Using Security Assertion Markup Language (SAML), a user can use their managed Google account credentials to sign in to enterprise cloud applications via single sign-on (SSO). An identity and access management (IAM) service provides administrators with a single place to manage all users and cloud applications. You don't have to manage individual user IDs and passwords tied to individual cloud applications for each of your users. An IAM service provides your users with a unified sign-on across all their enterprise cloud applications.
- An active G Suite plan
- An administrator account
Download Your Metadata
- From your web browser, sign in to your Admin console as a super administrator.
- Click Apps > SAML apps.
- Click the plus (+) icon in the bottom corner. The Enable SSO for SAML Application window opens.
- Click Set up my own custom app.
The Google IDP Information window opens and the Single Sign-On URL and the Entity ID URL fields automatically populate.
- Download the IDP metadata, and then come back to the admin console and click Next.
Step 1: Enter service provider (SP) details in Google Admin console
- In the Basic Application Information window, add an application name and description.
- (Optional) Click Choose file next to the Upload Logo field to upload a PNG or GIF file to serve as an icon. The file size should be 256 pixels square.
- In the Service Provider Details section, enter the following URLs into the Entity ID, ACS URL, and Start URL fields:
ACS URL: https://<subdomain>.grovo.com/sso/saml2/saml-assertion
Entity ID: https://<subdomain>.grovo.com/sso/saml2/metadata
Start URL: https://<subdomain>.grovo.com
- Leave Signed Response unchecked.
- Set Name ID to Primary Email and the Name ID Format to Email
- Click Next.
- Click Add new mapping and enter a new name for the attribute you want to map. Grovo requires the following four attributes which must be entered exactly:
- Email Address
- First Name
- Last Name
- In the drop-down list, select the Category and User attributes to map the attribute from the Google profile.
- Click Finish.
Step 2: Enable the Grovo app
- Sign in to your Admin console.
- Go to Apps > SAML apps.
- Select Grovo.
At the top of the gray box, click Moreand choose:
- On for everyone to turn on the service for all users (click again to confirm).
- Off to turn off the service for all users (click again to confirm).
- On for some organizations to change the setting only for some users.
- Ensure that your Grovo user account email IDs match those in your Google domain.
Step 3: Configuring Grovo (SP)
Now knowing the required values, the Master Administrator needs to configure Grovo, in:
"Settings" > "Integrations" > SAML
Using the data from the XML file from Google you downloaded in Step 1, provide the EntityId, SingleSignOnService EndPoint (Post), and X509Certificate once an enterprise subdomain is specified.
Step 4: Verify that SSO is working
- Close all browser windows.
- Open https://<subdomain>.grovo.com and attempt to sign in. You should be automatically redirected to the Google sign in page.
- Enter your sign in credentials.
- After your sign in credentials are authenticated you're automatically redirected back to Grovo.