Overview
Get started with simplified user logins by setting up single sign-on (SSO) with G-Suite for your site. After you set up SSO, your users can sign in to the mobile app by using their G-Suite credentials.
Setup
- Sign in to your Google Admin console.
- From the Admin console home page, go to Apps > Web and mobile apps.
- Click Add App > Add custom SAML app.
- On the App details page:
  - Enter the name of the custom app.
  - The icon is optional.
- Click Continue.
- On the Google Identity Provider details page, copy the SSO URL and Entity Id and download the Certificate.
- Click Continue.
- On the Service provider details page:
  - Enter the ACS URL: https://sia-sso.azurewebsites.net/Saml2/Acs
  - Enter the Entity ID: https://sia-sso.azurewebsites.net/Saml2
  - Set Name ID format to EMAIL
  - Set Name ID to Basic Information > Primary Email
- Click Continue.
- On the Attribute mapping page, add the following mappings:
  - First Name -> FirstName
  - Last Name -> LastName
  - (Optional) Any Google directory attribute -> Role
    - Choose a Google directory attribute that can be used to determine the user's role, like "Organization unit path", "Department" or "Cost center".
    - We will use the value of this attribute to map users to roles in our system.
    - "Organization unit path" is generated based on the user's organization unit.
    - Given the following organizational unit structure, the paths would be:
      - Root -> /
      - Test unit -> /Test unit
      - Test unit inside another unit -> /Test unit/Test unit inside another unit
- Click Finish.
Activation
- Go to Apps > Web and mobile apps.
- Select your app.
- Click User access.
- To turn on for everyone in your organization, click On for everyone and then click Save.
- (Optional) If you only want to turn on the app for a set of users or organizational units, please follow the "Turn on your SAML app" section of the official guide.
Email us the setup information
Please send the SSO URL, Entity ID, and Certificate to projects@4schools.net with the subject "SSO - G-Suite", along with the desired default role and an optional role mapping. For the role mapping, list every value that can appear in the “Role” attribute and the role in our system that each value should translate to. The default role will be assigned to all users we are unable to map.
Example setup information:
- SSO URL: https://accounts.google.com/o/saml2/idp?idpid=C00mnztyz
- Entity ID: https://accounts.google.com/o/saml2?idpid=C00mnztyz
- Certificate: your_cert.pem (attached)
- Default role: Other
- (Optional) Role mapping:
  - Your role 1 -> Administrator (this is the role it will be mapped to in our system)
  - Your role 2 -> Student
Our team will let you know once everything is configured on our end.
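Before sending the role mapping, it helps to check which of your directory values would end up with the default role. The following is an added example, not our system's code: it reads the FirstName, LastName and Role attributes from a constructed attribute statement and applies a mapping, assuming values are matched exactly. The "/IT staff" path, the sample user and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: an AttributeStatement shaped like the one produced by the
# attribute mappings in this guide, with Role fed from "Organization unit path".
SAMPLE_STATEMENT = """
<saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Attribute Name="FirstName"><saml:AttributeValue>Ada</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="LastName"><saml:AttributeValue>Example</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="Role"><saml:AttributeValue>/Test unit</saml:AttributeValue></saml:Attribute>
</saml:AttributeStatement>
"""

# Hypothetical mapping and default role, in the form requested in the email.
ROLE_MAPPING = {"/IT staff": "Administrator", "/Test unit": "Student"}
DEFAULT_ROLE = "Other"


def read_attributes(statement_xml):
    """Return {attribute name: first value} from an AttributeStatement.

    Assumes the assertion's signature was already verified against the
    downloaded certificate by the SAML library; this only reads values.
    """
    root = ET.fromstring(statement_xml.strip())
    attrs = {}
    for attr in root.findall("saml:Attribute", SAML_NS):
        value = attr.find("saml:AttributeValue", SAML_NS)
        text = value.text if value is not None and value.text else ""
        attrs[attr.get("Name")] = text.strip()
    return attrs


def resolve_role(attrs, mapping=ROLE_MAPPING, default=DEFAULT_ROLE):
    """Exact-match lookup (assumption); a missing or unlisted value gets the default."""
    return mapping.get(attrs.get("Role", ""), default)


def unmapped_values(directory_values, mapping=ROLE_MAPPING):
    """Directory values that would fall back to the default role."""
    return sorted({v for v in directory_values if v not in mapping})


if __name__ == "__main__":
    user = read_attributes(SAMPLE_STATEMENT)
    print(user["FirstName"], user["LastName"], "->", resolve_role(user))
    print(unmapped_values(["/", "/Test unit", "/Test unit/Test unit inside another unit"]))
```

Under the exact-match assumption, a nested unit such as "/Test unit/Test unit inside another unit" is not covered by the "/Test unit" entry, so each path has to be listed separately.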
Troubleshooting common issues
Error: app_not_configured_for_user
This error is generated by Google and means that the user you tried logging in with does not have access to the SAML app in G-Suite.
Please review the steps in the "Turn on your SAML app" section to make sure that you have set up user access correctly. If everything seems to be set up correctly, try turning access Off for everyone, then turning it back On after a minute, and see if that solves the issue.