These instructions are for reference only. When implementing a SAML integration, consider company-specific security policies and best practices. These instructions cover the configuration of SAML on the IdP's side and contain IdP-specific details.
This article details how to set up an application in Google Workspace for an SSO setup with Haiilo.
Important: SSO Pre-Configuration Steps. If you are planning to allow users to self-select their own groups during onboarding, you must configure the "Can users self-register" and "Email domains" settings in Invitations & Registrations for each group before activating SSO. These settings remain active and govern which groups users can self-select during the onboarding process, even with SSO enabled. If you're using SCIM, you can ignore these settings.
1. Download the metadata from Haiilo
Only a Company Admin can set up Single Sign-On on Haiilo.
- On your Haiilo platform, go to Administration > Settings > Single Sign-On.
- Select Download metadata file.
2. Set up an application on Google Workspace
You need admin rights in your Google Workspace account to create an app.
Create the app
- Log in to the Google Admin Platform.
- Go to Apps > Web and mobile apps > Add app > Add custom SAML app.
- Give your app a name, e.g., Haiilo, and upload an app icon.
- Select Continue.
- Select Download metadata to download the app's metadata. You will need this later to finalize the setup in Haiilo.
- Select Continue.
Define the basic configuration
- Open the metadata file you downloaded from Haiilo in step 1.
- Configure the following fields. The information to input can be found in the metadata file.
  - Entity ID: Enter the entityID value from the metadata file.
  - ACS URL: Enter the Location value from the metadata file.
- Select Continue.
Edit the claim mappings
- Select Add mapping.
- Choose Primary email as the Google directory attribute and enter EmailAddress as the App attribute. This attribute is required for the SAML integration to work. The attribute name is case sensitive: it must include the capital 'E' and 'A' and cannot contain any other characters.
- Optionally, you can add additional attributes. The other supported attributes are:
  - FirstName (Optional)
  - LastName (Optional)
- Select Finish.
This is what the claim mapping should look like:
Assign users to the application
To ensure that your users can log in to Haiilo using SSO, they must be assigned to the application in Google Admin. You can assign all users during the setup process or at a later time closer to your launch date. However, during setup, you must assign at least one Company Admin who will complete the SSO setup in Haiilo.
- Select User access.
- Select On for everyone or restrict access to a certain unit or group.
- Select Save.
3. Finalize the SSO setup on Haiilo
- Go back to Haiilo > Administration > Settings > Single Sign-On.
- Upload the metadata you downloaded from Google Admin by selecting Upload metadata file.
- Then, select Test the configuration. You will be directed to test the login. If the login flow works and you can access Haiilo, the configuration has been successful.
- If you receive an error from Haiilo, please see the "I get an "Oops" error with SAML SSO. Why?" article.
- If you receive an error from your identity provider, please ensure your account has been assigned to the application and you are allowed to access it.
- If everything works as expected, enable SAML by toggling the Enable SAML switcher.