is a button in the right-side context menu labelled Manage SSO Settings. If you can't see this button, please contact your Absorb Client Success Manager to discuss enabling the feature.
Once you have clicked the button, you will be brought to the Manage Single Sign-On Settings page. Any existing configurations will appear here, as well as the option to Add a new one.
Click Add and fill in the fields as shown below.
- The ‘Key’ field should contain the full X509 certificate that you downloaded in step 5.
- The ‘Id Property’ should match whatever Name ID value was chosen in Step 7 – usually email address.
- The ‘Login URL’ should be the IdP initiated URL from step 11.
- The 'Logout URL' can be whatever you like – this is the URL users will be directed to after logging out of Absorb (it can also be left blank, which just redirects to the Absorb login page).
- Set Automatically Redirect as desired.
Remember to turn the SAML app on for all users in G Suite once you are happy with testing.
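A pre-flight check for the certificate and URL values described above, as an added example (not Absorb's or Google's code): it extracts the signing certificate from the downloaded IdP metadata file, confirms that the text pasted into the ‘Key’ field is that certificate in full, and checks the ACS URL / Entity ID against the https://company.myabsorb.com/Account/SAML format. The sample metadata is constructed with placeholder bytes in place of a real certificate, the function names are hypothetical, and PEM header lines are ignored on the assumption that the field may or may not include them.

```python
import base64
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample: the certificate body is placeholder bytes, not a real cert.
SAMPLE_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.test/constructed">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        Y29uc3RydWN0ZWQtcGxhY2Vob2xkZXItY2VydA==
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def signing_certs(metadata_xml):
    """Return the DER bytes of every signing certificate in IdP metadata."""
    if "<!DOCTYPE" in metadata_xml or "<!ENTITY" in metadata_xml:
        raise ValueError("refusing metadata that carries a DTD")
    certs = []
    for kd in ET.fromstring(metadata_xml).iterfind(".//md:IDPSSODescriptor/md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":  # no 'use' attribute covers signing too
            continue
        for node in kd.iterfind("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            certs.append(base64.b64decode("".join((node.text or "").split()), validate=True))
    return certs

def pasted_key_matches(metadata_xml, pasted):
    """True if the text pasted into the 'Key' field is a signing cert from the metadata."""
    lines = (ln.strip() for ln in pasted.splitlines())
    body = "".join(ln for ln in lines if not ln.startswith("-----"))  # drop PEM armor
    try:
        der = base64.b64decode(body, validate=True)
    except ValueError:  # truncated or mangled paste
        return False
    return bool(der) and der in signing_certs(metadata_xml)

def valid_sp_url(url):
    """ACS URL / Entity ID format from the article: https://<portal>/Account/SAML."""
    p = urlsplit(url)
    return (p.scheme == "https" and bool(p.hostname)
            and p.path == "/Account/SAML" and not p.query and not p.fragment)
```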