Incoming SAML 2.0 Single Sign-On with Google Workspace

Introduction

The main purpose of establishing a Single Sign On (SSO) process with Absorb is to allow your users a single point of entry into your system while providing them access to multiple other independent systems. With this process a user logs in with a single ID to gain access to a multitude of other systems without being prompted for different usernames and passwords.

This article discusses configuration of SSO using Google Workspace. For the purposes of this article the Absorb system will act as the Service provider (SP). Your Google Workspace account will act as the Identity Provider (IdP). 

Please note that SSO is an additional feature that usually involves an additional fee and technical resources on the client side to develop and/or configure the solution.

Disclaimer: Absorb LMS supports Incoming SAML 2.0 Single Sign-On as a feature, however we do not officially support any specific client-side (IdP) solution. Although Google Workspace is known to generally work with our implementation of SAML SSO, it is the client's responsibility to configure/develop and maintain their side of the integration. This will require a client resource who is knowledgeable and familiar with their particular Google Workspace instance. This guide is provided to our clients as a convenience only, based on our past experience working with clients who employ Google Workspace . 

 

Instructions: Configuring Google Workspace

Note: To enlarge thumbnail images, right-click on picture and select "Open image in new tab".

Step

Action Image 
1. Login to your G-Suite Admin Console.  
2. Select Apps  apps.png
3. Select SAML apps.  saml-apps.png
4. Click on the + icon on the bottom right of the page to create a new SAML app.   add-saml-app.png
5.  Select SETUP MY OWN CUSTOM APP.  setup-my-own-saml-app.png
6.

Download the certificate and save it for use in a later step. 

Click the DOWNLOAD button and then select NEXT.

 6-download-cert.png
7. Enter an Application Name (for Google Workspace admin reference) and a description/logo if desired; then click NEXT.  idp-download-cert.png
8. Enter your Absorb ACS URL (generally speaking, this URL follows the format of https://company.myabsorb.com/api/rest/v2/authentication/saml
9. The Entity ID is identical to the ACS URL. 
10. Set the Name ID field to the user profile field in Google Workspace that Absorb should match. 
11. Leave the Name ID Format as UNSPECIFIED. service-provider-dertails-unspecified.png
12. Attribute mapping is used for account provisioning (also known as just-in-time provisioning), and is outside the scope of this guide. You may leave this section blank and click FINISH.

An example provisioning setup is shown, however for full details, see our SSO Account Provisioning article here: https://support.absorblms.com/hc/en-us/articles/360014083294-Incoming-SAML-2-0-SSO-Account-Provisioning
attribute-mapping.png
13. Select EDIT SERVICE. edit-service.png
14. Select ON for everyone or navigate to the specific organizational unit you'd like to enable and set the service status to ON for that unit, then save. service-status.png


Instructions: Find Your Login URL 

Once the app is turned on in Google Workspace (step 14 above) it will display in the list of apps in the top right corner of Google Workspace . Note that you may need to click More and scroll down to find it in the list, as shown below. Once the app is turned on in Google Workspace (step 14 above) it will display in the list of apps in the top right corner of Google Workspace.

 Note: To enlarge thumbnail images, right-click on picture and select "Open image in new tab".

Step Action Image 
1. Note that you may need to click More and scroll down to find it in the list, as shown below.

choose-more.png

choose-more-B.png

2.

Right click the app icon and ‘Copy link address’.

This is our IdP initiated URL, and we’ll add it to the Login URL field in Absorb Portal Settings.

 copy-link-address.png

 


Instructions: Absorb Setup 

Note: To enlarge thumbnail images, right-click on picture and select "Open image in new tab".

Step Action Image 
1.

Login to the Absorb admin portal as a System Admin and navigate to Portal Settings. From Portal Settings, there is a button in the right-side menu labelled Manage SSO Settings.

If you can't see this button, please contact your Absorb Client Success Manager to discuss enabling the feature.

manage-sso-settings.png
2. Once you have clicked the button, you will be brought to the Manage Single Sign-On Settings page. Any existing configurations will appear here, as well as the option to Add a new one. 

Click Add and fill in the fields as shown below.

  • Name the connection something descriptive. This name is only visible to admins.
  • The Key field should contain the full certificate that you downloaded in Step 5.
    • Open the PEM file you downloaded in a text editor (e.g. notepad)
    • Remove the entire "BEGIN CERTIFICATE" line
    • Remove the entire "END CERTIFICATE" line
    • Remove all line breaks (you should be left with a single line of encoded text.)
    • Copy this information into the Key field in Absorb.
3. Set the Id Property to the user profile field in Absorb that your Google Workspace Name ID should match. 
4. The Signature Type will be Sha1 
5. The Login URL should be the 'SSO URL' value above. 
6. The Logout URL should be left blank. Google currently does not support SAML Single Log Out as an identity or service provider. 
7.  Set Automatically Redirect as desired.
  • If enabled, unauthenticated users will be redirected to the Google Workspace login screen as soon as they land on your Absorb URL.
  • If disabled, users will see your public dashboard.
 
8. Assign which routes in your portal you would like to associate with this SSO configuration. 
9. Save your configuration.  save-configurations.png

 

Was this article helpful?
0 out of 0 found this helpful

Comments

0 comments

Please sign in to leave a comment.